[Alert] WebLogic WLS-ASYNC Deserialization RCE Vulnerability

26/04/2019 10:25:17
Recently, CNVD exposed a deserialization remote command execution vulnerability (CNVD-C-2019-48814) in WebLogic’s WLS-ASYNC component in its security updates.  The severity level of this vulnerability is rated as high. This vulnerability is caused by the flaws in the WLS9-ASYNC component when deserializing input information. Unauthorized attackers may exploit this vulnerability to send malicious HTTP requests which are carefully crafted to get access to servers and execute remote command.

Sangfor security team responded and sent out alerts immediately and followed up this security event.

Severity: High

Summary



Vulnerability Analysis

- About WebLogic

▪ WebLogic is an application server, or a JAVAEE-based middleware components provided by Oracle Corporation. It is used to develop, integrate, deploy and manage distributed Web applications, network applications and database applications.

▪ Many managed large-scale websites  are currently employing Java and Java Enterprise. Weblogic is one of the mainstream Java (J2EE) application servers, and the first commercialized J2EE application server, boasting high scalability, flexibility and reliability.

- Vulnerability Analysis

▪ The vulnerability (CNVD-C-2019-48814) in the component WLS9-ASYNC of WebLogic server allows attackers to input malicious XML data through the path /_async/AsyncResponseService. When incoming data are deserialized on the server, malicious code contained in those data is executed so that attackers can get control over the server.

- Vulnerability Reproduction

▪ Download WebLogic10.3.6.0 on a machine and take it as target. Make the directory /_async/AsyncResponseService open to public.

▪ Input crafted XML data to launch attacks, as shown below:



Impacts

Globally, there are over 35,894 WebLogic-based servers are open to the Internet, among which over 10,000 are located in China.

Affected Versions
WebLogic 10.* and 12.1.3.0

Solutions

- Sangfor Solutions

Sangfor Security Team  immediately released an update and gained the ability to probe websites for this vulnerability and ensure user security.

For Sangfor NGAF customers, simply update security capabilities and turn on the corresponding security protection feature.

Remediation Solution

▪ Since Oracle has not released official patch for the vulnerability, you can adopt the following measures for temporary protection:

1. Set URL access control policy to block access to the /_async/* directories.

2. Delete the .war file and its related folders and re-launch Weblogic service. Specific /_async/* directories for different versions:

For WebLogic 10.3.*:

▪ \Middleware\wlserver_10.3\server\lib\bea_wls9_async_response.war

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\.internal\bea_wls9_async_response.war

For WebLogic 12.1.3:

▪ \Middleware\Oracle_Home\oracle_common\modules\com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\.internal\com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.bea-wls9-async-response_12.1.3

References

http://www.cnvd.org.cn/webinfo/show/4989

Appendix

None

Our Social Networks

Global Service Center:

COPYRIGHT © 2000-2019 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.