On April 25, 2019, a team of security researchers published a warning describing a remote code execution zero-day flaw in Oracle WebLogic Server. The vulnerability affects versions 10.x and 12.1.3 of WebLogic on which the components wls9_async_response.war and wls-wsat.war are enabled. Oracle had released a patch for a closely related flaw, CVE-2018-2628, in 2018, but that patch is now believed to have been incomplete.
The flaw has been assigned CVE-2019-2725. Oracle began releasing out-of-band updates for it on April 26, which is unusual: Oracle normally releases patches only once per quarter.
At the time of writing, more than 36,000 WebLogic servers are publicly reachable. The vulnerability lets an unauthenticated attacker execute arbitrary commands on the server remotely, so it threatens the confidentiality, integrity and availability of the WebLogic server and the applications it hosts.
Oracle released an out-of-band update for WebLogic 10.3.6 on April 26 and plans to release one for WebLogic 12.1.3 on April 29, 2019. Applying the relevant patch is the supported mitigation. If you are running a version earlier than 10.3.6, you will need to upgrade to 10.3.6 before the update can be applied.
A second mitigation is to locate and delete wls9_async_response.war and wls-wsat.war and then restart WebLogic. Note that this removes the asynchronous web service and WS-AT functionality those components provide, so confirm that no deployed application depends on them first. It is also recommended to restrict URL access to the /_async/* and /wls-wsat/* paths by policy control.
Restricting the /_async/* and /wls-wsat/* paths by policy control is good hardening practice in any case, because it provides some protection against future vulnerabilities in those WLS components.
Additionally, limiting outbound traffic from your web server is good practice. The exploit variants observed so far require the server to reach out to an attacker-controlled host to download further XML, so a server that can only communicate on its own network will not complete those attacks. Treat egress filtering as defence in depth rather than a fix: it does not remove the vulnerable component, and a payload that does not need a second stage would not be stopped by it.
The attack works by sending a specially crafted XML (SOAP) request to the vulnerable WebLogic endpoint. The request body is deserialized with Java's XMLDecoder, which instantiates whatever classes the XML names and calls their methods, so the request body effectively becomes code the server runs. In the exploits observed so far, that code instructs the server to reach out to a specific malicious host to complete the request, and the malicious host replies with another XML response containing the next stage to run.
Various security researchers, including researchers at vulnerability management vendor Tenable, have successfully exploited this flaw. Proof-of-concept code has been released publicly, and F5 Labs has observed exploit attempts in the wild. Much of that traffic has been benign so far, but now that the flaw is widely known we should expect active exploitation to increase.
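Two operational follow-ups to the advice above, written up here as an added example in Python (this is not code from the original article or from Oracle): checking whether the two WAR files named earlier are still present on a server, and scanning WebLogic-style access log lines for requests to the /_async/ and /wls-wsat/ paths so you can see whether anyone probed them before the patch or the policy control was in place. The common-log line format, the directory tree you point the WAR check at, and the endpoint names used beneath the two path prefixes are assumptions; the embedded log lines are constructed, not real traffic.

```python
"""Post-advisory checks for the WebLogic async / WS-AT exposure.

Added example, not code from the original article or from Oracle.
Assumptions: WebLogic's access.log uses a common-log-style line, and the
vulnerable WARs live somewhere under the directory you pass in. The sample
log lines at the bottom are constructed for illustration.
"""
import os
import re
from urllib.parse import unquote

# The two components the advisory says to remove.
VULNERABLE_WARS = ("wls9_async_response.war", "wls-wsat.war")

# The two URL prefixes the advisory says to restrict by policy control.
SUSPECT_PREFIXES = ("/_async/", "/wls-wsat/")

# Common-log-style access line, e.g.
#   203.0.113.5 - - [27/Apr/2019:10:15:32 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def find_vulnerable_wars(root):
    """Walk `root` and return the paths of any WAR files named in VULNERABLE_WARS.

    An empty list after the mitigation has been applied is what you want to see.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in VULNERABLE_WARS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def normalize_path(raw):
    """Strip the query string, percent-decode and collapse repeated slashes.

    Without this, an obfuscated request such as /%5fasync//AsyncResponseService
    would slip past a naive prefix match on the raw path.
    """
    path = unquote(raw.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    return path


def flag_suspect_requests(lines):
    """Return (client, method, normalized_path, status) for each request that
    targets one of SUSPECT_PREFIXES. Lines that do not parse are skipped."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("path"))
        if path.startswith(SUSPECT_PREFIXES):
            flagged.append(
                (m.group("client"), m.group("method"), path, int(m.group("status")))
            )
    return flagged


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.20 - - [27/Apr/2019:10:15:30 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Apr/2019:10:15:32 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '203.0.113.5 - - [27/Apr/2019:10:15:40 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1893',
    '203.0.113.77 - - [27/Apr/2019:10:16:02 +0000] "POST /%5fasync//AsyncResponseService?x=1 HTTP/1.1" 202 0',
    '198.51.100.21 - - [27/Apr/2019:10:16:10 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 2210',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, method, path, status in flag_suspect_requests(SAMPLE_LOG):
        print(f"{client} {method} {path} -> {status}")
    # Point WL_HOME at the WebLogic installation or domain root to check the mitigation.
    for war in find_vulnerable_wars(os.environ.get("WL_HOME", ".")):
        print("vulnerable component still present:", war)
```

Run it against a copy of the real access.log and, with WL_HOME set, against the server tree. A 202 or 500 on a POST to /_async/ from an external address is worth investigating even if the host was patched afterwards, since the exploit does not need authentication and a successful request may have left a second stage behind.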
Oracle normally releases updates every three months and rarely issues out-of-band patches, so an emergency release is itself a signal of how serious the flaw is. Follow the mitigation steps above promptly; WebLogic servers are frequent targets of attack.
Dave Farquhar - Vulnerability Management Subject Matter Expert