Zero day remote code execution in Oracle WebLogic Server
CVE: Not known - CNVD-2018-07811 (China National Vulnerability Database)
CVE Score: 9.8
Sources
https://isc.sans.edu/forums/diary/Unpatched+Vulnerability+Alert+WebLogic+Zero+Day/24880/
https://thehackernews.com/2019/04/oracle-weblogic-hacking.html
https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93
Risks
Oracle WebLogic Server is affected by a remote code execution vulnerability. It allows attackers to remotely execute arbitrary commands on affected servers simply by sending a specially crafted HTTP request, without requiring any authorization.
Two proofs of concept are available on the web. This vulnerability is currently being actively exploited in the wild.
Description
The vulnerability, spotted by researchers from KnownSec 404, concerns Oracle WebLogic Server. It contains a critical deserialization remote code execution vulnerability which can be triggered via two components: "wls-wsat.war" and "wls9_async_response.war". Both WAR (web application archive) components are responsible for ingesting serialized data from incoming requests.
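Because the vulnerable behaviour lives in two named WAR components, a quick way for administrators to gauge exposure while scheduling the patch is to look for requests that reach those components in the WebLogic access logs. The script below is an added example, not part of this advisory or of any Oracle tooling. It assumes that wls9_async_response.war is served under the /_async/ path and wls-wsat.war under /wls-wsat/ (an assumption about the default mount points, not stated in the advisory), and it runs over a few constructed log lines in common log format.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access-log lines (common log format) for this example;
# they are not real traffic and the client addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2019:10:01:02 +0200] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4321
198.51.100.7 - - [26/Apr/2019:10:02:15 +0200] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
198.51.100.7 - - [26/Apr/2019:10:02:40 +0200] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1208
10.0.0.9 - - [26/Apr/2019:10:03:01 +0200] "GET /index.html HTTP/1.1" 200 512
"""

# Assumed URL prefixes of the two WAR components named in the advisory.
# Assumption: wls9_async_response.war is mounted at /_async/ and wls-wsat.war at /wls-wsat/.
SUSPECT_PREFIXES = {
    "/_async/": "wls9_async_response.war",
    "/wls-wsat/": "wls-wsat.war",
}

# Minimal common-log-format parser: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    component: str


def scan_access_log(text: str) -> List[Hit]:
    """Return one Hit per request that reaches an advisory-relevant component.

    Only POST requests are flagged: the affected components consume a request
    body, so a bare GET on these paths is usually a WSDL lookup or a scanner
    probe and would only add noise to the triage list.
    """
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        path = m.group("path")
        if m.group("method") != "POST":
            continue
        for prefix, component in SUSPECT_PREFIXES.items():
            if path.startswith(prefix):
                hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                                path, int(m.group("status")), component))
                break
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} -> {h.status} ({h.component})")
```

A hit on a server that has not yet received the April patch is a reason to prioritise that host and to review it for signs of compromise; a server with no hits still needs the patch, since access logs only show what has already been attempted. If the components are not needed at all, removing or disabling the two WAR deployments shrinks the exposed surface until the fix is in place.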
Recommended Actions
Oracle has released a patch and revised its April critical patch update bundle. CERT.be recommends that administrators patch vulnerable systems after thorough testing.
For more information concerning the security patch, visit: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Update 20/06/2019:
A new patch has been released: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html