BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Critical Remotely Exploitable Vulnerability Discovered in Oracle WebLogic Server

Critical Remotely Exploitable Vulnerability Discovered in Oracle WebLogic Server

This item in japanese

Bookmarks

Security researchers have discovered a new remotely exploitable vulnerability in Oracle WebLogic Server (WLS). The vulnerability, assigned CVE-2019-2725, is remotely exploitable without user authentication and has an overall CVSS score of 9.3 out of 10, making it a critical vulnerability.

Oracle released a security alert noting that versions of the server affected by this flaw include 10.3.6.0 and 12.1.3.0. The flaw, which is easily exploitable, is already being actively exploited in the wild to install ransomware, crytocoin miners, and possibly other malicious software. Oracle "strongly recommends that customers apply the updates" as soon as possible.

At its core, the flaw is due to insufficient validation of deserialized XML data. With a specially crafted SOAP request, attackers can gain full code execution privileges on the server.

More specifically, the vulnerability exists in the async component of WLS on the /_async/AsyncResponseService endpoint. This endpoint is an internal endpoint used to handle the asynchronous request-response features.

When the AsyncResponseService endpoint receives a request, it iterates through a list of handlers allowing each handler an opportunity to handle the request. One particular handler, the WorkAreaServerHandler makes use of the WorkContextXmlInputAdapter which in turn makes use of the XMLDecoder. This is the point at which the vulnerability occurs.

XMLDecoder is very similar in nature to an ObjectInputStream used to consume Serializable objects with the difference being the XMLDecoder utilizes an XML format to describe the serialized objects instead of a binary format. Without proper sanitation of input, arbitrary Java objects can be deserialized.

Unfortunately, this vulnerability is not the first of its kind for WebLogic or Java. A similar vulnerability was reported in WebLogic in 2017 (CVE-2017-10271). And Java in general is no stranger to deserialization vulnerabilities as covered previously in the InfoQ article, The State of Java Serialization. Recognizing the need to stop these kind of vulnerabilities, JEP-290 was introduced and released as part of Java 9.

Oracle recommends to apply the patch immediately to resolve this issue. Other, non-official, recommendations include blocking access to all /_async/* URLs or deleting the WAR file and any related files for the async functionality.

Rate this Article

Adoption
Style

BT