---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Oracle WebLogic 0-day Vulnerability'
version: '1.1'
number: '2019-010'
date: 'April 29, 2019'
---

_History:_

* _26/04/2019 --- v1.0 -- Initial publication_
* _29/04/2019 --- v1.1 -- Update: Oracle patch_

# Summary

A highly critical, zero-day vulnerability in Oracle WebLogic Server has been disclosed. Some attackers might already have started exploiting it in the wild [1, 2, 3]. The vulnerability potentially allows attackers to remotely execute arbitrary commands. Oracle has issued an out-of-band security update to address this vulnerability.

# Technical Details

Oracle WebLogic is a Java-based enterprise application server, used both in cloud and traditional environments. The application server contains a critical _deserialization_ vulnerability that can lead to remote code execution. It affects all versions of the software. The vulnerability received the identifier CVE-2019-2725 [5].

It appears that a vulnerability in the `wls9_async` and `wls-wsat` components may allow deserialization of malicious serialized data, which could lead to remote command execution. The first component adds support for asynchronous server operations, while the second is the server's security component.

The vulnerability was described by researchers from **KnownSec 404** in [1]. It allows attackers to remotely execute arbitrary commands on affected servers by sending a specially crafted HTTP request, without requiring any authorization [2].

# Products Affected

This vulnerability affects all WebLogic versions (including the latest version) that have the `wls9_async_response.war` and `wls-wsat.war` components enabled.
# Recommendations

Oracle has issued an out-of-band security update to address this vulnerability for the supported versions (10.3.6.0.0 and 12.1.3.0.0). It is recommended to apply the patch as soon as possible. More details are provided in [4].

Alternatively, if applying the patch is not immediately possible, two mitigation techniques have so far been identified:

* Find and delete `wls9_async_response.war` and `wls-wsat.war`, then restart the WebLogic service^[Note that this could impact functionality if these components are in use.].
* Restrict HTTP access to the `/_async/*` and `/wls-wsat/*` URL paths (by access policy control, web application firewall, etc.).

# References

[1]

[2]

[3]

[4]

[5]
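As a defender-side illustration of the second mitigation in the Recommendations (added here, not part of the CERT-EU advisory): a Python scanner that parses combined-format access logs from a reverse proxy or WAF in front of WebLogic and flags requests to the `/_async/*` and `/wls-wsat/*` paths, so a team can verify the restriction is in place and spot sources probing those components. The log lines, client addresses and the service names after the two prefixes are constructed; only the prefixes come from the advisory.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Added example, not from the advisory: scan reverse-proxy / WAF access logs for
# requests to the two URL paths the advisory says to restrict, /_async/* and
# /wls-wsat/*, so an unpatched tier can be checked for exposure and probing.
MITIGATED_PREFIXES = ("/_async", "/wls-wsat")

# Apache/nginx "combined" format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). The service names after the
# prefixes are made up; only the prefixes come from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Apr/2019:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1534
203.0.113.10 - - [26/Apr/2019:10:00:05 +0000] "POST /_async/SomeService HTTP/1.1" 202 0
198.51.100.7 - - [26/Apr/2019:10:02:17 +0000] "POST /wls-wsat/SomePort HTTP/1.1" 500 412
198.51.100.7 - - [26/Apr/2019:10:02:20 +0000] "POST /%5Fasync/SomeService?x=1 HTTP/1.1" 403 0
192.0.2.25 - - [26/Apr/2019:10:03:00 +0000] "GET /_asyncx/other HTTP/1.1" 404 0
"""

def normalise_path(target: str) -> str:
    """Drop the query string and percent-decode, so trivially encoded variants
    of the prefixes (e.g. /%5Fasync/) are matched like their plain form."""
    path = target.split("?", 1)[0]
    return unquote(path)

def is_mitigated_path(target: str) -> bool:
    """True when the request targets /_async/* or /wls-wsat/* (the prefix alone
    or anything below it); /_asyncx/... is deliberately not a match."""
    path = normalise_path(target)
    return any(path == p or path.startswith(p + "/") for p in MITIGATED_PREFIXES)

def find_mitigated_path_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose request path hits a mitigated prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_mitigated_path(m.group("target")):
            hits.append(m.groupdict())
    return hits

if __name__ == "__main__":
    for rec in find_mitigated_path_requests(SAMPLE_LOG):
        print(rec["client"], rec["time"], rec["method"], rec["target"], rec["status"])
```

A 403 on such a request shows the edge restriction working; a 2xx or 5xx on an unpatched server is what should trigger an investigation.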