Source: myhack58, author Anonymous (佚名), ID MYHACK58:62201993883
Published: Apr 26, 2019

WebLogic Server exposed to a high-risk remote command execution 0-day vulnerability - vulnerability warning - 黑吧安全网 (myhack58)

www.myhack58.com

Recently, the Alibaba Cloud security team observed that the Oracle WebLogic wls9-async deserialization remote command execution vulnerability, catalogued by the China National Vulnerability Database (CNVD) as CNVD-C-2019-48814, is being exploited by attackers for unauthenticated remote command execution. Because this vulnerability is reachable over the HTTP protocol rather than the T3 protocol, it has already been used by attackers for large-scale cryptomining.
At present two version lines, WebLogic 10.x and WebLogic 12.1.3, are confirmed affected. Oracle has not yet released an official patch, and neither the vulnerability details nor a working PoC have been publicly disclosed.
1. What is WebLogic Server?
WebLogic Server is application server middleware developed by Oracle Corporation (USA) for both cloud and traditional environments. It provides a modern, lightweight development platform that supports applications through the whole lifecycle from development to production, and it is widely used in insurance, securities, banking and other financial sectors.
2. Timeline of the WebLogic Server vulnerability and its defense
On April 17, 2019, CNVD published the WebLogic vulnerability numbered CNVD-C-2019-48814, stating that the affected WAR package is bea_wls9_async_response.war. The wls9-async component of WebLogic Server provides asynchronous communication services and is deployed by default in some WebLogic versions. Because this WAR package deserializes input without adequate checks, an attacker who sends a carefully crafted malicious HTTP request can obtain the privileges of the target server and execute commands remotely without authorization.
Alibaba Cloud Web Application Firewall (WAF) analysed the vulnerability as soon as it was detected and found that, in addition to bea_wls9_async_response.war, wls-wsat.war is also affected. On April 21, Alibaba Cloud updated the WAF default defense rules for this vulnerability and enabled blocking, so that the domains of WAF users are protected.
On April 23, CNVD issued a supplementary notice stating that the affected WAR packages include not only bea_wls9_async_response.war but also wls-wsat.war. That WAR package provides the WLS-WebServices routes, and the WLS-WebServices feature uses XMLDecoder to parse XML data. Alibaba Cloud WAF already protected against this by default, without needing any rule update.
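The deserialization path described above (XML handed to java.beans.XMLDecoder, which instantiates whatever classes the document names and calls whatever methods it lists) is what turns a crafted HTTP body into code execution. The following is an added example written for this page; it is not WebLogic code and not Alibaba Cloud's rule logic. It shows the vulnerable pattern of feeding untrusted bytes to XMLDecoder, demonstrated with a deliberately harmless class, beside a hardened version that first parses the document with DTDs disabled and refuses any class name that is not on an allow-list. The sample document, the class names and the allow-list are constructed for illustration.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class XmlDecoderSink {

    // Constructed sample document in XMLDecoder's own format. It names a class to
    // instantiate (here a harmless StringBuilder) and a method to invoke on it; the
    // decoder honours whatever class name the document carries, which is the sink.
    static final String UNTRUSTED_XML =
          "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">"
        + "<object class=\"java.lang.StringBuilder\">"
        + "<void method=\"append\"><string>hello from XMLDecoder</string></void>"
        + "</object>"
        + "</java>";

    // VULNERABLE pattern: the request body goes straight into XMLDecoder.
    static Object decodeUnsafely(String xml) {
        try (XMLDecoder dec = new XMLDecoder(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            return dec.readObject();
        }
    }

    // HARDENED pattern: parse first with DTDs disabled, collect every class the
    // document names, and refuse anything off the allow-list before XMLDecoder runs.
    // The allow-list is illustrative; the root <java> element carries the decoder class.
    static final Set<String> ALLOWED_CLASSES =
            Set.of("java.beans.XMLDecoder", "java.lang.String", "java.util.ArrayList");

    static Object decodeWithAllowList(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // any DOCTYPE -> parse fails
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        for (String cls : referencedClasses(doc.getDocumentElement(), new ArrayList<>())) {
            if (!ALLOWED_CLASSES.contains(cls)) {
                throw new SecurityException("XMLDecoder document names disallowed class " + cls);
            }
        }
        return decodeUnsafely(xml); // reached only for documents that name allowed classes
    }

    // XMLDecoder takes class names from the "class" attribute of <object>, <void>,
    // <array>, <new> and the root <java>, and from the text of <class> elements.
    static List<String> referencedClasses(Element el, List<String> acc) {
        if (el.hasAttribute("class")) {
            acc.add(el.getAttribute("class"));
        }
        if ("class".equals(el.getTagName())) {
            acc.add(el.getTextContent().trim());
        }
        NodeList kids = el.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) referencedClasses((Element) n, acc);
        }
        return acc;
    }

    public static void main(String[] args) throws Exception {
        Object o = decodeUnsafely(UNTRUSTED_XML);
        System.out.println("unsafe decode produced " + o.getClass().getName() + ": " + o);
        try {
            decodeWithAllowList(UNTRUSTED_XML);
        } catch (SecurityException e) {
            System.out.println("hardened decode refused: " + e.getMessage());
        }
    }
}
```

Run with `java XmlDecoderSink.java` (Java 11 or later). The unsafe path instantiates java.lang.StringBuilder and calls append because the document said so; nothing in XMLDecoder restricts which class that is. The hardened path rejects the same document. Rejecting any DOCTYPE is deliberate: the allow-list is checked on one parse and XMLDecoder performs its own, so a DTD could otherwise make the two parsers see different class names. For the two WARs named in this advisory the fix is still to remove them or block their paths; allow-listing is the fallback when XMLDecoder documents must be accepted at all.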
Vulnerability attack demonstration
Alibaba Cloud monitoring currently shows large-scale scanning for this vulnerability across the cloud; the attack traffic is shown in the figure below. Alibaba Cloud WAF users are unaffected.
[Figure: attack traffic exploiting the vulnerability]
3. Security recommendations
Since Oracle has not yet released an official patch, the Alibaba Cloud security team offers the following solutions:
· Operators of websites and information systems built on WebLogic Server should audit their deployments; if the vulnerable components are present, immediately remove the two affected WAR packages and restart the WebLogic service;
· Because the two affected WAR packages expose many routes, it is recommended to adopt an access-control policy that blocks URL access to the /_async/* and /wls-wsat/* paths;
· Alibaba Cloud WAF protects against this vulnerability by default; you can put your site behind Alibaba Cloud WAF to avoid greater losses from the vulnerability.
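The path-blocking recommendation only holds if the rule matches the path the server will actually resolve, and the same applies when hunting for past hits in access logs. As an added example (not from the original article and not Alibaba Cloud WAF logic), the following Java scans Common Log Format access-log lines, the layout WebLogic's access.log uses by default, for requests into the two affected context roots. Each path is canonicalised (percent-decoded, duplicate slashes collapsed, dot segments resolved) before the prefix match so that encoding tricks do not slip past it. The log lines, client addresses and the request paths beneath /_async/ and /wls-wsat/ are constructed sample input.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WlsPathHunter {

    // Context roots of the two affected WARs named in the advisory.
    static final String[] BLOCKED_PREFIXES = { "/_async/", "/wls-wsat/" };

    // Common Log Format: client ident user [time] "METHOD path PROTOCOL" status bytes
    static final Pattern CLF = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) \\S+");

    // Strip the query string, percent-decode (twice, to catch double encoding), then
    // collapse "//" and resolve "." / ".." so "//wls-wsat/%2e%2e/wls-wsat/x" becomes "/wls-wsat/x".
    static String canonicalPath(String rawPath) {
        String p = rawPath;
        int q = p.indexOf('?');
        if (q >= 0) p = p.substring(0, q);
        for (int i = 0; i < 2; i++) {
            try {
                p = URLDecoder.decode(p.replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed %xx sequence: keep what we have
            }
        }
        Deque<String> segs = new ArrayDeque<>();
        for (String s : p.split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) { segs.pollLast(); continue; }
            segs.addLast(s);
        }
        return "/" + String.join("/", segs) + (p.endsWith("/") && !segs.isEmpty() ? "/" : "");
    }

    // True when the canonical path is one of the affected context roots or anything under it.
    static boolean targetsAffectedWar(String rawPath) {
        String p = canonicalPath(rawPath);
        for (String prefix : BLOCKED_PREFIXES) {
            String root = prefix.substring(0, prefix.length() - 1);
            if (p.equals(root) || p.startsWith(prefix)) return true;
        }
        return false;
    }

    // Returns "client method canonical-path status" for every line that hits an affected
    // root. POSTs are the interesting ones, since the flaw is in deserialising a request
    // body, but GET probes are reported too because they precede the POST in scans.
    static List<String> hunt(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = CLF.matcher(line);
            if (!m.find()) continue;
            if (targetsAffectedWar(m.group(3))) {
                hits.add(m.group(1) + " " + m.group(2) + " " + canonicalPath(m.group(3)) + " " + m.group(4));
            }
        }
        return hits;
    }

    // Constructed sample access-log lines (not real traffic): one ordinary request, then
    // probes against the two affected roots, two of them using encoding tricks.
    static final List<String> SAMPLE_LOG = List.of(
        "203.0.113.5 - - [21/Apr/2019:10:02:11 +0800] \"GET /app/index.jsp HTTP/1.1\" 200 5120",
        "198.51.100.7 - - [21/Apr/2019:10:02:19 +0800] \"POST /_async/AsyncResponseService HTTP/1.1\" 202 0",
        "198.51.100.7 - - [21/Apr/2019:10:02:20 +0800] \"POST /wls-wsat/CoordinatorPortType HTTP/1.1\" 500 1077",
        "198.51.100.9 - - [21/Apr/2019:10:03:01 +0800] \"POST //wls-wsat/%2e%2e/wls-wsat/CoordinatorPortType?x=1 HTTP/1.1\" 500 1077",
        "198.51.100.9 - - [21/Apr/2019:10:03:02 +0800] \"GET /_async/ HTTP/1.1\" 200 2311");

    public static void main(String[] args) {
        hunt(SAMPLE_LOG).forEach(System.out::println); // 4 hits; the /app/ request is ignored
    }
}
```

Run with `java WlsPathHunter.java` (Java 11 or later). The fourth sample line is the one to note: a naive `startsWith("/wls-wsat/")` on the raw request would miss it because of the leading double slash, while after canonicalisation it is plainly a request into the affected root. Whatever enforces the /_async/* and /wls-wsat/* block (reverse proxy, WAF or WebLogic itself) should be matching on the same normalised form.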