myhack58 | 佚名 (Anonymous) | MYHACK58:62201994562
Jun 17, 2019 - 12:00 a.m.

WebLogic deserialization 0day vulnerability (CVE-2019-2725 patch bypass) early warning - vulnerability warning - the black bar safety net

Source: www.myhack58.com

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.976 High (Percentile 100.0%)

On June 15, 2019, 360CERT observed in the wild an Oracle WebLogic remote deserialization command-execution vulnerability that bypasses the latest WebLogic patch (CVE-2019-2725). An attacker can send a carefully constructed malicious HTTP request and execute commands remotely without authentication. No official patch has been released yet, and the vulnerability details have not been disclosed. After assessment, 360CERT rates the vulnerability as “high risk” and strongly recommends that affected users apply the temporary mitigation below as soon as possible to avoid being attacked.

0x01 Vulnerability details
This vulnerability bypasses the April 2019 WebLogic patch. It arises mainly because the JDK versions supported by WebLogic are defective, which lets an attacker get around the patch and remotely execute arbitrary commands.
![](/Article/UploadPic/2019-6/2019617163215977.png)

0x02 Affected scope
Affected products:
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Affected components:
wls9_async_response.war
wls-wsat.war

0x03 Repair recommendations
Delete the wls9_async_response.war and wls-wsat.war files and their related folders, then restart the WebLogic service. The specific paths are:
10.3.* version:
\Middleware\wlserver_10.3\server\lib\
%DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\
%DOMAIN_HOME%\servers\AdminServer\tmp\.internal\
12.1.3 version:
\Middleware\Oracle_Home\oracle_common\modules\
%DOMAIN_HOME%\servers\AdminServer\tmp\.internal\
%DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\
Use access policy controls to block access to URLs under the /_async/* path.
Upgrade promptly to a Java version supported by WebLogic.
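As an added example (not part of the original advisory), the following POSIX shell function audits a WebLogic installation for the two components the advisory says to remove, so an administrator can confirm the cleanup before and after restarting the service. It assumes Linux-style equivalents of the Windows paths listed above (WL_HOME for the Middleware product directory, DOMAIN_HOME for the domain) and paths without whitespace.

```shell
#!/bin/sh
# Added example, not from the advisory: check a WebLogic install for the two
# components the advisory says to delete. Assumes Linux-style equivalents of the
# Windows paths listed above and paths without whitespace.
#
#   $1 = WL_HOME      e.g. /opt/Middleware/wlserver_10.3 (10.3.*) or
#                          /opt/Middleware/Oracle_Home/oracle_common (12.1.3)
#   $2 = DOMAIN_HOME
#
# Prints each copy found (archive or exploded directory). Returns 0 when none of
# the listed directories contain the components, 1 when at least one is present.
check_wls_components() {
  wl_home="$1"
  domain_home="$2"
  found=0
  for dir in \
      "$wl_home/server/lib" \
      "$wl_home/modules" \
      "$domain_home/servers/AdminServer/tmp/_WL_internal" \
      "$domain_home/servers/AdminServer/tmp/.internal"; do
    [ -d "$dir" ] || continue
    for name in wls9_async_response.war wls-wsat.war; do
      # depth 2 covers the archive itself and the unpacked copy WebLogic keeps
      # under a directory of the same name in the tmp/ locations
      for hit in $(find "$dir" -maxdepth 2 -name "$name" 2>/dev/null); do
        echo "VULNERABLE COMPONENT: $hit"
        found=1
      done
    done
  done
  return "$found"
}

# Stand-alone usage:
# check_wls_components /opt/Middleware/wlserver_10.3 /opt/domains/base_domain
```

Run it once before the deletion to get the list of copies to remove, and again after the restart; a clean exit status (0) means none of the listed locations still hold either component.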
