MYHACK58:62201994593 (myhack58, 佚名)
History: Jun 18, 2019 - 12:00 a.m.

WebLogic Server hit by another high-risk 0day vulnerability - Vulnerability Alert - 黑吧安全网 (myhack58.com)

2019-06-18 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.976 High (Percentile 100.0%)

On June 11, the Alibaba Cloud security team discovered a 0day vulnerability that bypasses the WebLogic CVE-2019-2725 patch and reported it to Oracle immediately; Oracle confirmed it on June 12. Because Oracle has not yet released an official patch, the vulnerability details and the working PoC are not being disclosed. To protect customers, Alibaba Cloud Web Application Firewall (WAF) has pushed an emergency rule update and now blocks this vulnerability by default.
1. Vulnerability overview
WebLogic Server is application-server middleware developed by Oracle Corporation (United States) for both cloud and traditional environments, and is widely deployed in insurance, securities, banking and other financial sectors.
The newly discovered 0day bypassing the WebLogic CVE-2019-2725 patch is reached over the HTTP protocol rather than the T3 protocol, which is exactly why the underlying flaw has already been abused by attackers for large-scale cryptomining and similar activity: no T3 access is needed, an ordinary HTTP POST to the exposed web service is enough. WebLogic 10.x and WebLogic 12.1.3 are both affected.
Given the severity of the vulnerability, Alibaba Cloud reminds cloud customers to check carefully whether their own business uses WebLogic and whether the /_async/ and /wls-wsat/ access paths are exposed to the network. In addition, with the Ministry of Public Security's 护网 (HVV) exercise under way, customers participating in it should pay particular attention.
2. Discovery of the WebLogic Server vulnerability
The Alibaba Cloud security team tested against Oracle's official JDK 8u211 with the April CVE-2019-2725 patch applied and confirmed that the vulnerability is still exploitable, i.e. the patch does not close it. Given how widely WebLogic Server is deployed, the potential impact is large.
![](/Article/UploadPic/2019-6/201961816820774.png)
Vulnerability attack demo
The vulnerability uses a feature of JDK 1.7 and later to bypass the CVE-2019-2725 patch's restriction on XMLDecoder elements; the patch is a denylist of element names, so any element it fails to name still reaches XMLDecoder. The following shows the CVE-2019-2725 patch's filter for the class element.
![](/Article/UploadPic/2019-6/201961816821715.png)
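The design weakness described above, a filter that refuses particular XMLDecoder element names, can be shown in miniature. The following is an added illustration in Python, not the page's code, the WebLogic patch's actual filter, or the undisclosed bypass: a constructed denylist in the style the patch uses is compared with an allowlist over three constructed XMLDecoder-style documents. The probe document uses `<void>` only because the constructed denylist omits it, not because it is taken from any exploit; the element sets, the `com.example.Anything` class name and the helper functions are all assumptions.

```python
"""Denylist versus allowlist checks over XMLDecoder-style documents.

Added illustration only: this is not the WebLogic patch's real filter and not
the undisclosed bypass. DENIED_ELEMENTS is a constructed stand-in for a
patch-style denylist, and the probe document uses <void> purely because this
constructed list omits it.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for a patch-style denylist of element names.
DENIED_ELEMENTS = {"class", "object", "new"}

# Allowlist alternative: plain value elements that cannot name a class or method.
ALLOWED_ELEMENTS = {"java", "string", "int", "long", "boolean", "null"}

# Constructed sample documents (class names are hypothetical).
BENIGN_DOC = (
    '<java version="1.8.0_211" class="java.beans.XMLDecoder">'
    "<string>hello</string><int>7</int></java>"
)
DENIED_DOC = '<java><object class="com.example.Anything"/></java>'
PROBE_DOC = '<java><void class="com.example.Anything"><string>x</string></void></java>'


def local_name(element):
    """Element name with any namespace prefix removed."""
    return element.tag.split("}", 1)[-1]


def denylist_accepts(xml_text):
    """Patch-style check: refuse only when a denied element name appears.
    Anything the list does not name sails through."""
    root = ET.fromstring(xml_text)
    return not any(local_name(el) in DENIED_ELEMENTS for el in root.iter())


def allowlist_accepts(xml_text):
    """Robust check: every element must be on the allowlist, and no element
    except the <java> root may carry a class or method attribute."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = local_name(el)
        if name not in ALLOWED_ELEMENTS:
            return False
        if name != "java" and ("class" in el.attrib or "method" in el.attrib):
            return False
    return True


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("denied", DENIED_DOC), ("probe", PROBE_DOC)):
        print(f"{label:7s} denylist={denylist_accepts(doc)!s:5s} allowlist={allowlist_accepts(doc)}")
```

The point of the comparison is that the denylist passes the probe document while the allowlist rejects it: a denylist has to anticipate every element and attribute XMLDecoder will ever honour, which is the class of mistake a JDK-version-specific feature exploits. The durable fix is not a longer list but keeping attacker-controlled XML away from XMLDecoder altogether, with an allowlist as the fallback where that is impossible.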
3. Security recommendations
Since Oracle has not yet published a patch, the Alibaba Cloud security team offers the following workarounds:

  1. Operators of information systems built on WebLogic Server should carry out a self-check; if the vulnerability is present, delete the two affected war packages immediately and restart the WebLogic service (these archives provide the asynchronous web-service response and WS-AtomicTransaction services, so confirm first that no deployed application depends on them);
  2. Because the two affected war packages cover many routes, as shown below, it is recommended to adopt a policy that denies URL access to the /_async/ and /wls-wsat/ paths;
    ![](/Article/UploadPic/2019-6/201961816821464.png)
    Routes of wls-wsat.war
    ![](/Article/UploadPic/2019-6/201961816821982.png)
    Routes of bea_wls9_async_response.war
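A self-check that puts the two recommendations together, as an added example that is not Alibaba Cloud's tooling or the page's own code: it walks a WebLogic home for the two affected archives, and it classifies request paths against the /_async/ and /wls-wsat/ rule only after normalising percent-encoding, `;` path parameters and dot segments, because a naive prefix match on the raw path is easy to slip past. Assumed, not stated on the page: that the archives are plain files named wls-wsat.war and bea_wls9_async_response.war somewhere under the WebLogic home, the endpoint names used in the sample requests, and the sample directory tree, which is constructed in a temporary directory.

```python
"""Self-check helpers for the two workarounds above (added example).

Assumptions not taken from the advisory: the affected archives exist as files
named wls-wsat.war and bea_wls9_async_response.war under the WebLogic home,
and the proxy or WAF sees the raw request path. Endpoint names in the sample
requests are illustrative.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

AFFECTED_WARS = ("wls-wsat.war", "bea_wls9_async_response.war")
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")


def find_affected_wars(wl_home):
    """Return paths (relative to wl_home, POSIX style) of affected archives still on disk."""
    root = Path(wl_home)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in AFFECTED_WARS:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def normalize_path(raw_path):
    """Canonicalise a request path before matching: drop the query string,
    percent-decode twice (defeats double encoding), strip ';param' matrix
    parameters from each segment, collapse '//' and resolve '.' and '..'
    so that '/x/../_async/' is seen as '/_async/'."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def should_block_path(raw_path):
    """True if the request targets one of the two affected web services.
    Matching is case-insensitive so a WAF rule errs on the side of blocking."""
    norm = normalize_path(raw_path).lower()
    # Accept the bare prefix ('/_async') as well as anything beneath it.
    return any(norm == p.rstrip("/") or norm.startswith(p) for p in BLOCKED_PREFIXES)


def build_sample_home():
    """Create a throwaway directory tree mimicking a WebLogic home (constructed data)."""
    home = Path(tempfile.mkdtemp(prefix="wl_home_"))
    lib = home / "server" / "lib"
    lib.mkdir(parents=True)
    for name in AFFECTED_WARS + ("other.war",):  # other.war is an unaffected decoy
        (lib / name).write_bytes(b"PK")
    return str(home)


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else build_sample_home()
    for war in find_affected_wars(home):
        print("affected archive still present:", war)
    for p in ("/_async/AsyncResponseService",
              "/console/../wls-wsat/CoordinatorPortType",
              "/%5Fasync;x=1/AsyncResponseService?debug=1",
              "/console/login/LoginForm.jsp"):
        print(p, "->", "BLOCK" if should_block_path(p) else "allow")
```

Run it as `python selfcheck.py /path/to/wlserver` to list archives that are still present after the removal step; an empty list plus a restart is the expected end state. The normalisation in `normalize_path` is the part worth keeping if the rule is implemented elsewhere: a prefix match that runs before decoding and dot-segment resolution blocks the textbook request and little else.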
