CVSS3: 9.8 High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.976 High
Percentile: 100.0%
On June 11, the Alibaba Cloud security team discovered a 0day vulnerability that bypasses the WebLogic CVE-2019-2725 patch and reported it to Oracle immediately; on June 12 Oracle officially confirmed it. Because Oracle has not yet released an official patch, the vulnerability details and the real PoC are not being disclosed. To protect customers, the Alibaba Cloud Web Application Firewall (WAF) has issued an emergency rule update and now defends against this vulnerability by default.

I. Vulnerability overview

WebLogic Server is application-server middleware developed by Oracle Corporation of the United States for both cloud and traditional environments; it is widely used in insurance, securities, banking and other financial sectors.

Because the newly discovered 0day bypass of the WebLogic CVE-2019-2725 patch is reached over the HTTP protocol rather than the T3 protocol, it has previously been used by hackers for large-scale cryptocurrency mining and similar activity. Both WebLogic 10.x and WebLogic 12.1.3 are affected.

Given the high severity of this vulnerability, Alibaba Cloud reminds customers to check carefully whether their business uses WebLogic and whether the /_async/ and /wls-wsat/ access paths are exposed. In addition, customers taking part in the Ministry of Public Security's network-protection ("HuWang") exercise should pay particular attention.

II. Discovery of the WebLogic Server vulnerability

The Alibaba Cloud security team tested with Oracle's official JDK 8u211 and the CVE-2019-2725 patch released in April applied, and found that the vulnerability is still present. Given how widely WebLogic Server is deployed, the impact of this vulnerability is considerable.

![](/Article/UploadPic/2019-6/201961816820774.png)
Vulnerability attack demo

The vulnerability uses a feature of JDK 1.7 and later to bypass the restrictions that the CVE-2019-2725 patch places on XMLDecoder tags. Below is the CVE-2019-2725 patch's filter for the class tag.

![](/Article/UploadPic/2019-6/201961816821715.png)

III. Security recommendations

Since Oracle has not yet published an official patch, the Alibaba Cloud security team offers the following solutions:
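The advice above is to check whether the /_async/ and /wls-wsat/ paths are reachable on your WebLogic hosts. As an added example (not Alibaba Cloud's code), the Python below shows one way to answer that from evidence you already have: it parses web-server access log lines in NCSA combined format and reports every request whose path starts with either prefix, grouped by source address and HTTP method so repeated POSTs from one client stand out. The log lines, IP addresses and endpoint names are constructed sample data; the log format and the two watched prefixes are assumptions about the deployment.

```python
import re
from collections import Counter

# Constructed sample access log lines (NCSA combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jun/2019:08:01:12 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2019:08:01:15 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2019:08:01:20 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1024 "-" "python-requests/2.21"
192.0.2.33 - - [18/Jun/2019:08:02:02 +0800] "GET /wls-wsat/ HTTP/1.1" 404 300 "-" "curl/7.64"
192.0.2.33 - - [18/Jun/2019:08:02:09 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.64"
"""

# The two web-service paths the advisory asks administrators to check for exposure.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# client ip, identd, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_watched_path(path):
    """True if the request path (query string ignored) is under a watched prefix."""
    path = path.split("?", 1)[0]
    return path.startswith(WATCHED_PREFIXES)


def find_watched_requests(lines):
    """All parsed records whose path falls under /_async/ or /wls-wsat/."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_watched_path(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source ip, method) so one client hammering the endpoints is obvious."""
    return Counter((h["ip"], h["method"]) for h in hits)


if __name__ == "__main__":
    hits = find_watched_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    for (ip, method), n in summarize(hits).items():
        print(f"{ip} {method}: {n} request(s) to watched paths")
```

Any hit at all means the path is reachable from that client's network position and is worth comparing against your inventory of hosts that are supposed to expose these services; a 404 from /wls-wsat/ still tells you the request got as far as WebLogic.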