Jump to content
Sign in to follow this  
The AchieVer

'Highly Critical' Unpatched Zero-Day Flaw Discovered In Oracle WebLogic

Recommended Posts

The AchieVer

'Highly Critical' Unpatched Zero-Day Flaw Discovered In Oracle WebLogic

 
oracle weblogic server vulnerability

 

A team of cybersecurity researchers today published a post warning enterprises of an unpatched, highly critical zero-day vulnerability in Oracle WebLogic server application that some attackers might have already started exploiting in the wild.

Oracle WebLogic is a scalable, Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud. It's popular across both, cloud environment and conventional environments.

Oracle WebLogic application reportedly contains a critical deserialization remote code execution vulnerability that affects all versions of the software, which can be triggered if the "wls9_async_response.war" and "wls-wsat.war" components are enabled.

The vulnerability, spotted by the researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization.

 

oracle weblogic server vulnerability
 
"Since the WAR package has a defect in deserializing the input information, the attacker can obtain the authority of the target server by sending a carefully constructed malicious HTTP request, and execute the command remotely without authorization," explains Chinese National Information Security Vulnerability Sharing Platform (CNVD).
The researchers also shared details of the zero-day vulnerability, tracked as CNVD-C-2019-48814, with the Oracle's team, but the company has not yet released a patch. The affected Oracle WebLogic versions are as follows: 
 
  • WebLogic 10.X
  • WebLogic 12.1.3

According to the ZoomEye cyberspace search engine, more than 36,000 WebLogic servers are publicly accessible on the Internet, though it's unknown how many of these have the vulnerable components enabled.


A maximum number of Oracle WebLogic servers are deployed in the United States and China, with a lesser number in Iran, Germany, India, and so on.

 

oracle weblogic server vulnerability

 

Since Oracle releases security updates every three months and had already released a Critical Patch Update just this month, this zero-day issue is unlikely to be patched anytime soon (i.e., not before July), unless the company decides to roll out an out-of-band security update.

So, until the company releases an update to patch the vulnerability, server administrators are highly recommended to prevent their systems from exploitation by changing either of the two following settings:

 

  • Finding and deleting wls9_async_response.war, wls-wsat.war and restarting the Weblogic service, or 
  • Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.

 

Since Oracle WebLogic servers are an often target of attackers, there will be no surprise if attackers have already started exploiting this zero-day and then use vulnerable servers for their nefarious purposes.
 
 
 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...