Attackers looking to compromise Oracle WebLogic servers have a new zero-day RCE flaw at their disposal.

“Oracle WebLogic’s wls9_async and wls-wsat components trigger a deserialization remote command execution vulnerability. This vulnerability affects all WebLogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled,” KnownSec 404 researchers warn.
About Oracle WebLogic
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. Its last stable release – 12cR2 (12.2.1.3) – dates back to August 2017.
According to the researchers, tens of thousands of WebLogic servers can be found across the world, predominantly deployed in the US and China but also in Iran, Germany, India, and elsewhere. How many of these are actually vulnerable is not yet known.

The danger
Oracle WebLogic Servers are often targeted by attackers, who are usually intent on compromising them and using their copious resources for covert crypto-mining.
As they are often deployed in enterprise settings and connected to other enterprise systems, they could also be exploited to steal sensitive data (PII, IP, etc.).
Oracle recently released a Critical Patch Update and the next one is scheduled for July. If the company decides against publishing an out-of-band security update for this flaw, the researchers advise server administrators to keep their machines safe from exploitation by either:
- Finding and deleting wls9_async_response.war and wls-wsat.war and then restarting the WebLogic service, or by
- Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.
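The two mitigations above as a small shell script, added here as an example; it is not from the article or from KnownSec 404. It assumes a typical WebLogic 12c directory layout (originals under wlserver/server/lib, unpacked copies under a domain's servers/<name>/tmp/_WL_internal), that a front-end proxy or WebLogic URL-pattern policy is what enforces the path block, and that a 403 or 404 from a probe means the path is no longer served; the sample request paths in the demo are illustrative, and the only names taken from the advisory are the two WAR files and the two URL prefixes.

```sh
#!/bin/sh
# Added example, not from the Help Net Security article or KnownSec 404:
# helpers for the two mitigations (remove the WARs, block the URL paths).
# Directory layout and HTTP status codes below are assumptions about a
# typical WebLogic 12c install, not facts from the advisory.
set -eu

# List every copy of the two WAR files named in the advisory under ROOT,
# one per line. The whole installation root is searched because the server
# may hold unpacked copies under <domain>/servers/<name>/tmp/_WL_internal
# in addition to the originals in wlserver/server/lib (assumed layout).
find_wls_components() {
  local root="$1"
  find "$root" -type f \( -name wls9_async_response.war -o -name wls-wsat.war \) 2>/dev/null | sort
}

# Move each copy into BACKUP (so the change can be reverted) rather than
# deleting it outright. The managed server still has to be restarted for
# the /_async and /wls-wsat endpoints to disappear; this script does not do that.
remove_wls_components() {
  local root="$1" backup="$2"
  mkdir -p "$backup"
  find_wls_components "$root" | while IFS= read -r f; do
    mv "$f" "$backup/$(printf '%s' "$f" | tr / _)"
  done
}

# Return 0 when a request path falls under the advisory's deny patterns
# (/_async/* and /wls-wsat/*); the bare prefixes are treated as blocked too.
# Whatever enforces this (reverse proxy or WebLogic URL-pattern policy) must
# match on the normalized path, i.e. after '..' and '//' have been resolved.
is_blocked_path() {
  case "$1" in
    /_async|/_async/*|/wls-wsat|/wls-wsat/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe a live server after the change. Assumption: 403 or 404 means the path
# is no longer served; any other code means the component is still reachable.
# Needs a network, so the offline demo below does not call it.
check_path_blocked() {
  local base="$1" path="$2" code
  code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path" || printf 000)
  case "$code" in
    403|404) printf '%s blocked (%s)\n' "$path" "$code"; return 0 ;;
    *)       printf '%s still reachable (%s)\n' "$path" "$code"; return 1 ;;
  esac
}

# Constructed sample tree (not a real installation) to exercise the helpers offline.
demo() {
  local root backup p
  root=$(mktemp -d); backup=$(mktemp -d)
  mkdir -p "$root/wlserver/server/lib" "$root/domains/base_domain/servers/AdminServer/tmp/_WL_internal"
  : > "$root/wlserver/server/lib/wls9_async_response.war"
  : > "$root/wlserver/server/lib/wls-wsat.war"
  : > "$root/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat.war"
  : > "$root/wlserver/server/lib/weblogic.jar"   # unrelated file, must be left alone
  printf 'before: %s copies\n' "$(find_wls_components "$root" | grep -c .)"   # 3
  remove_wls_components "$root" "$backup"
  printf 'after:  %s copies, %s backed up\n' \
    "$(find_wls_components "$root" | grep -c .)" "$(ls "$backup" | grep -c .)"   # 0, 3
  for p in /_async/AsyncResponseService /wls-wsat/CoordinatorPortType /console/login; do
    if is_blocked_path "$p"; then echo "deny  $p"; else echo "allow $p"; fi
  done
  rm -rf "$root" "$backup"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the dry run on the constructed tree; against a real install, point `find_wls_components` at the Oracle home and the domain directories, restart the managed servers after `remove_wls_components`, and use `check_path_blocked http://host:7001 /_async/AsyncResponseService` (and the /wls-wsat path) to confirm that the endpoints are gone.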
While the researchers did not publish an exploit for the flaw, there’s no doubt that attackers will create one soon and start prowling for vulnerable installations.
The flaw has been reported to Oracle, but is yet to receive a CVE number. It can be currently tracked under the following identifier: CNVD-C-2019-48814.
from Help Net Security http://bit.ly/2PsZxpq