Security researchers have discovered a new remotely exploitable vulnerability in Oracle WebLogic Server (WLS). The vulnerability, assigned CVE-2019-2725, is remotely exploitable without user authentication and has an overall CVSS score of 9.3 out of 10, making it a critical vulnerability.
Oracle released a security alert noting that versions of the server affected by this flaw include 10.3.6.0 and 12.1.3.0. The flaw, which is easily exploitable, is already being actively exploited in the wild to install ransomware, cryptocoin miners, and possibly other malicious software. Oracle "strongly recommends that customers apply the updates" as soon as possible.
At its core, the flaw is due to insufficient validation of deserialized XML data. With a specially crafted SOAP request, attackers can gain full code execution privileges on the server.
More specifically, the vulnerability exists in the async component of WLS on the /_async/AsyncResponseService endpoint. This internal endpoint handles the asynchronous request-response features.
When the AsyncResponseService endpoint receives a request, it iterates through a list of handlers, allowing each handler an opportunity to handle the request. One particular handler, the WorkAreaServerHandler, makes use of the WorkContextXmlInputAdapter, which in turn makes use of the XMLDecoder. This is the point at which the vulnerability occurs.
XMLDecoder is very similar in nature to an ObjectInputStream used to consume Serializable objects, the difference being that XMLDecoder utilizes an XML format to describe the serialized objects instead of a binary format. Without proper sanitization of input, arbitrary Java objects can be deserialized.
Unfortunately, this vulnerability is not the first of its kind for WebLogic or Java. A similar vulnerability was reported in WebLogic in 2017 (CVE-2017-10271). And Java in general is no stranger to deserialization vulnerabilities, as covered previously in the InfoQ article, The State of Java Serialization. Recognizing the need to stop these kinds of vulnerabilities, JEP-290 was introduced and released as part of Java 9.
Oracle recommends applying the patch immediately to resolve this issue. Other, non-official, recommendations include blocking access to all /_async/* URLs or deleting the WAR file and any related files for the async functionality.
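As an added example (not from the original article, Oracle, or WebLogic itself), the following Python pre-filter implements the non-official mitigation above at a reverse proxy or log-triage layer: any request to /_async/* is blocked, and a request whose SOAP envelope also carries a java.beans.XMLDecoder object graph is escalated to an alert, since that is the input path the text describes. The sample requests are constructed, and the element names are those of the XMLDecoder XML grammar.

```python
import xml.etree.ElementTree as ET

# Element names used by the java.beans.XMLDecoder format (the XML analogue of
# ObjectInputStream's binary stream described in the article).
XMLDECODER_TAGS = {"java", "object", "void", "new", "array", "class", "method", "property"}

# Constructed sample requests as (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/_async/AsyncResponseService", """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <java version="1.8.0" class="java.beans.XMLDecoder">
   <object class="java.lang.String"><string>constructed-sample</string></object>
  </java>
 </soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""),
    ("GET", "/console/login/LoginForm.jsp", ""),
    ("POST", "/_async/AsyncResponseService",
     '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
     '<soapenv:Body/></soapenv:Envelope>'),
]


def xmldecoder_tags_in(body):
    """Return the XMLDecoder grammar element names found anywhere in an XML body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return set()          # not well-formed XML: nothing for XMLDecoder to consume
    found = set()
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]   # drop any namespace prefix
        if local in XMLDECODER_TAGS:
            found.add(local)
    return found


def classify_request(method, path, body):
    """'allow' for other paths, 'block' for /_async/* (the recommended workaround),
    'alert' when the blocked request also embeds an XMLDecoder object graph."""
    if not path.startswith("/_async/"):
        return "allow"
    if xmldecoder_tags_in(body):
        return "alert"
    return "block"


def triage(requests):
    """Classify a batch of (method, path, body) tuples for review."""
    return [(m, p, classify_request(m, p, b)) for m, p, b in requests]
```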