Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in April 2019



Oracle WebLogic WLS Security Component RCE (CVE-2019-2725)

On April 21, 2019, information regarding a deserialization vulnerability in Oracle WebLogic Server was published by KnownSec 404 Team. According to the CVE, the vulnerability exists in the Web Services subcomponent of Oracle WebLogic. Similar to the previous Oracle WebLogic vulnerability discussed above, this new vulnerability also stems from unsafe deserialization that leads to RCE. Threat actors wasted no time in adding this zero-day threat vector to their arsenals, and we started detecting campaigns with the payload for CVE-2017-10271 but the endpoint for CVE-2019-2725.

Various PoC exploits were posted online, but initially none of them targeted the newly found vulnerability. Instead, they used an older Java code injection gadget. Oracle had released a patch for that older vulnerability in October 2017. Therefore, if the correct patches had been applied to an Oracle WebLogic Server installation, the initial few threat campaigns would not have been fruitful for the threat actors.

On April 26, Oracle released an out-of-band security alert for CVE-2019-2725 clarifying that this is a different vulnerability from CVE-2017-10271 and recommending that affected systems be patched as soon as possible. The vulnerability exists in the wls9_async_response.war package. This package is included by default in some versions of Oracle WebLogic Server and provides asynchronous communication for the WebLogic Server service. The unsafe deserialization vulnerability exists within the weblogic.wsee.async.AsyncResponseBean class.

To exploit this vulnerability, a threat actor needs to construct a normal SOAP message. Within the message, the threat actor then needs to assign values to weblogic.wsee.addressing.RelatesTo to reach the unsafe deserialization point. The classes most commonly detected in attempts to exploit this vulnerability are:

  • oracle.toplink.internal.sessions.UnitOfWorkChangeSet
  • com.sun.rowset.JdbcRowSetImpl
  • org.slf4j.ext.EventData
  • java.lang.ProcessBuilder
  • com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

As shown in Figure 3, the threat actor sends this request to a WebLogic server. If the server is vulnerable, it will send an HTTP 202 response back indicating that it’s vulnerable.
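
The class list and the HTTP 202 behaviour described above can be turned into a log triage check. The following Python is an added example, not code from the original article; the `/_async/` path prefix, the event dictionary layout and the sample events are assumptions constructed for illustration.

```python
import html
import re

# Class names the article lists as most commonly detected for CVE-2019-2725.
GADGET_CLASSES = (
    "oracle.toplink.internal.sessions.UnitOfWorkChangeSet",
    "com.sun.rowset.JdbcRowSetImpl",
    "org.slf4j.ext.EventData",
    "java.lang.ProcessBuilder",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)
# Assumption: URL prefix where wls9_async_response is served (not stated on the page).
ASYNC_PREFIX = "/_async/"
RELATES_TO = re.compile(r"<\s*(?:[\w.-]+:)?RelatesTo\b", re.IGNORECASE)


def classes_in_body(body):
    """Return the listed class names found in a SOAP body, after decoding XML
    character references so that '&#106;ava.lang...' still matches."""
    decoded = html.unescape(body)
    return [c for c in GADGET_CLASSES if c in decoded]


def triage(event):
    """Classify one logged request (dict with method, path, status, body)."""
    if event["method"] != "POST" or not event["path"].startswith(ASYNC_PREFIX):
        return "ignore"
    body = html.unescape(event["body"])
    if not classes_in_body(body) or not RELATES_TO.search(body):
        return "ignore"
    # Per the article, an HTTP 202 reply indicates the server is vulnerable.
    return "investigate-host" if event["status"] == 202 else "attempt"


# Constructed sample events; the bodies are inert stubs, not captured traffic.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/_async/AsyncResponseService", "status": 202,
     "body": '<Envelope><Header><wsa:RelatesTo>x</wsa:RelatesTo>'
             '<x class="&#106;ava.lang.ProcessBuilder"/></Header></Envelope>'},
    {"method": "POST", "path": "/_async/AsyncResponseService", "status": 500,
     "body": '<Envelope><Header><RelatesTo>y</RelatesTo>'
             '<x class="com.sun.rowset.JdbcRowSetImpl"/></Header></Envelope>'},
    {"method": "POST", "path": "/_async/AsyncResponseService", "status": 202,
     "body": '<Envelope><Header><RelatesTo>z</RelatesTo></Header></Envelope>'},
    {"method": "POST", "path": "/app/upload", "status": 200,
     "body": 'docs mention java.lang.ProcessBuilder'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["path"], ev["status"], triage(ev))
```

A host that returns `investigate-host` answered a matching request with 202 and should be checked for patch level and signs of follow-on activity.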


