Unpatched Vulnerability Alert - WebLogic Zero Day

Published: 2019-04-25
Last Updated: 2019-04-26 20:48:34 UTC
by Rob VandenBrink (Version: 4)
9 comment(s)

The news today is full of a new deserialization vulnerability in Oracle WebLogic. This affects all current versions of the product (the POC is against 10.3, but 12.x versions are also affected). The vulnerability affects the wls9_async_response package (which is not included by default in all builds), so the workaround is to either ACL the /_async/* and /wls-wsat/* paths, or delete wls9_async_response.war. A successful attack gets the attacker remote code execution on the vulnerable server.
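One way to check whether the workaround is actually in place is to look for requests to those two paths in the access log. The script below is an added example, not part of the original diary or any Oracle tooling; it assumes Common Log Format, and the sample lines, IP addresses and resource names are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Path prefixes named in the workaround above.
WATCHED = ("/_async", "/wls-wsat")
# Common Log Format is assumed; adjust the pattern to your access log.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Constructed sample lines: documentation IPs and made-up resource names.
TS = "[26/Apr/2019:10:01:02 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /index.html HTTP/1.1" 200 3412',
    f'198.51.100.7 - - {TS} "POST /_async/example HTTP/1.1" 202 0',
    f'203.0.113.9 - - {TS} "POST /%5Fasync/example HTTP/1.1" 403 0',
    f'203.0.113.9 - - {TS} "GET /app/..//WLS-WSAT/example?x=1 HTTP/1.1" 404 0',
    f'192.0.2.10 - - {TS} "GET /static/_async.js HTTP/1.1" 200 120',
]

def normalize(target):
    """Reduce a request target to the path an ACL should be evaluated against."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # undo nested percent-encoding such as %255F
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", "/" + path.replace("\\", "/"))
    return posixpath.normpath(path).lower()

def watched_hits(lines):
    """Return (client, method, path, status) for requests under a watched prefix."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = normalize(target)
        if any(path == p or path.startswith(p + "/") for p in WATCHED):
            hits.append((client, method, path, int(status)))
    return hits

def still_served(hits):
    """Hits not answered 403 (ACL) or 404 (WAR removed): the workaround is missing."""
    return [h for h in hits if h[3] not in (403, 404)]

if __name__ == "__main__":
    print("unmitigated:", still_served(watched_hits(SAMPLE_LOG)))
```

Any entry returned by `still_served` means the component answered the request, so the ACL or WAR removal has not taken effect on that server.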

The root cause here seems to be that the affected WAR components ingest and process all serialized data, and have a blocklist of "bad" content.  What this means to me is that we're likely to see a number of similar vulnerabilities / attacks crop up over the next while, until Oracle changes this approach.

Indications are that this is in the "tens of thousands" of affected sites, not hundreds or thousands or millions (not yet at least).

The vulnerability is posted as CNVD-2018-07811 (China National Vulnerability Database) at http://www.cnvd.org.cn/flaw/show/CNVD-2018-07811.  We don't have a CVE yet.

This bug was originally disclosed by the China Minsheng Banking Co. There's a good write-up by the KnownSec 404 Team with a bit more detail here: https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93

This comes just one week after Oracle's "Patch Everything" Critical Patch Update (CPU). The next CPU isn't due for 3 months, so it'll be interesting to see what the out-of-band response patch or patches (if any) to this might be.

Stay tuned - we'll update this story as we get more information - in particular if we see attacks in the wild we'll post IoCs as we get them.

======= Update 1 =======

Thanks to our reader who commented below!

The matching CVE number for this is CVE-2018-2628, which was identified as patched last year (Oracle's CPU - Critical Patch Updates found here: https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html). However, the POC mentioned was against a patched server, so I guess the patch isn't complete - nor can it be, given Oracle's approach against this issue.

======= Update 2 =======

POC posts are at:
https://twitter.com/jas502n/status/1121120045617176576
https://twitter.com/jas502n/status/1120911506785230848

POC code is here (we have not tested this, so use this at your own risk):
https://github.com/jas502n/CVE-2018-2628

======= Update 3 =======

Thanks to one of our readers ("anonymous" in the comment section :-) ) who gave us the heads-up that Oracle gave this a new CVE and has released a patch for it.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
https://blogs.oracle.com/security/security-alert-cve-2019-2725-released

Note though that the underlying vulnerability for all of these problems is how the associated attacks are detected - with a blocklist of "known badness" for deserialization. What this means is that while this specific case has been patched, we should expect similar, perhaps even nearly-identical issues to continue to crop up on this product. Even with the patch out, for this reason I'd still suggest that WebLogic admins disable or ACL the affected WAR components if at all possible. If not, be sure that your server is virtualized and you have an image backup; you might need it.
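The difference between the blocklist approach described above (and in the root-cause paragraph earlier) and an allowlist can be shown with a small filter. This is an added example, not Oracle's code: it uses Python's pickle as a stand-in for WebLogic's Java deserialization, and the class lists and "endpoint" are constructed, with harmless standard-library types playing the listed and not-yet-listed classes.

```python
import io
import pickle
from collections import OrderedDict
from decimal import Decimal
from fractions import Fraction

# Constructed stand-ins: Decimal plays the class a previous fix added to the
# blocklist, Fraction a class nobody has reported yet. Both are harmless.
KNOWN_BAD = {("decimal", "Decimal")}
# The only type this hypothetical endpoint is meant to receive.
EXPECTED = {("collections", "OrderedDict")}

class BlocklistUnpickler(pickle.Unpickler):
    """Resolve any class unless it is on the list of known-bad names."""
    def find_class(self, module, name):
        if (module, name) in KNOWN_BAD:
            raise pickle.UnpicklingError(f"blocklisted: {module}.{name}")
        return super().find_class(module, name)

class AllowlistUnpickler(pickle.Unpickler):
    """Resolve a class only if the application expects it."""
    def find_class(self, module, name):
        if (module, name) not in EXPECTED:
            raise pickle.UnpicklingError(f"not expected: {module}.{name}")
        return super().find_class(module, name)

def accepts(unpickler_cls, data):
    """True if the filter lets the serialized object through."""
    try:
        unpickler_cls(io.BytesIO(data)).load()
        return True
    except pickle.UnpicklingError:
        return False

LEGIT = pickle.dumps(OrderedDict(a=1))
PATCHED_LAST_YEAR = pickle.dumps(Decimal("1.5"))
NOT_YET_REPORTED = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    for label, data in [("legit", LEGIT), ("patched", PATCHED_LAST_YEAR),
                        ("new", NOT_YET_REPORTED)]:
        print(label, accepts(BlocklistUnpickler, data),
              accepts(AllowlistUnpickler, data))
```

The blocklist filter instantiates the unlisted class because nothing has named it yet, while the allowlist filter rejects it without needing an update.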


Comments

The CVE listed on the CNVD is CVE-2018-2628 and they also list a security tracker link: https://securitytracker.com/id/1040696 The security tracker link says there is a patch for one of the exploit versions, and that this is being actively exploited.

https://www.screenshotmachine.com/serve.php?img=cnvd-org-cn-1024x768desktop-9ee21f.png

Can you please clarify if this data is in fact related to your post?

Security tracker info:

SecurityTracker Alert ID: 1040696
SecurityTracker URL: http://securitytracker.com/id/1040696
CVE Reference: CVE-2018-2628 (Links to External Site)
Updated: May 3 2018
Original Entry Date: Apr 17 2018
Impact: User access via network
Vendor Confirmed: Yes
Version(s): 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
Description: A vulnerability was reported in Oracle WebLogic Server. A remote user can gain elevated privileges.

A remote user can exploit a flaw in the Oracle WebLogic Server WLS Core Components to gain elevated privileges.

This vulnerability is being actively exploited.

Liao Xinxi of NSFOCUS Security Team and loopx9 reported this vulnerability.
Impact: A remote user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix as part of the April 2018 Critical Patch Update.

[Editor's note: It is reported that the patch blocks one exploit method but does not correct the underlying vulnerability and does not prevent exploitation: https://twitter.com/gossithedog/status/987448846887411712]

The vendor advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Vendor URL: www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (Links to External Site)
Cause: Not specified
Underlying OS: Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Thanks for the CVE number!
I do see it mentioned on the CNVD note now, and in the Oracle CPU notes, but the POC mentioned was against a server with the latest CPUs applied.

We were discussing this internally with the ISC team, it sounds like the deserialization protections enumerate "known badness", and successive updates to this code just add to the list of specific "this works" signatures. So the underlying problem has not been fixed, which explains why the POC is working on a fully patched server.

Is the POC public and where is it available?

So the underlying vulnerability of enumerating everything, that was discovered last year, wasn't actually "patched", just that the specific exploit mentioned there was added to the blacklist that's compared after enumeration? If the underlying problem of enumerating anything that's sent and comparing it to the blacklist still exists, new ways to break it on enumeration will probably continue to be discovered...

Hi,

I'm really confused by this post. KnownSec 404 Team references http://www.cnvd.org.cn/webinfo/show/4989 with an ID of CNVD-C-2019-48814. I'm not sure this is related to the 2018 CVE referenced.

Also, I looked at this CPU from Oracle and I see a CVE-2019-2628, not a CVE-2018-2628.

ZDNet indicates the 2018 CVE is a separate issue: "Other attacks have also been detected aimed at CVE-2018-2628 and CVE-2018-2893, another set of Oracle WebLogic flaws." https://www.zdnet.com/article/new-oracle-weblogic-zero-day-discovered-in-the-wild/

Could you please clarify?

The "patch" for this was in the Oracle CPU for April 2018, that one does list CVE-2018-2826 (which is the bug we're discussing)
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Unfortunately, as discussed this patch was all about updating a blacklist. This approach doesn't seem to be working out so well for them :-)

The reason the timing is so unfortunate is that this happened just after the Oracle CPU patches for April 2019 were released. This means that the next set of patches isn't scheduled for another 3 months (unless they fix this one out of band).

Or maybe the timing is a good thing - they might take those 3 months and change how they're mitigating against this "style" of deserialization attacks.

In the meantime, the mitigations suggested take care of all similar attacks (against those components anyway), so that'd be my approach, as long as the app doesn't require those components.
(sorry about the "oops" on the original post, the patch was in last year's CPU updates, it's corrected)

Please clarify: The CNVD published the vulnerability as CNVD-C-2019-48814

http://www.cnvd.org.cn/webinfo/show/4999

But the link mentioned in the post is 2018. The post by Knownsec also linked to the above link, not 2018. Thanks.

Oracle just released a Security Alert Advisory for this issue.
The official CVE# is: CVE-2019-2725.

The Advisory:
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

Blog post clarifying that this issue is *NOT* CVE-2018-2628, CVE-2018-2893, and CVE-2017-10271.
https://blogs.oracle.com/security/security-alert-cve-2019-2725-released
