ASA-2019-00239 – WebLogic: wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability


Allele Security Alert

ASA-2019-00239

Identifier(s)

ASA-2019-00239, CVE-2019-2725, CNVD-C-2019-48814

Title

wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability

Vendor(s)

Oracle

Product(s)

Oracle WebLogic Server

Affected version(s)

Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0

Fixed version(s)

Critical Patch Update April 2019

Proof of concept

Yes

Description

This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The Oracle WebLogic wls9_async and wls-wsat components are affected by a deserialization vulnerability that allows remote command execution. It affects all WebLogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.
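As an added example (not part of this alert, Oracle's code, or any of the referenced write-ups), the following Python script performs the two defender-side checks that follow from the description above: it reports whether the two named components are present among a domain's deployed artifacts, and it flags POST requests to those components' web context roots in WebLogic access-log lines. The context-root prefixes `/_async/` and `/wls-wsat/`, the sample file paths and the log lines are assumptions or constructed samples, not values taken from the page.

```python
import os
import re
from typing import Dict, Iterable, List

# Deployable components named in the advisory: a domain with either of them
# enabled is in the affected population.
VULNERABLE_COMPONENTS = ("wls9_async_response.war", "wls-wsat.war")

# Assumption (not stated on the advisory page): the web context roots served by
# those two components, derived from the component names.
SUSPECT_PATH_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format line, as written by WebLogic's default access.log.
_CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def find_vulnerable_components(artifact_names: Iterable[str]) -> List[str]:
    """Return the advisory-listed component names present in artifact_names."""
    present = {os.path.basename(name) for name in artifact_names}
    return [c for c in VULNERABLE_COMPONENTS if c in present]


def scan_domain(domain_root: str) -> List[str]:
    """Walk a directory tree and return full paths of listed components found on disk."""
    found = []
    for dirpath, _dirs, files in os.walk(domain_root):
        found.extend(os.path.join(dirpath, f) for f in files if f in VULNERABLE_COMPONENTS)
    return found


def flag_suspicious_requests(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag POST requests to the suspect context roots in access-log lines.

    The affected services take SOAP bodies by POST, so a POST under /_async/ or
    /wls-wsat/ from outside the expected client population deserves review.
    GET requests (for example WSDL fetches by monitoring tools) are not flagged.
    """
    hits = []
    for line in log_lines:
        m = _CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        if m.group("method") == "POST" and m.group("path").startswith(SUSPECT_PATH_PREFIXES):
            hits.append({
                "client": m.group("client"),
                "path": m.group("path"),
                "status": m.group("status"),
                "ts": m.group("ts"),
            })
    return hits


# Constructed sample data (hypothetical paths and log lines, not a real domain).
SAMPLE_ARTIFACTS = [
    "/u01/oracle/wlserver/server/lib/wls9_async_response.war",
    "/u01/oracle/wlserver/server/lib/wls-wsat.war",
    "/u01/oracle/domains/base_domain/apps/myapp.war",
]
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2019:09:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096',
    '203.0.113.9 - - [26/Apr/2019:09:12:44 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '203.0.113.9 - - [26/Apr/2019:09:13:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1203',
    '10.0.0.7 - - [26/Apr/2019:09:14:10 +0000] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 2310',
]

if __name__ == "__main__":
    print("affected components present:", find_vulnerable_components(SAMPLE_ARTIFACTS))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("review:", hit)
```

Run against a real domain by passing the domain directory to `scan_domain` and the access log lines to `flag_suspicious_requests`; a non-empty result from the first confirms the component condition in the description applies, and the second narrows the log to requests that reach those components, which is where the April 2019 Critical Patch Update state of the server, rather than the log alone, decides the exposure.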

Technical details

Unknown

Credits

Badcode (Knownsec 404 Team), Hongwei Pan (Minsheng Banking Corp.), Liao Xinxi (NSFOCUS Security Team), Lin Zheng (Minsheng Banking Corp.), Song Keya (Minsheng Banking Corp.), Tianlei Li (Minsheng Banking Corp.), ZengShuai Hao and Zhiyi Zhang (360 ESG Codesafe Team)

Reference(s)

Oracle Security Alert Advisory – CVE-2019-2725
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert(update on 26th April)
https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93

Oracle Weblogic Server – ‘AsyncResponseService’ Deserialization Remote Code Execution (Metasploit)
https://www.exploit-db.com/exploits/46814

WebLogic RCE (CVE-2019–2725) Debug Diary
https://medium.com/@knownsec404team/weblogic-rce-cve-2019-2725-debug-diary-bb5b3b8b9e6

Security announcement on the deserialization remote command execution vulnerability in the Oracle WebLogic wls9-async component
http://www.cnvd.org.cn/webinfo/show/4989

WebLogic RCE (CVE-2019-2725) Debug Diary
https://paper.seebug.org/910/

Analysis of the WebLogic XMLDecoder RCE
https://paper.seebug.org/487/

CVE-2019-2725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725

CVE-2019-2725
https://nvd.nist.gov/vuln/detail/CVE-2019-2725

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.