Harsh_Chawla
F5 Employee

On the 21st of April, information regarding a deserialization vulnerability in Oracle WebLogic was published by the KnownSec 404 Team.  Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation.  A quick ZoomEye search reveals that Oracle WebLogic is deployed on over 101,000 servers.
Five days later, Oracle released security alert CVE-2019-2725 for this vulnerability.

Figure 1 Oracle WebLogic has been deployed on over 101,000 servers

Exploit

The vulnerability lies in the wls9_async and wls-wsat components and affects all WebLogic versions.  Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect current threats and to gain insight into threat actors' attack patterns.

Immediately after this vulnerability was first published, we started detecting campaigns by threat actors looking to take advantage of this vulnerability.

Figure 2 One of the malicious requests targeting this vulnerability using an older gadget

Figure 3 Another malicious request targeting this vulnerability using an older gadget

In both of these campaigns, however, threat actors targeted the vulnerable WebLogic component endpoint _async using a known Java deserialization gadget.  The same gadgets were also used to execute malicious commands on vulnerable servers by exploiting CVE-2017-10271.

Based on our research, this vulnerability can also be exploited using a new gadget.  This gadget uses the UnitOfWorkChangeSet class to deserialize the bytecode of the payload.  The resulting bytecode object is then passed to XMLEncoder, which tries to create an XML file.  User-defined data that has been converted into a bytecode object is therefore deserialized unsafely, which leads to remote code execution.

Figure 4 Sample exploitation request

Figure 5 Invoking calc by exploiting this vulnerability

Mitigating the vulnerability with BIG-IP ASM

To mitigate this vulnerability, we have released new Server Side Code Injection signatures for WebLogic systems that address the new Java deserialization gadget.

  • 200004754 : Java code injection - oracle.toplink.internal.sessions.UnitOfWorkChangeSet (Parameter)
  • 200004755 : Java code injection - oracle.toplink.internal.sessions.UnitOfWorkChangeSet (Header)
  • 200004756 : Java code injection - oracle.toplink.internal.sessions.UnitOfWorkChangeSet
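As an added illustration (not part of the original post and not F5's ASM engine), the following Python mirrors the three contexts the signatures above distinguish, parameter, header and body, by checking each context of a raw HTTP request for the sensitive class name. The class name and the _async / wls-wsat paths come from the page; the sample requests are constructed and contain no gadget chain.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Class name from the page's signatures 200004754-200004756 and the endpoints it names.
GADGET_CLASS = "oracle.toplink.internal.sessions.UnitOfWorkChangeSet"
VULN_PATHS = ("/_async/", "/wls-wsat/")

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body

def inspect_request(raw):
    """Report the contexts (parameter, header, body) in which the gadget class appears."""
    target, headers, body = parse_http_request(raw)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # values come back URL-decoded
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body, keep_blank_values=True))
    findings = {
        "vulnerable_endpoint": url.path.startswith(VULN_PATHS),
        "parameter": any(GADGET_CLASS in v for values in params.values() for v in values),
        "header": any(GADGET_CLASS in unquote(v) for v in headers.values()),
        "body": GADGET_CLASS in unquote(body),  # decode %xx escapes before matching
    }
    findings["alert"] = findings["parameter"] or findings["header"] or findings["body"]
    return findings

# Constructed sample traffic (not captures from the page): a benign request and
# one whose SOAP body merely names the gadget class.
BENIGN_REQUEST = (
    "POST /_async/AsyncResponseService HTTP/1.1\r\nHost: weblogic.example\r\n"
    "Content-Type: text/xml\r\n\r\n"
    "<soapenv:Envelope><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"
)
SUSPICIOUS_REQUEST = (
    "POST /_async/AsyncResponseService HTTP/1.1\r\nHost: weblogic.example\r\n"
    "Content-Type: text/xml\r\n\r\n"
    "<soapenv:Envelope><soapenv:Body><data>"
    "oracle.toplink.internal.sessions.UnitOfWorkChangeSet</data>"
    "</soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, inspect_request(req))
```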

Figure 6 Newly released signature to detect exploitation of this vulnerability

Exploitation attempts observed in the wild that use the older Java deserialization gadget are detected by the existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type.

Figure 7 Attack signature for sensitive Java class

Figure 8 Attack signature for Java code injection

Further Reading

  1. https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerabil...
  2. https://blogs.oracle.com/security/security-alert-cve-2019-2725-released
Last update: 25-Apr-2019 15:42