Recently an additional method was found to bypass the recent patch (CVE-2019-2725) for unsafe deserialization in the “wls9_async_response” component of Oracle WebLogic. The vulnerability allows attackers to send a malicious XML payload to an endpoint residing in this component, where it is deserialized by Java XMLDecoder into Java objects.
This is the fourth time researchers have found a way around Oracle’s attempts to patch such vulnerabilities in this specific component - CVE-2017-3506, CVE-2017-10271, CVE-2019-2725 and now CVE-2019-2729. In each of the previously patched vulnerabilities Oracle’s approach was a blacklist – searching the received XML document for certain tags that could allow attackers to execute code.
The exploitation of this vulnerability targets older JDK versions (1.6), where the implementation of XMLDecoder is slightly different. To avoid using the “class” tag, which was blacklisted by Oracle in the recent patch, attackers can take advantage of the fact that older versions of XMLDecoder support a “method” attribute on a tag. All the attacker then needs to do is pass an “array” tag with a “method” attribute whose value is “forName”, the method that returns a Class object for a given name, which makes it equivalent to passing the “class” tag directly as in the original exploit.
Figure 1: CVE-2019-2725 exploit payload compared to CVE-2019-2729
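To show why a tag-name blacklist misses the variant described above, here is an added Python example (not from the original post or from F5) that checks both the “class” element and the method="forName" attribute. The two samples are constructed for this example, use a placeholder class name, and contain only the structural feature each variant relies on.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not real exploit payloads): each carries only the
# structural feature its variant relies on; the class name is a placeholder.
SAMPLE_CLASS_TAG = """<java version="1.6.0" class="java.beans.XMLDecoder">
  <class>placeholder.Example</class>
</java>"""

SAMPLE_METHOD_ATTR = """<java version="1.6.0" class="java.beans.XMLDecoder">
  <array method="forName"><string>placeholder.Example</string></array>
</java>"""


def naive_tag_blacklist(doc: str) -> bool:
    """The patch style the post describes: reject only if a blacklisted
    tag name appears in the document. Misses the "method" attribute variant."""
    return "<class" in doc


def flag_xmldecoder_class_loading(doc: str) -> list:
    """Parse the XMLDecoder document and report every element that can
    load a class by name: the <class> element (CVE-2019-2725 vector) and
    any element carrying method="forName" (CVE-2019-2729 vector).
    Unparseable input is reported as a finding so the check fails closed."""
    findings = []
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    for el in root.iter():
        if el.tag == "class":
            findings.append(("class-element", el.tag))
        if el.attrib.get("method") == "forName":
            findings.append(("method-forName", el.tag))
    return findings
```

The naive check accepts the second sample, while the structural check flags both; a detection should look at how a class gets loaded, not at one tag name.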
Mitigating the vulnerability with BIG-IP ASM
As the exploitation of this vulnerability relies on the same Java deserialization gadgets that were used in the exploitation of CVE-2019-2725, BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Java Servlets/JSP” System.
Figure 2: Exploitation attempt detected by signature id 200004756