weblogic
11 Topics

Oracle WebLogic Remote Code Execution (CVE-2019-2729)

Recently an additional method was found to bypass the recent patch (CVE-2019-2725) for unsafe deserialization in the “wls9_async_response” component of Oracle WebLogic. The vulnerability allows attackers to send a malicious XML payload to an endpoint residing in this component, which is then deserialized by Java XMLDecoder into Java objects. This is the fourth time researchers have found their way around Oracle's attempts to patch such vulnerabilities in this specific component: CVE-2017-3506, CVE-2017-10271, CVE-2019-2725 and now CVE-2019-2729. For each of the previously patched vulnerabilities, Oracle's approach was a blacklist: searching the received XML document for certain tags that could allow attackers to execute code.

The exploitation of this vulnerability targets an older JDK version (1.6), where the implementation of XMLDecoder is slightly different. To avoid using the “class” tag, which Oracle blacklisted in the recent patch, attackers can take advantage of the fact that older versions of XMLDecoder support the “method” attribute on a tag. All the attacker then needs to do is pass an “array” tag with a “method” attribute containing the “forName” method, which returns a Class object for a given name, making it equivalent to passing the “class” tag directly as in the original exploit.

Figure 1: CVE-2019-2725 exploit payload compared to CVE-2019-2729

Mitigating the vulnerability with BIG-IP ASM

As the exploitation of this vulnerability relies on the same Java deserialization gadgets used to exploit CVE-2019-2725, BIG-IP ASM customers on any supported BIG-IP version are already protected against it. The exploitation attempt is detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Java Servlets/JSP” system.

Figure 2: Exploitation attempt detected by signature id 200004756

Additional References
https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15
https://meterpreter.org/weblogic-rce-vulnerability-cve-2019-2725-patch-bypassed/

Load Balance Host Headers
I posted last week asking for assistance load balancing WebLogic apps. I received some good responses, but they didn't work. I submitted an F5 support case and was basically told they don't help build new configurations, only fix "broken" ones and I should use professional services. I found some third party WebLogic admin books that suggest load balancers should NOT replace proxies, but be used with them. So my current issue. I had an existing IIS server using host headers to accept the incoming requests, handle SSL requirements and proxy (forward) HTTP requests to some WebLogic nodes. I changed DNS and put F5 in front of this (still using a single VIP entry point) to route to the same IIS box then proxy to WebLogic. With this setup I have a few sites (4 out of 11) that seem ok. The rest show infinite loops on the redirects. I've rechecked the IIS config multiple times to make sure the SSL redirects were removed and sites are now HTTP only. The IIS logs seem to show that the traffic actually never gets to the IIS server. I can't seem to figure out how I introduced this redirect. I'm wondering if I need to remove the idea of "host headers" on IIS or F5 or both to get this stable and working.

F5 routing tcp traffic to WebLogic Managed servers
Hi, I have a clustered WebLogic server (ver 12.2.1.3) hosting a JMS server with distributed queues and topics.

1) When the JMS client connects to these WebLogic managed servers over t3://WL1:7001,WL2:7001, it works as expected, which rules out any issues with WebLogic.

2) Now, when I try adding F5 (as external load balancer with virtual service and virtual port # the same as the backend WebLogic servers) and run the JMS client using t3://f5jms:7001, it works as expected.

3) However, when the virtual server port is changed to something else (other than what is used by the backend WL server), the client throws the following error:

    t3://f5jms:8001 java.net.SocketException: Connection reset; No available router to destination.; nested exception is: java.rmi.ConnectException: No available router to destination. [Root exception is java.net.ConnectException: t3://XXXXXXXXX:8002: Destination XXXXXX, 8002 unreachable.; nested exception is: java.net.SocketException: Connection reset; No available router to destination.; nested exception is: java.rmi.ConnectException: No available router to destination.]

I don't see any error message in the WL server logs or anything related to the traffic. I took a tcpdump on the host where the WL server is hosted, and I see traffic coming to the WebLogic server from the SNAT IP (F5), however I don't see any ACK back from WebLogic to the SNAT; finally the SNAT gives up and a RST is issued.

I tried searching on the forum; the closest I could get is https://devcentral.f5.com/s/question/0D51T00006i7gTNSAY/how-connect-weblogic-t3-protocol-with-virtual-server (a few years old question), where the person posting the question clearly stated that "if you want to connect to a wlst or a jms connection factory, the VS port must be the same of the weblogic server where the jms connection factory and the queue was created, or where you connect to wlst cli". Does it mean that the VS port needs to match what is used on the WebLogic servers? I am curious if it is possible to have the VS port and the backend WL port different by means of passing any JVM argument etc.

Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)
In October 2017 Oracle published a vulnerability concerning Oracle WebLogic and assigned CVE-2017-10271 to it. Since then no public information regarding this vulnerability was available until a few days ago, when an analysis of the vulnerability and a Proof-of-Concept exploit were published. The vulnerability stems from unsafe XML deserialization using Java XMLDecoder in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic. Attackers may send a crafted XML document to the aforementioned web service, which causes WebLogic to deserialize it and consequently allows an attacker to construct arbitrary Java objects and invoke their methods, resulting in remote code execution.

Figure 1: Part of the request exploiting the vulnerability.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are already protected against this 0-day vulnerability, as the exploitation attempt is detected by an existing Java code injection attack signature (200004174), which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Java Servlets/JSP” system.

Figure 2: Exploitation attempt blocked by signature id 200004174.

We will also be releasing a dedicated signature in the upcoming ASM Security Update.

How to setup F5 Big-IP LTM for Weblogic on different ports, same IP
Hi Everyone, I am a Weblogic/Oracle DB administrator. Currently we are establishing our web application on a Weblogic Cluster using two redundant Big-IP 1600 LTM devices. We have a 9-node Weblogic cluster on 3 different AIX 7.1 machines (each machine has 3 different Virtual Servers). Our F5 consultants have asked us to establish our Virtual servers on different IPs due to some constraints on F5 LTM that you cannot have more than one pool member with the same IP. So we tried multihoming on our cluster (to use more than one NIC with different IP addresses and bind each Weblogic Virtual Server to each one of them) but later we found out that multihoming causes issues with the Weblogic internal messaging system. What we are currently looking at is to have one IP per machine and run our Virtual Servers on different ports. But it seems it causes issues for F5 in configuration. How can we deal with this? Does anyone have any ideas? So far, I've found two solutions: IP teaming and reverse proxy; we are still investigating these two but due to some project constraints we might not be able to proceed with them. I wanted to know if there is something inside F5 (like an iRule) to direct the requests to different VIP/Ports. Let me know if "any" ideas on "any" layers came into your mind!

Oracle Weblogic with F5 issue, Jsession your session has expired
What can be done to resolve an issue on an Oracle WebLogic VIP which offloads SSL? The page loads and a "YOUR SESSION HAS EXPIRED" message pops up, and the page redirects back to the login page. When the backend servers are called directly, no such error is encountered. I already deployed an iApp for this, and it didn't solve the issue.

Oracle WebLogic Server
F5 and Oracle have long collaborated on delivering market-leading application delivery solutions for WebLogic Server. F5 has designed an integrated, agile, and adaptable network platform for delivering WebLogic applications across the LAN and WAN, and packaged this information in our deployment guides and iApp templates. The result is an intelligent and powerful solution that secures and speeds your WebLogic deployment today, while providing an optimized architecture for the future. The following simple, logical configuration example shows one of the ways you can configure the BIG-IP system for Oracle WebLogic Servers using BIG-IP AAM technology to speed traffic across the WAN. See https://f5.com/solutions/deployment-guides to find the appropriate deployment guide for quickly and accurately configuring the BIG-IP system for Oracle WebLogic Server. If you have any feedback on these or other F5 guides or iApp templates, leave it in the comment section below or email us at solutionsfeedback@f5.com. We use your feedback to help shape our new iApps and deployment guides.

WebLogic universal persistence - multiple (JSESSIONID) cookie names
Hello experts, we have a customer which uses a Java Web-Application hosted on WebLogic middleware. In the past this was quite simple, we used this iRule for managing the universal persistence:

    when HTTP_REQUEST {
        if { [HTTP::cookie "JSESSIONID"] ne "" } {
            persist uie [string tolower [HTTP::cookie "JSESSIONID"]] 300
        } else {
            # URL-rewritten session id: skip the 11 characters of "jsessionid="
            set jsess [findstr [string tolower [HTTP::path]] "jsessionid=" 11]
            if { $jsess != "" } {
                persist uie $jsess 300
            }
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::cookie "JSESSIONID"] ne "" } {
            persist add uie [string tolower [HTTP::cookie "JSESSIONID"]] 300
        }
    }

This worked ever fine. But now the customer has multiple Java Web-Applications configured in WebLogic, each of them using separate cookie names. So JSESSIONID (as before), but also new JSESSIONIDA, JSESSIONIDB and JSESSIONIDC. All must be served over one load balancer virtual server, so we have to manage the complexity in the iRule on the F5. Note: We can use the same selected node for one client, but also a separate one per cookie name, so per application to another selected node in the backend - this is not relevant. This is what I think should work, but it doesn't. Please don't blame me regarding efficiency, I know it is worse. (But I am no iRule expert.) Pure functionality is Prio-1 for us.

    when HTTP_REQUEST {
        if { [HTTP::cookie "JSESSIONID"] ne "" } {
            persist uie [string tolower [HTTP::cookie "JSESSIONID"]] 300
        } elseif { [HTTP::cookie "JSESSIONIDA"] ne "" } {
            persist uie [string tolower [HTTP::cookie "JSESSIONIDA"]] 300
        } elseif { [HTTP::cookie "JSESSIONIDB"] ne "" } {
            persist uie [string tolower [HTTP::cookie "JSESSIONIDB"]] 300
        } elseif { [HTTP::cookie "JSESSIONIDC"] ne "" } {
            persist uie [string tolower [HTTP::cookie "JSESSIONIDC"]] 300
        } else {
            # URL-rewritten session ids: the skip count must equal the length of
            # the "name=" prefix (11 for "jsessionid=", 12 for "jsessionida=" etc.)
            # and the "=" must be part of the search string, otherwise the value
            # returned still starts inside the name.
            set jsess [findstr [string tolower [HTTP::path]] "jsessionid=" 11]
            if { $jsess != "" } {
                persist uie $jsess 300
            } else {
                set jsess [findstr [string tolower [HTTP::path]] "jsessionida=" 12]
                if { $jsess != "" } {
                    persist uie $jsess 300
                } else {
                    set jsess [findstr [string tolower [HTTP::path]] "jsessionidb=" 12]
                    if { $jsess != "" } {
                        persist uie $jsess 300
                    } else {
                        set jsess [findstr [string tolower [HTTP::path]] "jsessionidc=" 12]
                        if { $jsess != "" } {
                            persist uie $jsess 300
                        }
                    }
                }
            }
        }
    }
    when HTTP_RESPONSE {
        # Learn the persistence entry from whichever Set-Cookie the application emits
        if { [HTTP::cookie "JSESSIONID"] ne "" } {
            persist add uie [string tolower [HTTP::cookie "JSESSIONID"]] 300
        }
        if { [HTTP::cookie "JSESSIONIDA"] ne "" } {
            persist add uie [string tolower [HTTP::cookie "JSESSIONIDA"]] 300
        }
        if { [HTTP::cookie "JSESSIONIDB"] ne "" } {
            persist add uie [string tolower [HTTP::cookie "JSESSIONIDB"]] 300
        }
        if { [HTTP::cookie "JSESSIONIDC"] ne "" } {
            persist add uie [string tolower [HTTP::cookie "JSESSIONIDC"]] 300
        }
    }

I would like to thank you in advance for any hint on my problem here...

VIP is not accessible but direct servers are reachable
I have a scenario where the VIP is not reachable but the pool members are reachable. My virtual server is 10.1.130.100:5003, my pool members are 10.1.130.83:5003, 10.1.130.85:5003, 10.1.130.87:5003 and 10.1.130.89:5003. I created an iApp based on Weblogic for it; I have AUTOMAP enabled but the application owners insist they can't access the VIP, but can access the individual pool members directly. What is the solution to this?