Oracle WebLogic Server
F5 and Oracle have long collaborated on delivering market-leading application delivery solutions for WebLogic Server. F5 has designed an integrated, agile, and adaptable network platform for delivering WebLogic applications across the LAN and WAN, and packaged this information in our deployment guides and iApp templates. The result is an intelligent and powerful solution that secures and speeds your WebLogic deployment today, while providing an optimized architecture for the future. The following simple, logical configuration example shows one of the ways you can configure the BIG-IP system for Oracle WebLogic Servers using BIG-IP AAM technology to speed traffic across the WAN. See https://f5.com/solutions/deployment-guidesto find the appropriate deployment guide for quickly and accurately configuring the BIG-IP system for Oracle WebLogic Server. If you have any feedback on these or other F5 guides or iApp templates, leave it in the comment section below or email us at solutionsfeedback@f5.com. We use your feedback to help shape our new iApps and deployment guides.
Oracle WebLogic Remote Code Execution (CVE-2019-2729)
Recently an additional method was found to bypass the recent patch (CVE-2019-2725) for unsafe deserialization in “wls9_async_response” component of Oracle WebLogic. The vulnerability allows attackers to send a malicious XML payload to an endpoint residing in this component which will be deserialized by Java XMLDecoder into Java objects. This is the fourth time researchers are finding their way around Oracle attempts to patch such vulnerabilities in this specific component - CVE-2017-3506, CVE-2017-10271, CVE-2019-2725 and now CVE-2019-2729. In each of the previously patched vulnerabilities Oracle’s approach was to use a blacklist approach – searching for certain XML tags in the received XML document that could allow attackers to execute code. The exploitation of this vulnerability is targeting older JDK version (1.6) where the implementation of XMLDecoder is slightly different. In order to avoid using the “class” tag, which was blacklisted by Oracle in the recent patch, attackers could take advantage of the fact that older versions of XMLDecoder support the “method” attribute for a tag. Now all the attacker needs to do is passing an “array” tag with a “method” attribute containing the “forName” method, which returns a Class object for a given name, thus making it equivalent to directly passing “class” tag as in the original exploit. Figure 1: CVE-2019-2725 exploit payload compared to CVE-2019-2729 Mitigating the vulnerability with BIG-IP ASM As the exploitation of the vulnerability relies on the same Java deserialization gadgets as were used in the exploitation of CVE-2019-2725 BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type or “Java Servlets/JSP” System. Figure 2: Exploitation attempt detected by signature id 200004756 Additional References https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15 https://meterpreter.org/weblogic-rce-vulnerability-cve-2019-2725-patch-bypassed/Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)
In October 2017 Oracle have published a vulnerability concerning Oracle WebLogic and assigned CVE-2017-10271 to it. Since then no public information regarding this vulnerability was availableuntil a few days ago, when an analysis of the vulnerability and a Proof-of-Concept exploit were published. The vulnerability stems from an unsafe XML deserialization using Java XMLDecoder in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic. Attackers may send a crafted XML document to the aforementioned web service which will cause WebLogic to deserialize it and consequently allow an attacker to construct arbitraryJava objects and invoke their methods resulting inremote code execution. Figure 1: Part of the request exploiting the vulnerability. Mitigating the vulnerability with BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this 0-day vulnerability, as the exploitation attempt will be detected by an existing Javacode injection attack signature (200004174) which can be found in signature sets that include “Server Side Code Injection” attack type or “Java Servlets/JSP” System. Figure 2: Exploitation attempt blocked by signature id 200004174. We will be also releasing a dedicated signature in the upcoming ASM Security Update.
