[Updated] New WebLogic Zero-Day RCE Vulnerability

By April 24, 2019 May 22nd, 2019 Alerts, Legacy, Patching, Technical, Zero Day

WebLogic

[Update May 22, 2019]

Last month, we issued a security advisory to all Wararek customers regarding a critical vulnerability in Oracle’s WebLogic servers (CVE-2019-2725). Oracle issued a security alert strongly advising all customers apply the updates provided as soon as possible, listing affected version as 10.3.6.0, 12.1.3.0.

This updated communication is to advise that the Waratek research team has verified that older versions of WebLogic, not listed in the Oracle Security Alert, still contain the RCE vulnerability reported in CVE-2019-2725. We have tested and verified the presence of the vulnerability in at least 2 version previous to 10.3.6.0 and 12.1.3.0. Our remediation advice remains unchanged and WebLogic users should take steps to protect their systems. Waratek’s original remediation guidance is below for reference. Waratek customers can contact their account manager or info@waratek.com if they have any questions. 

[Update April 28, 2019]

Following up on Waratek’s guidance issued on April 24, 2019, Oracle has officially confirmed the zero-day deserialization remote command execution vulnerability originally reported publicly by researchers at KnownSec 404. This critical vulnerability (CVE-2019-2725 with CVSS score of 9.8) affects all WebLogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.

Oracle issued a security alert on Friday, April 26, 2019 strongly advising all customers apply the updates provided by this Security Alert as soon as possible. The patch that Oracle’s Security Alert Program has made available is only provided for product versions that are covered under the Premier Support or Extended Support phases of Oracle’s Lifetime Support Policy.

Waratek advises all WebLogic users to be aware of the following points as they pertain Oracle’s available remediation for CVE-2019-2725:

  • Oracle’s patch is available only for certain support tiers, please see linked Oracle policy above.
  • The Oracle patch only fixes versions 10.3.6 or 12.1.3 of WebLogic; users on older versions must upgrade to apply the security alert patch for CVE-2019-2725
  • All servers must be current on the latest PSUs
Immediate Action is Necessary

It has been reported that this critical vulnerability is under active exploit, we urge all WebLogic users to take steps to remediate as soon as possible. It should also be noted that a successful attack could lead to a full compromise of the WebLogic server.

Waratek’s Customers Are Already Protected
  • Existing Waratek Secure and Waratek Enterprise customers who have enabled the deserial zero-day (CWE-502) rule in protect mode, are already protected. No further action is required.
  • Existing Waratek Patch customers who have enabled the Process Forking ARMR rule in protection mode, are already protected.
  • Waratek’s ARMR platform provides complete remediation to this zero-day critical vulnerability and therefore, Waratek customers do not have to apply Oracle’s hot fix for CVE-2019-2752 with urgency.
  • Non-Waratek customers who are affected by this Oracle WebLogic vulnerability and are interested in instant protection outside of Oracle’s support parameters, as well as those using inefficient solutions based on pattern matching and signatures, should contact Waratek at info@waratek.com.

[Original Guidance, posted April 24, 2019]

We’ve been alerted to a potential WebLogic zero-day from a credible source. According to the reports, Oracle WebLogic wls9_async and wls-wsat components trigger a deserialization remote command execution vulnerability. This vulnerability affects all WebLogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.

At this point the vulnerability has not been fixed by the supplier.

Waratek Customer Advice

  • Existing Waratek Secure and Waratek Enterprise customers who have enabled the deserial zero-day (CWE-502) rule in protect mode, are already protected against this new zero-day. No further action is required.
  • Existing Waratek Patch customers who have enabled the Process Forking ARMR rule in protection mode, are already protected against this new zero-day.

Non-Waratek customers who are affected by this new Oracle WebLogic 0-day and are interested in instant protection without depending on the vendor’s patch availability, as well as those using inefficient solutions based on pattern matching and signatures, should contact Waratek at info@waratek.com.


About Waratek

Waratek is an award-winning pioneer in the next generation of application security solutions. Using patented runtime protection technology, Waratek makes it easy for teams to secure business critical applications and securely extend the life of their legacy applications. We provide some of the world’s largest brands with:

  • Instant patching of known software flaws with Runtime Virtual Patches
  • Protecting applications from known and unknown attack vectors such as the OWASP Top Ten and SANS Top 25
  • Virtually upgrading out-of-support Java applications and platforms to the most current version without rewriting the app
print
Waratek

Author Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.

More posts by Waratek
X