Enterprise organizations have built much of their foundations on Oracle’s WebLogic servers. As ubiquitous as they are, it’s no wonder that they are often the target of sophisticated attacks aimed at harvesting sensitive data.
It’s no surprise that large companies were panicked when news of a zero-day vulnerability (CVE-2019-2725) was announced in WebLogic application servers. The remote code execution vulnerability didn’t require authentication and could result in a complete system compromise. But while word spread about the new threat, hackers were already working on an exploit. The day after Oracle released a critical patch for its premium customers, WebLogic servers were already seeing their first ransomware attacks.
So, what exactly is this zero-day vulnerability, and why has it been so attractive to attackers? To answer that, we need to take a look at serialization, or rather its darker side: deserialization.