Plan to update ASAP for critical vulnerability in Oracle WebLogic
This information was sent via email to U-M IT staff groups on April 26, 2019. It is intended for U-M IT staff who are responsible for Oracle WebLogic application servers. Oracle WebLogic is an application server used for building and hosting Java-EE applications.
Summary
A highly critical vulnerability has been discovered in Oracle WebLogic application servers running the WLS9_ASYNC and WLS-WSAT components. Oracle WebLogic is an application server used for building and hosting Java-EE applications. This remote code execution vulnerability is exploitable without authentication, and attackers are actively exploiting it in the wild. Server administrators should apply updates as soon as they are available. In the meantime, server administrators can remove the WLS9_ASYNC and WLS-WSAT components or implement temporary work-arounds to prevent requests being made to two URL paths exploited by the attacks.
Problem
Successful exploitation of this vulnerability could result in remote code execution within the context of the application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Threats
This remote code execution vulnerability is exploitable without authentication, and attackers are actively exploiting it in the wild. Exploitation of the vulnerability in the two components can trigger the deserialization of malicious code that allows a hacker to take over the targeted system.
Affected Versions
All versions of Oracle WebLogic with WLS9_ASYNC and WLS-WSAT components enabled.
Action Items
Implement work-arounds until updates are available:
- Remove the WLS9_ASYNC and WLS-WSAT components and restart your WebLogic servers
OR
- Implement work-arounds to prevent requests being made to the two URL paths exploited by the attacks (/_async/* and /wls-wsat/*).
Apply updates as soon as they are available:
- Due to the severity of this vulnerability, Oracle strongly recommends that customers apply updates as soon as possible.
- Oracle updates could be available as soon as Monday, April 29, but Oracle has not yet announced a specific release date.
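To check whether requests to the two URL paths named above are still being served, the following added example (not part of the original notice or any Oracle tooling) scans an access log for them after normalizing each request path. The Common/Combined Log Format layout, the sample lines, the case-insensitive matching, and the reading of 403/404 as "blocked or removed" are assumptions.

```python
import re
from urllib.parse import unquote

# The two URL paths named in the advisory's work-around.
WATCHED = ("/_async", "/wls-wsat")
# Assumption: Common/Combined Log Format access log from the front end.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Apr/2019:10:00:01 -0400] "GET /app/index.jsp HTTP/1.1" 200 1234
198.51.100.7 - - [26/Apr/2019:10:00:05 -0400] "POST /_async/svc HTTP/1.1" 202 0
203.0.113.5 - - [26/Apr/2019:10:00:09 -0400] "POST /%5Fasync/svc HTTP/1.1" 403 199
203.0.113.5 - - [26/Apr/2019:10:00:12 -0400] "GET //WLS-WSAT;x=1/svc?wsdl HTTP/1.1" 404 0
192.0.2.10 - - [26/Apr/2019:10:00:20 -0400] "GET /app/../wls-wsat/svc HTTP/1.1" 200 512
192.0.2.10 - - [26/Apr/2019:10:00:31 -0400] "GET /docs/_async-notes.html HTTP/1.1" 200 100
""".splitlines()

def canonical_path(target):
    """Reduce a request target to a normalized, lower-cased path."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):                  # decode twice to catch double encoding
        path = unquote(path)
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # drop path parameters
        if seg in ("", "."):            # collapse empty and "." segments
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out).lower()

def is_watched(path):
    return any(path == p or path.startswith(p + "/") for p in WATCHED)

def scan(lines):
    """Return one record per request to a watched path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_watched(canonical_path(m["target"])):
            # Assumption: 403/404 means blocked or component removed.
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "path": canonical_path(m["target"]),
                         "served": m["status"] not in ("403", "404")})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("SERVED " if h["served"] else "blocked", h["ip"], h["ts"], h["path"])
```

Any record with `served` set to true indicates the work-around is not taking effect for that request and the server should be reviewed.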
Technical Details
A vulnerability has been discovered in Oracle WebLogic that could allow for remote code execution. This vulnerability exists within the WLS9_ASYNC and WLS-WSAT components of WebLogic, which can allow for deserialization of malicious code. An unauthenticated attacker can exploit this issue by sending specially crafted malicious HTTP requests to the affected application. Successful exploitation of this vulnerability could allow for remote code execution with elevated privileges.
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA is working closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. We have confirmed that ITS-managed PeopleSoft systems are not affected by this vulnerability.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
This vulnerability only affects servers (Oracle WebLogic application servers). It does not affect personal computers, workstations, laptops, and mobile devices. Users do not need to take any action because of this vulnerability.
References
- Oracle Security Alert Advisory - CVE-2019-2725 (Oracle, 4/26/90)
- Oracle WebLogic affected by "highly critical" Zero-Day flaw (Computing, 4/26/19)
- New Oracle WebLogic zero-day discovered in the wild (ZDNet, 4/25/19)
- 'Highly Critical' Unpatched Zero-Day Flaw Discovered In Oracle WebLogic (The Hacker News, 4/25/19)
- Researchers flag new Oracle WebLogic zero-day RCE flaw (Help Net Security, 4/25/19)
- Unpatched Vulnerability Alert - WebLogic Zero Day (SANS ISC InfoSec Forums, 4/25/19)
- Zero-Day Vulnerability in Oracle WebLogic Servers (Information Security Newspaper, 4/25/19)