Cybersecurity researchers on Friday published a post warning enterprises of an unpatched, highly critical zero-day flaw in the Oracle WebLogic Server application that some attackers might already have started exploiting in the wild.
Oracle WebLogic is a scalable, Java-based multi-tier enterprise application server that lets companies quickly deploy new products and services in the cloud. It is widely used in both cloud and traditional environments.
Oracle WebLogic reportedly contains a critical deserialization remote code execution vulnerability that affects all versions of the software and can be triggered if the "wls9_async_response.war" and "wls-wsat.war" components are enabled.
The flaw, reported by researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on affected servers simply by sending a specially crafted HTTP request, without requiring any authorization.
"Since the WAR package has a defect in deserializing the input information, the attacker can obtain the authority of the target server by sending a carefully constructed malicious HTTP request, and execute the command remotely without authorization," explains the Chinese National Information Security Vulnerability Sharing Platform (CNVD).
The researchers also shared details of the zero-day vulnerability, tracked as CNVD-C-2019-48814, with Oracle's team, but the company has not yet released a patch. The affected Oracle WebLogic versions are as follows:
- WebLogic 10.X
- WebLogic 12.1.3
According to the ZoomEye cyberspace search engine, more than 36,000 WebLogic servers are publicly accessible on the Internet, though it is unknown how many of them have the vulnerable components enabled.
The largest number of Oracle WebLogic servers are deployed in the United States and China, with smaller numbers in Iran, Germany, India, and elsewhere.
Since Oracle releases security updates every three months and already released a Critical Patch Update this month, this zero-day is unlikely to be patched anytime soon (i.e., not before July) unless the company decides to roll out an out-of-band security update.
So, until the company releases an update that patches the vulnerability, server administrators are strongly advised to protect their systems from exploitation by applying either of the following two workarounds:
- Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service, or
- Block access to the /_async/* and /wls-wsat/* URL paths via access policy control.
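As an added example (not code from the article, CNVD or Oracle) of how an administrator can verify both workarounds, the Python below filters a list of deployed file paths for the two WAR components and scans reverse-proxy access logs for requests that reach the /_async/ and /wls-wsat/ paths, normalizing each path so percent-encoding, doubled slashes or dot segments do not slip past the prefix rule. The log lines, client addresses and servlet names in the sample are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# The two components the advisory names; either present on disk means the
# deserialization endpoint may be reachable.
VULNERABLE_WARS = {"wls9_async_response.war", "wls-wsat.war"}
# URL prefixes the advisory recommends blocking with access-policy control.
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")

# Combined-log-format line, e.g. from a reverse proxy in front of WebLogic.
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize_path(target):
    """Strip query/fragment, percent-decode, collapse slashes, resolve dot segments."""
    path = unquote(target.split("#", 1)[0].split("?", 1)[0])
    segments = []
    for seg in re.sub(r"/+", "/", path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)

def targets_vulnerable_endpoint(target):
    path = normalize_path(target)
    return any(path == p.rstrip("/") or path.startswith(p) for p in BLOCKED_PREFIXES)

def flag_requests(log_lines):
    """Return (ip, method, normalized path, status) for requests to the vulnerable
    endpoints; a 2xx hit after the block rule is deployed means it is not in effect."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and targets_vulnerable_endpoint(m["target"]):
            hits.append((m["ip"], m["method"], normalize_path(m["target"]), int(m["status"])))
    return hits

def find_vulnerable_wars(paths):
    """Filter an iterable of file paths (e.g. from os.walk) down to the two WARs."""
    return sorted(p for p in paths if os.path.basename(p).lower() in VULNERABLE_WARS)

# Constructed sample lines, not real traffic (documentation IP ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2019:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '198.51.100.7 - - [26/Apr/2019:10:00:02 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '198.51.100.7 - - [26/Apr/2019:10:00:03 +0000] "POST /foo/..//wls-wsat/CoordinatorPortType HTTP/1.1" 500 512',
    '203.0.113.9 - - [26/Apr/2019:10:00:04 +0000] "GET /%5Fasync/?x=1 HTTP/1.1" 403 0',
]
```

Running `flag_requests(SAMPLE_LOG)` reports the three requests that reach the vulnerable prefixes and skips the console login; feed `find_vulnerable_wars` the file list from a walk of the WebLogic install and domain directories to confirm the WARs are really gone after the restart.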
Since Oracle WebLogic servers are a frequent target of attackers, it would be no surprise if attackers have already started exploiting this zero-day and are using vulnerable servers for their malicious purposes.