WebLogic Zero Day - Deserialization Vulnerabilities

On April 25, 2019 security researchers from KnownSec 404 discovered a zero-day vulnerability affecting versions 10.3.6.0 and 12.1.3.0 of Oracle’s popular WebLogic application (CVE-2019-2725). Oracle WebLogic is an application used to deploy enterprise Java EE applications, and it is common to see this application outwardly facing to the internet. The vulnerability resides within the wls9_async_response.war and wls-wsat.war components of WebLogic. These components are insecure due to a critical deserialization vulnerability that can be used to trigger remote code execution on an affected host. Remote code execution caused by this vulnerability can be performed by an attacker without prior authentication to the application. This means that all internet-facing and unpatched instances of Oracle WebLogic are vulnerable to attack. Since the announcement of this vulnerability, it has been actively exploited across the internet and is even being used to spread ransomware. Whenever powerful new vulnerabilities emerge, it is common to find new strains of malware developed specifically to work in conjunction with them. This WebLogic zero day has spawned a new piece of ransomware called Sodinokibi, which utilizes PowerShell to download and run the ransomware executable after the initial WebLogic exploit executes. Additionally, a new variation of the Muhstik botnet which performs DDoS and cryptojacking attacks has been identified in the wild, living off of vulnerable WebLogic servers. The severity of this vulnerability is amplified by the number of WebLogic applications that are exposed to the internet and could potentially be vulnerable. According to Zoomeye.org there were over 36,000 internet facing WebLogic servers at the time this vulnerability was announced, and almost a month later there are still over 32,000 WebLogic servers. If your organization uses hosts application on WebLogic, whether public or internal, it is highly advised to apply the appropriate patch as soon as possible. Given the long history of deserialization vulnerabilities in Java-based platforms including Oracle WebLogic, a long-term solution would be to develop and implement vulnerability and patch management processes specific to Oracle WebLogic and similar technologies. For more information, questions about this article, or inquiries about OCD Tech services, please contact us.

WebLogic Zero Day – Mr. Smith’s Hacker Insights

Recommended Mitigations

About Matthew Smith

Find us on

WebLogic Zero Day – Mr. Smith’s Hacker Insights

Recommended Mitigations

About Matthew Smith

You also might be interested in

Kerberoasting – Mr. Smith’s Hacker Insights

Top 5 Vulnerability Assessment Observations

Scraping Social Security Numbers on the Web

Find us on