Several security companies have detected scans over the past week that look for Oracle WebLogic servers vulnerable to a flaw that hasn’t yet been patched, possibly in preparation for malicious attacks. The vulnerability is a deserialization bug that can lead to remote code execution, but it’s located in a specific package called wls9_async_response that’s not included by default in all WebLogic server builds. Therefore, attackers are likely running these probes to first identify servers with this component enabled that they can later attack.
The first to report the unpatched — zero-day — vulnerability were researchers from a China-based company called KnownSec. However, their post on Medium remained largely unnoticed until researchers from other companies like F5 Networks and Waratek also issued alerts.
According to an analysis by the SANS Internet Storm Center (ISC), this might not actually be an entirely new vulnerability, but a new method of bypassing protections put in place last year by Oracle for an older flaw. The CVE number for this is CVE-2018-2628, which was identified as patched last year, ISC handler Rob VandenBrink said in a blog post. “However, the POC [proof-of-concept exploit] mentioned was against a patched server, so I guess the patch isn’t complete – nor can it be given Oracle’s approach against this issue.”
In programming, serialization is the process of converting data to a binary format for safe transmission over the network. When an application receives such data, it converts it back into its original form — a process known as deserialization.
The parsing of untrusted user-controlled input has historically been one of the primary causes of vulnerabilities in applications and deserialization is not different because attackers can generate maliciously crafted serialized input to be processed by an application.
It seems that Oracle took a blacklist approach to fix this issue in the past, which relies on blocking potentially dangerous commands. However, vulnerability fixes that rely on blacklists are rarely permanent because attackers can find ways to bypass those restrictions, and this has happened with WebLogic fixes in the past.
Earlier this month, Oracle released its quarterly batch of security patches so another one is not expected for another three months. It’s not clear if the company plans to issue an out-of-band fix for this flaw and it hasn’t yet publicly confirmed the issue.
Oracle WebLogic is a Java application server and it’s used by many businesses to build and deploy enterprise applications. Its popularity and widespread use has made it a target in the past.
An older XML data deserialization vulnerability in Oracle WebLogic, tracked as CVE-2017-10271, has been used in the past to compromise enterprise servers and install cryptocurrency mining malware on them. However, the applications that typically run on these servers also contain business-sensitive data so such exploits could also result in serious data breaches.
According to SANS ISC, until a patch is released server administrators can either restrict access to the Z/_async/* and /wls-wsat/* paths on their servers or they can delete the wls9_async_response.war component.