Service Notices
Warning for the Deserialization Remote Code Execution Vulnerability in the Oracle WebLogic wls9-async Component
Apr 26, 2019 GMT+08:00
I. Overview
Recently, a deserialization remote code execution vulnerability in the Oracle WebLogic wls9-async component (CNVD-C-2019-48814) was published by the China National Vulnerability Database (CNVD). An attacker can exploit this vulnerability to execute arbitrary code remotely without authorization. As of April 27, Oracle had released a security alert and a patch for this vulnerability (CVE-2019-2725).
HUAWEI CLOUD hereby reminds tenants to check their systems and apply security hardening.
Reference links:
http://www.cnvd.org.cn/webinfo/show/4999
https://support.oracle.com/rs?type=doc&id=2535708.1
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Oracle WebLogic Server 10.X
Oracle WebLogic Server 12.1.3
IV. Workarounds
The official patch is available at: https://support.oracle.com/rs?type=doc&id=2535708.1
Other workarounds:
Affected tenants can also use either of the following workarounds for security hardening, provided that doing so does not interrupt their services:
1. Search for and delete the affected components, wls9_async_response.war and wls-wsat.war, and restart the WebLogic service.
2. Enable access control to block requests whose URL contains /_async/* or /wls-wsat/*. Currently, the Precise Protection feature of HUAWEI CLOUD WAF can defend against attacks exploiting this vulnerability.
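As an added illustration of workaround 2 (this is example code, not part of the notice and not HUAWEI CLOUD WAF's implementation), the following request filter normalizes a URL path before matching it against the two context roots named above, so that encoded or dot-segment variants of the same path are still caught, and then applies the same check to a few constructed access-log lines. The endpoint names in the sample log are placeholders, not real WebLogic services.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Context roots named in workaround 2 of the notice.
BLOCKED_ROOTS = frozenset({"_async", "wls-wsat"})

def normalize_segments(raw_target: str) -> List[str]:
    """Split a request target into canonical, lower-cased path segments.

    The query string is dropped, percent-encoding is decoded repeatedly
    (bounded, so double-encoded '%252F'-style variants are resolved),
    empty and '.' segments are discarded and '..' pops the previous one,
    so '/app/..%2F_Async//x' yields ['_async', 'x'].
    """
    path = raw_target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments: List[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg.lower())
    return segments

def should_block(raw_target: str) -> bool:
    """True when any normalized path segment is one of the blocked roots.

    Matching every segment (not only the first) follows the notice's
    "URLs containing" wording; lower-casing is a conservative assumption.
    """
    return any(seg in BLOCKED_ROOTS for seg in normalize_segments(raw_target))

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Apr/2019:10:00:01 +0000] "POST /_async/example HTTP/1.1" 200 512
192.0.2.11 - - [26/Apr/2019:10:00:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
192.0.2.12 - - [26/Apr/2019:10:00:03 +0000] "POST /wls-wsat/example HTTP/1.1" 500 128
192.0.2.13 - - [26/Apr/2019:10:00:04 +0000] "POST /app/..%2F_async/example HTTP/1.1" 200 512
"""

_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def flag_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for each log line hitting a blocked root."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if m and should_block(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits
```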