Service Notices
Security Warning on the Deserialization Remote Command Execution Vulnerability in the Oracle WebLogic wls9-async Component
Jun 27, 2019 GMT+08:00
I. Overview
Recently, a deserialization RCE vulnerability (CVE-2019-2725) in Oracle WebLogic Server was disclosed. This vulnerability bypasses the latest patch for Oracle WebLogic Server. Unauthenticated attackers may exploit it by sending carefully crafted malicious HTTP requests to gain access to servers and execute commands remotely. No official patch has been released, and no further details about the vulnerability have been disclosed.
HUAWEI CLOUD hereby reminds tenants to perform system checks and security hardening.
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Oracle WebLogic Server 10.3.6
Oracle WebLogic Server 12.1.3
IV. Workarounds
So far, Oracle has not released a patch to fix the vulnerability. Affected tenants can perform security hardening without interrupting services by using either of the following workarounds:
1. Search for and delete the affected components, wls9_async_response.war and wls-wsat.war, and restart the WebLogic service.
2. Enable access control to block requests to URLs containing /_async/* or /wls-wsat/*. Currently, the Precise Protection feature of HUAWEI CLOUD WAF can defend against attacks exploiting this vulnerability.
Note: Before fixing vulnerabilities, back up your files and test thoroughly. Please follow the latest news and official patches for this vulnerability, as HUAWEI CLOUD will do.
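As an added example (not part of this advisory, and not Oracle's or HUAWEI CLOUD's own tooling), the POSIX shell script below checks a WebLogic installation for the two affected components named in workaround 1 and counts access-log requests to the paths workaround 2 says to block. The directory layout and log lines it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find the affected WAR components (workaround 1) and count
# access-log requests to the paths the advisory says to block (workaround 2).
# Assumes POSIX sh, the WebLogic root as argument, a common-log-format log.

AFFECTED_WARS="wls9_async_response.war wls-wsat.war"
BLOCKED_PREFIXES="/_async/ /wls-wsat/"

# Print the path of every affected WAR found under the given directory.
find_affected_components() {
    for war in $AFFECTED_WARS; do
        find "$1" -type f -name "$war" 2>/dev/null
    done
}

# Exit 0 if the request path starts with a prefix to block, 1 otherwise.
is_blocked_path() {
    for prefix in $BLOCKED_PREFIXES; do
        case "$1" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# Count log lines whose request path (field 7 in common log format) hits a
# blocked prefix, so a defender can see whether the endpoints are being probed.
count_blocked_requests() {
    log=$1; n=0
    while IFS= read -r line; do
        set -- $line
        is_blocked_path "$7" && n=$((n + 1))
    done < "$log"
    echo "$n"
}

# Demonstration on constructed data (not real files or traffic).
tmp=$(mktemp -d)
mkdir -p "$tmp/wlserver/server/lib"
: > "$tmp/wlserver/server/lib/wls9_async_response.war"
: > "$tmp/wlserver/server/lib/wls-wsat.war"
printf '%s\n' \
  '10.0.0.5 - - [27/Jun/2019:10:00:01 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 500 123' \
  '10.0.0.5 - - [27/Jun/2019:10:00:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 123' \
  '10.0.0.9 - - [27/Jun/2019:10:00:03 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 456' \
  > "$tmp/access.log"
find_affected_components "$tmp"
echo "blocked-path requests: $(count_blocked_requests "$tmp/access.log")"
rm -rf "$tmp"
```

Run it against the real WebLogic root and access log after the workaround is applied: the component search should print nothing, and any non-zero request count shows the access-control rule is still needed.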