Aperçu
Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0 contain an unauthenticated remote code execution vulnerability in Web Services due to insufficient access controls. This critical vulnerability allows attackers to execute arbitrary code on affected systems without authentication, requiring only network access via HTTP. La vulnérabilité a été divulguée le April 26, 2019. CISA a identifié CVE-2019-2725 comme étant exploitée et est connue pour être utilisée dans des campagnes de rançongiciel.
Détails techniques
Oracle WebLogic Server contains a critical vulnerability in its Web Services component that allows unauthenticated remote code execution. The vulnerability exists in the async Web Services handler, which improperly deserializes untrusted data. An attacker can exploit this by sending a crafted HTTP request to the WebLogic Server, bypassing authentication mechanisms and executing arbitrary code with the privileges of the WebLogic Server process. The vulnerability stems from unsafe deserialization of Java objects in the T3 protocol and related WebServices endpoints.
La vulnérabilité est classifiée comme CWE-502 (Deserialization of Untrusted Data) , CWE-276 (Incorrect Default Permissions) etCWE-284 (Improper Access Control) .
La vulnérabilité a reçu un score de base CVSS v3.1 de 9.8 (CRITICAL) avec la chaîne vectorielle CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indiquant sa nature critical.
Impact
An unauthenticated attacker can execute arbitrary code on the affected WebLogic Server with the same privileges as the WebLogic process. This allows complete compromise of the server, including data theft, system manipulation, installation of malware/backdoors, lateral movement within the network, and denial of service. Given the critical nature and ease of exploitation (no authentication required, low complexity), this vulnerability poses severe risks to organizations running vulnerable versions.
Mitigation et contournements
Apply Oracle Critical Patch Update (CPU) released April 16, 2019 or later. Download the appropriate patch from Oracle's support portal based on your WebLogic Server version. Follow Oracle's patching procedures for WebLogic Server, which typically involve: 1) Backup current WebLogic installation, 2) Download and extract patch, 3) Run patch installation script, 4) Restart WebLogic servers. Les versions suivantes incluent les correctifs nécessaires : Oracle WebLogic Server 10.3.6.0.1 or later, Oracle WebLogic Server 12.1.3.0.1 or later, Oracle WebLogic Server 12.2.1.3 or later, Oracle WebLogic Server 14.1.1 or later.
Comme contournements temporaires : disable web services if not required by your application; restrict network access to weblogic server ports (default 7001/7002) using firewall rules, limiting access to trusted networks only; deploy weblogic server behind a reverse proxy or waf with strict access controls, et disable the vulnerable async web services handler if feasible.
Recommandation de CISA : Apply updates per vendor instructions.
Ressources additionnelles
Source : Ce rapport a été généré par IA
