Oracle WebLogic Server 10.3.6.0 and several later releases contain a deserialization vulnerability that an unauthenticated, remote attacker can exploit over the T3 protocol. Gadget objects embedded in serialized WebLogic ClassTableEntry objects are deserialized because the server's filtering of incoming serialized data is insufficient.
The exploit proceeds in stages:
1. The attacker sends a serialized Java object to the vulnerable server over T3. When deserialized, the object makes a Remote Method Invocation (RMI) request to a server controlled by the attacker.
2. Alternatively, the attacker sends a serialized Java object that executes its payload directly when deserialized, skipping stages 3 and 4.
3. The vulnerable server deserializes the object, which in turn sends an RMI request to invoke a method on the attacker-controlled server.
4. The method executed on the attacker-controlled server returns a gadget as Java serialized block data that executes the attacker's payload when the vulnerable server deserializes it during garbage collection.
5. The vulnerable server replies to the attacker with an error and a stack trace showing a casting error, which is the expected by-product of successful deserialization and exploitation (and a useful artifact for detection and forensics).
The attacker needs only network access to the server's T3 listener, which by default is served on the same listen port (7001) as the WLS administration console. No authentication is required.
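Because the attack needs nothing more than a reachable T3 listener, the first thing to check is which hosts actually expose one. The following Python script is an added example (not Alert Logic's or Oracle's code) that sends the greeting a WebLogic client uses to open a T3 session and parses the HELO reply, which carries the server's version string. The exact greeting bytes and reply layout are assumptions based on how T3 clients open a session; the sample replies are constructed, not captured from a real server.

```python
"""Probe a host for an exposed WebLogic T3 listener and report the version it
advertises.  Added example, not Alert Logic's or Oracle's code; the greeting
and reply format below are assumptions about the T3 session handshake."""
import re
import socket
import sys
from typing import Optional

# Assumed T3 greeting: the client announces the T3 version it speaks plus a few
# header fields (AS = abbrev size, HL = header length, MS = max message size).
T3_PROBE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Assumed reply shape: "HELO:<server-version>.<true|false>\n<headers>\n\n".
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)")


def parse_t3_hello(response: bytes) -> Optional[dict]:
    """Return {'version': ..., 'headers': {...}} for a T3 HELO reply, else None.

    Non-T3 services (HTTP, SSH, ...) do not answer with HELO, so None means the
    port is not a T3 listener or the server refused the protocol.
    """
    m = HELO_RE.match(response)
    if not m:
        return None
    headers = {}
    for line in response.split(b"\n")[1:]:
        if b":" in line:
            key, value = line.split(b":", 1)
            headers[key.decode("ascii", "replace")] = value.decode("ascii", "replace").strip()
    return {"version": m.group(1).decode("ascii"), "headers": headers}


def is_t3_exposed(response: bytes) -> bool:
    """True when the reply proves a T3 listener answered the probe."""
    return parse_t3_hello(response) is not None


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> Optional[dict]:
    """Connect, send the greeting, read until the blank line and parse the reply.

    This performs real network I/O; the tests only exercise the parser.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_PROBE)
        data = b""
        try:
            while b"\n\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_t3_hello(data)


# Constructed sample replies (not captured from a real server).
SAMPLE_T3_REPLY = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        print(probe_t3(sys.argv[1], port))
    else:
        print(parse_t3_hello(SAMPLE_T3_REPLY))
```

Run it as `python probe.py host [port]` against each WebLogic listen port; any host that returns a version string has a T3 listener reachable from wherever the script runs, which is exactly the precondition the exploit needs. The same probe, run from an untrusted network segment after mitigation, verifies that the listener is no longer reachable.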
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for detecting exploitation attempts, applied according to the security service in place.
For customers using Alert Logic Threat Manager™, the network-based Intrusion Detection System (IDS) has been updated with signatures for this exploit. When a signature fires, an incident is generated in the Alert Logic console.
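To make the detection concrete: the Python example below is added here (it is not Alert Logic's signature set) and scans T3 traffic for an embedded Java serialization stream, then flags class names that an unauthenticated T3 client should never need to send, which is the kind of indicator a network signature for this exploit would key on. The watch list (RMI client classes of the kind an object that dials back to an attacker's RMI server typically carries), the simplified 4-byte length framing, and the sample messages are all assumptions constructed for the example. Note that weblogic.rjvm.ClassTableEntry is used by normal T3 messaging, so its presence alone is not a useful indicator.

```python
"""Scan T3 messages for embedded Java serialization and flag suspicious class
names.  Added example, not Alert Logic's signatures; the watch list, framing
and sample messages are assumptions constructed for illustration."""
import re
import struct
from typing import List

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
TC_CLASSDESC = 0x72                     # class-descriptor tag in the stream grammar

# Assumed watch list: classes carried by an object that opens an outbound RMI
# connection when deserialized.  Legitimate T3 clients do not send these.
SUSPICIOUS_CLASSES = {
    "java.rmi.server.RemoteObjectInvocationHandler",
    "java.rmi.server.UnicastRef",
}

# A plausible Java class name: identifier characters, dots, and array syntax.
NAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.\[;/]*$")


def extract_class_names(blob: bytes) -> List[str]:
    """Pull class names from TC_CLASSDESC records after the serialization magic.

    Heuristic scan: a 0x72 tag followed by a 2-byte big-endian length and a
    class-name-like string is treated as a descriptor, and the scan skips past
    the name so letters inside it are not mistaken for further tags.
    """
    names: List[str] = []
    start = blob.find(JAVA_SER_MAGIC)
    if start < 0:
        return names
    i = start + len(JAVA_SER_MAGIC)
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", blob[i + 1:i + 3])
            cand = blob[i + 3:i + 3 + n]
            if 2 < n <= 256 and len(cand) == n and NAME_RE.match(cand):
                names.append(cand.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def inspect_t3_message(msg: bytes) -> dict:
    """Classify one T3 message the way an IDS rule would, returning the verdict."""
    classes = extract_class_names(msg)
    hits = sorted(c for c in classes if c in SUSPICIOUS_CLASSES)
    return {
        "t3_handshake": msg.startswith(b"t3 "),
        "java_serialized": JAVA_SER_MAGIC in msg,
        "classes": classes,
        "suspicious": hits,
        "alert": bool(hits),
    }


def _classdesc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC record: tag, UTF name, 8-byte serialVersionUID,
    flags, field count.  Constructed for the samples below."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")
            + b"\x00" * 8 + b"\x02" + b"\x00\x00")


# Constructed sample messages.  The 4-byte prefix stands in for T3's length framing.
BENIGN_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"
BENIGN_MSG = b"\x00\x00\x00\x40" + JAVA_SER_MAGIC + b"\x73" + _classdesc("java.util.HashMap")
MALICIOUS_MSG = (b"\x00\x00\x00\x80" + JAVA_SER_MAGIC
                 + b"\x73" + _classdesc("java.rmi.server.RemoteObjectInvocationHandler")
                 + b"\x73" + _classdesc("java.rmi.server.UnicastRef"))

if __name__ == "__main__":
    for label, sample in (("handshake", BENIGN_HANDSHAKE), ("benign", BENIGN_MSG),
                          ("malicious", MALICIOUS_MSG)):
        print(label, inspect_t3_message(sample))
```

In a real deployment the scanner would run over reassembled T3 streams from a capture or an IDS hook, and the watch list would be tuned against the classes your own WebLogic clients legitimately serialize; the structure (find the stream header, walk the class descriptors, compare against a denylist) is the same.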
Recommendations for Mitigation
Upgrade to a non-vulnerable version (apply Oracle's patch for this issue) to remediate the vulnerability. Where patching cannot happen immediately, restrict access to the T3 and T3S protocols on the affected listen ports, for example with a WebLogic connection filter that allows T3 only from trusted hosts and otherwise denies it (a rule of the form `0.0.0.0/0 * * deny t3 t3s`, placed after the allow rules for trusted addresses), and then verify from an untrusted network segment that the T3 listener is no longer reachable. Treat casting-error stack traces in the server logs as a possible sign of exploitation attempts.