An unauthenticated remote code execution vulnerability (CVE-2019-2725) has been discovered in Oracle WebLogic Server. This vulnerability is remotely exploitable without authentication. Exploit code has been released into the public domain, and Alert Logic® has observed active attacks by malicious actors.
You may be affected if you run version 10.3.6.0.0 or 126.96.36.199.0 or below of Oracle WebLogic Server. Oracle has released a patch to mitigate this threat.
Customers who run the Alert Logic inline web application firewall in Protect mode are protected from this vulnerability, as attacks exploiting this vulnerability will be blocked. However, we recommend applying the patch released by Oracle as soon as possible due to the critical nature of this threat.
This vector allows attackers to remotely control victim hosts and execute code, install persistence, and laterally move throughout the network. The vulnerability lies in the asynchronous communication services for WebLogic Server, which is included by default in some versions. A flawed implementation in deserializing input information means an attacker can send a carefully constructed malicious HTTP request to execute commands remotely and without authorization.
Alert Logic Coverage
Network IDS: Alert Logic released signatures to detect exploitation of this threat on April 26, 2019. Alert Logic security analysts are actively working to evaluate instances of potential success.
Web Application: Existing Alert Logic web application coverage will detect attacks targeted at exploiting CVE-2019-2725. If the Alert Logic inline web application firewall is in Protect mode, it will also block these attacks.
Vulnerability Scanning: Alert Logic has released vulnerability scan coverage to identify vulnerable assets.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
Per a security alert released by Oracle, it is strongly recommended that customers apply updates provided by Oracle as soon as possible.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click the FOLLOW button at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.
04/30/2019: Vulnerability scan coverage is now available to identify vulnerable assets.