Delaware, USA – April 26, 2019 – A zero-day vulnerability in Oracle WebLogic allows attackers to execute arbitrary code remotely, and it is already being exploited in the wild. The flaw was discovered on Sunday by KnownSec 404's researchers, who notified the vendor, but so far there has been no official response from Oracle. Since the quarterly security update was released only recently, owners of vulnerable servers may have to wait until the July update for an official fix. The researchers recorded scans searching for servers that expose the WLS9_ASYNC and WLS-WSAT components, followed by test exploits launched against them. The vulnerability causes these components to deserialize attacker-supplied data, which lets the attacker take over the server; so far, however, no installation of backdoors or other malware has been observed. The vulnerability affects servers running WebLogic 10.x and 12.1.3; there are currently more than 36,000 such servers exposed, most of them located in the United States and China.
To protect your servers against these attacks, the researchers recommend either removing the vulnerable components and restarting the servers (which also removes the asynchronous web-service and WS-AT functionality they provide), or configuring the firewall to block access to the /_async/* and /wls-wsat/* paths of the Oracle WebLogic installation. A PoC exploit for this vulnerability has not yet been published; recall that last year a wave of attacks on WebLogic servers began as soon as a PoC was released, even though the necessary update was already available. Because Oracle WebLogic servers often play an important role in an organization's infrastructure, they are of interest to many cybercriminals. To minimize the risks related to running Oracle WebLogic servers, you can use your SIEM with the Web Application Security Framework rule pack, which helps to spot malicious activity: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight
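The path-based mitigation and the SIEM detection described above both reduce to the same question: does a request target the /_async/* or /wls-wsat/* components? The script below is an added example, not code from SOC Prime or from the KnownSec 404 advisory. It implements that check with percent-decoding and slash normalisation (a naive string prefix match misses `/%5Fasync/` or `/_async//`), and runs it over a few constructed access-log lines in the common combined format to list the hits and count them per source address. The log lines, IP addresses and endpoint names in the sample are constructed for illustration; the function and variable names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Paths served by the two WebLogic components named in the advisory.
# Requests to these should be blocked at the perimeter and flagged in the SIEM.
VULNERABLE_PREFIXES = ("/_async/", "/wls-wsat/")

# Combined access-log format (Apache/nginx default). Group names are ours.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def targets_vulnerable_component(target: str) -> bool:
    """True if the request target resolves to /_async/* or /wls-wsat/*.

    The path is percent-decoded and duplicate slashes are collapsed, so that
    '/%5Fasync/AsyncResponseService' or '/_async//x' cannot bypass a block
    rule that only compares the raw string.
    """
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path)
    return path.lower().startswith(VULNERABLE_PREFIXES)


def parse_line(line: str):
    """Parse one combined-format access-log line into a dict, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return (hits, per_source): parsed entries that touch the vulnerable
    components, and a Counter of those hits by client address."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and targets_vulnerable_component(entry["target"]):
            hits.append(entry)
    per_source = Counter(h["src"] for h in hits)
    return hits, per_source


# Constructed sample log (not real traffic). Documentation-range IPs only.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Apr/2019:03:14:07 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [24/Apr/2019:03:14:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1532 "-" "python-requests/2.21.0"',
    '198.51.100.7 - - [24/Apr/2019:03:15:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2019:03:15:30 +0000] "GET /%5Fasync//AsyncResponseService HTTP/1.1" 404 0 "-" "curl/7.64.0"',
    '192.0.2.55 - - [24/Apr/2019:03:16:12 +0000] "POST /myapp/api/orders HTTP/1.1" 201 88 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    hits, per_source = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("hits per source:", dict(per_source))
```

Two points worth noting when turning this into a live rule: a 404 on these paths (the encoded GET above) is still worth an alert, because it shows someone probing for the components, and a POST that returns 202 or 500 on /_async/* deserves an immediate look, since the exploit traffic seen in the wild is a POST carrying a SOAP body. Blocking the paths at the firewall or reverse proxy is a stopgap; it does not remove the deserialization sink, so the vendor fix, once available, should still be applied.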