Oracle WebLogic Found to be Extremely Vulnerable to Unpatched Zero-Day Exploit

Updated on: 5 May 2019
Updated on: 5 May 2019

Oracle WebLogic is a multi-tier enterprise application server based on Java which makes it possible for companies and businesses to upload services or products on the cloud. All this is done on the fly, without the need to go through other intermediaries.

This is why the application has become largely popular and useful on both the cloud cyber-world and other conventional fields of use.

Recently, a few security specialists discovered a highly dangerous zero-day vulnerability in the Oracle WebLogic server. What makes this incredibly threatening is that hackers could use this exploit simply by enabling the “wls9_async_response.war” and the “wls-wsat.war” components.

The main cause for this security system’s weakness is a serious deserialization vulnerability acting at the level of the remote code execution. Moreover, this is true for all versions of the Oracle WebLogic software.

This exploit was discovered by the cybersecurity specialists from KnownSec 404. They’ve said that an official fix still wasn’t released when they officially came out with the vulnerability.

Any hacker could use this weakness to execute commands without having the proper authorization.

1. What are the implications?

This is incredibly harmful and the potential that can be harnessed from this zero-day vulnerability doesn’t seem to have any limits. The disaster that could ensue would cripple companies using the Oracle WebLogic application.

It would leave them on the brink of collapse, with their data and confidential information at the mercy of anyone smart enough to realize the potential of this exploit.

The Chinese National Information Vulnerability Sharing Platform (CNVD) said that “Since the WAR package has a defect in deserializing the input information, the attacker can obtain the authority of the target server by sending a carefully constructed malicious HTTP request, and execute the command remotely without authorization.”

The Oracle WebLogic app versions that are affected by this zero-day vulnerability are as follow:

  • WebLogic 10.X
  • WebLogic 12.1.3

Officially registered as CNVD-C-2019-48814 by KnownSec 404’s team of experts, the exploit has still to be addressed by Oracle’s security specialists.

According to ZoomEye, the popular cyberspace search engine, there are more than 101,040 results on the Oracle WebLogic servers, with more than 36,173 results in 2019 alone.

The majority of these results come from the US and China, and it’s not as surprising as it seems. Many hacking groups are active in these regions, and most attacks happen here as well.

A few of these results also originate from India, Germany, Iran, France, Canada, the Republic of Korea, and so on.

2. When is a patch going to be issued?

Not too soon, unfortunately. Oracle has only recently released a Critical Patch Update in April and considering that their patching policy is based on a 3-month system, this zero-day exploit won’t be solved as quickly.

That is unless Oracle does the unthinkable and goes over its own policies to release a patch ahead of time. Which they should. As soon as possible even.

However, you can still take the appropriate protection measures in order to prevent anything bad from happening. The guys from KnownSec 404 released two temporary solutions:

  • Find and delete wls9_async_response.war and wls-wsat.war. After that, restart the WebLogic service
  • Control the URL access for the / _async/* and /wls-wsat/* paths by accessing the policy control

Try any one of these solutions or even both of them if you want extra guarantees.

The fact is, until a proper official patch is released, the risks will be ever-present, and no one will be safe. Hackers could very easily access the vulnerable servers through this zero-day exploit.

What they could do with all that power isn’t all that open to debate or left to be pondered. Cyber-attacks are only ever made from a couple of reasons. Either the hackers want to make a statement, publicize their strong opposition of a certain idea or event or they’re acting from selfish reasons.

In other words, either they want to leak important data belonging to certain individuals or companies, out of a need to gain notoriety or uncover some dirty secrets, or they want to make money.

The black market is chock-full of personally-identifiable information packages supplied by skillful hackers, and whoever wants to buy them, they can do so without a second thought.

Just like how the notorious Shadow Brokers leaked NSA’s malware programs in 2017, leading up to numerous hacking attacks, the Oracle WebLogic zero-day vulnerability could mark the beginning of another streak of cyber-attacks.

If something isn’t done in due time, many heads will roll. And hackers generally don’t care in the slightest who gets hurt in the process. Losses are acceptable, and so is collateral damage. For them, it’s just a game. For the rest of us, it’s a deadly race against the clock.

KnownSec 404 has done enough. Not, it’s time for Oracle to step up and do the rest. Countless WebLogic users are counting on them to solve this issue before it degenerates into something much worse.

We’ll see what happens in the future and whether this is the start of a new series of cyber-attacks or just a near-death situation.

Written by: Alex Popa

Content writer and technology enthusiast. Alex discovered his love for writing not long ago, one that deepens with each written article. Tech subjects are right up his alley, and as he strives to perfect his craft, even more, his journey through the cyber-world leads to many interesting topics that he approaches with the skill and passion of an avid learner. He’s decided to put his ability to good use and share any digital novelties he comes across.

Leave a Reply

Notify of