
How to analyze Oracle WebLogic XMLDecoder deserialization vulnerabilities

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail how the Oracle WebLogic XMLDecoder deserialization vulnerabilities are analyzed. The editor shares it for your reference; after reading it, you should have a basic understanding of the relevant knowledge.

I. Preface

Oracle Fusion Middleware is Oracle's business innovation platform for enterprise and cloud environments; it provides middleware, a software collection and other functions. Oracle WebLogic Server is one of its application server components and is suitable for both cloud and traditional environments.

The wls-wsat and wls9_async_response WAR packages are included in WebLogic by default. Because these WAR packages use the XMLDecoder deserialization mechanism to process the XML data they receive, an unauthenticated remote attacker can execute commands by sending a carefully constructed HTTP request and obtain the permissions of the target server. In other words, the attacker can directly gain the permissions of the server's operating system, steal data, and even threaten the victim's intranet security.

There are currently three WebLogic vulnerabilities caused by XMLDecoder deserialization of untrusted data. The first is CVE-2017-3506 and the second is CVE-2017-10271; the data entry point for these two historical vulnerabilities is under /wls-wsat/*. The third is CVE-2019-2725, which adds /_async/* as a data entry point.

Netteng CRS/ARS products fully support detection and verification of this vulnerability; Netteng users can log in to www.riskivy.com directly to verify.

II. Affected versions

Oracle WebLogic Server 10.x

Oracle WebLogic Server 12.1.3

III. Vulnerability impact

1. Whether the wls9_async_response component exists can be determined by accessing the path /_async/AsyncResponseServiceSoap12. If the component's page is returned, the component is present; pay attention to it and take protective measures in time.

2. Whether the wls-wsat component exists can be determined by accessing the path /wls-wsat/CoordinatorPortType. If the component's page is returned, the component is present; pay attention to it and take protective measures in time.
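The presence check above, together with monitoring of the two data entry points named in the preface (/wls-wsat/* and /_async/*), can be scripted. The following is an added example written for this article; it is not code from the article or from Oracle. It assumes that an HTTP 200 on the probe path means the component answered and a 404 means it is not deployed (anything else is reported as unknown), that access logs are in the common/combined format, and the log lines in the script are constructed samples, not real traffic.

```python
import re
import sys
import urllib.error
import urllib.request

# The two components named in the article and the paths the article uses
# to confirm they are deployed (mapping constructed for this example).
COMPONENT_PATHS = {
    "wls9_async_response": "/_async/AsyncResponseServiceSoap12",
    "wls-wsat": "/wls-wsat/CoordinatorPortType",
}

# Request paths under the two XMLDecoder data entry points (/wls-wsat/* and /_async/*).
ENTRY_POINT_RE = re.compile(r"^/(?:wls-wsat|_async)(?:/|$)")


def probe_url(base_url: str, path: str) -> str:
    """Join a server base URL and a component path without doubling the slash."""
    return base_url.rstrip("/") + path


def classify(status):
    """Turn an HTTP status (None = no HTTP answer at all) into a verdict.

    Assumption: 200 means the component answered on that path, 404 means it is
    not deployed; other codes are reported rather than guessed at.
    """
    if status is None:
        return "unreachable"
    if status == 200:
        return "present"
    if status == 404:
        return "absent"
    return f"unknown (HTTP {status})"


def fetch_status(url: str, timeout: float = 5.0):
    """GET a URL and return its HTTP status, or None if no HTTP response came back."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # the server answered, e.g. 403 or 404
    except (urllib.error.URLError, OSError):
        return None


def check_server(base_url: str) -> dict:
    """Return {component: verdict} for one WebLogic instance."""
    return {name: classify(fetch_status(probe_url(base_url, path)))
            for name, path in COMPONENT_PATHS.items()}


def is_entry_point(request_path: str) -> bool:
    """True for request paths under /wls-wsat/ or /_async/ (the vulnerable entry points)."""
    return ENTRY_POINT_RE.match(request_path) is not None


def flag_access_log(lines):
    """Yield (client_ip, method, path) for common-format access-log lines that hit an entry point."""
    pat = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
    for line in lines:
        m = pat.match(line)
        if m and is_entry_point(m.group(3)):
            yield m.group(1), m.group(2), m.group(3)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:7001"
    for component, verdict in check_server(base).items():
        print(f"{component:22s} {verdict}")
    # Constructed sample log lines (not from any real server).
    sample = [
        '10.0.0.5 - - [31/May/2019:10:00:01 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
        '198.51.100.7 - - [31/May/2019:10:00:02 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0',
        '198.51.100.7 - - [31/May/2019:10:00:03 +0800] "POST /_async/AsyncResponseServiceSoap12 HTTP/1.1" 202 0',
    ]
    for hit in flag_access_log(sample):
        print("entry-point request:", hit)
```

Run it as `python check_weblogic.py http://host:7001` against your own instance; any "present" verdict means the corresponding fix in section IV applies. Because legitimate clients rarely call these SOAP endpoints, POST requests matched by `flag_access_log` are a cheap alerting signal while the fix is being rolled out.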

IV. Fix solution

4.1 Configure an access control policy

Unauthorized users can be prevented from accessing the following paths by configuring an access control policy:

/wls-wsat/*
/_async/*

4.2 Delete unsafe files

Delete the wls9_async_response.war and wls-wsat.war files and their related folders, then restart the WebLogic service. The specific file paths are as follows:

Oracle WebLogic Server 10.3.x:
\Middleware\wlserver_10.3\server\lib\
%DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\
%DOMAIN_HOME%\servers\AdminServer\tmp\.internal\

Oracle WebLogic Server 12.1.3:
\Middleware\Oracle_Home\oracle_common\modules\
%DOMAIN_HOME%\servers\AdminServer\tmp\.internal\
\servers\AdminServer\tmp\_WL_internal\

4.3 Upgrade the JDK version

The bypass used by this vulnerability only works on JDK 6; upgrade the JDK to version 7 or later.
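Steps 4.2 and 4.3 can be carried out with a small script. The following is an added example written for this article, not code from the article, Shulou or Oracle. It assumes you pass the directories listed in 4.2 as roots, that a "delete" is better done as a move into a backup directory so the change can be reverted if something else depended on the WAR, and that the JDK version is given as a `java -version` style string such as `1.6.0_45` or `11.0.2` (constructed values; unparsable strings are treated as not mitigated).

```python
import os
import shutil
import sys
from pathlib import Path

# Artifact names from section 4.2. WebLogic keeps both the .war archive
# (e.g. under \Middleware\wlserver_10.3\server\lib\) and an exploded
# directory of the same name (under %DOMAIN_HOME%\servers\AdminServer\tmp\).
UNSAFE_NAMES = ("wls9_async_response.war", "wls-wsat.war")


def find_unsafe_artifacts(roots):
    """Walk each root and return every file or directory named in UNSAFE_NAMES.

    Exploded directories are reported once and not descended into; roots that
    do not exist (e.g. a 12.1.3 path on a 10.3.x install) are skipped.
    """
    found = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            for name in list(dirnames):
                if name in UNSAFE_NAMES:
                    found.append(Path(dirpath) / name)
                    dirnames.remove(name)  # do not walk inside an exploded war
            for name in filenames:
                if name in UNSAFE_NAMES:
                    found.append(Path(dirpath) / name)
    return sorted(found)


def quarantine(artifacts, backup_dir, dry_run=True):
    """Move each artifact into backup_dir (a reversible delete); return (src, dst) pairs.

    With dry_run=True nothing on disk changes; only the planned moves are returned.
    """
    backup_dir = Path(backup_dir)
    moved = []
    for src in artifacts:
        dst = backup_dir / src.name
        n = 1
        while dst.exists():  # same name found under several roots
            dst = backup_dir / f"{src.name}.{n}"
            n += 1
        if not dry_run:
            backup_dir.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
        moved.append((src, dst))
    return moved


def jdk_mitigates(java_version: str) -> bool:
    """True if the Java version is 7 or later (section 4.3: the bypass only works on JDK 6).

    Accepts the legacy '1.x.y_z' form and the newer '9', '11.0.2' form.
    Assumption: a string that cannot be parsed is reported as not mitigated.
    """
    parts = java_version.strip().split(".")
    try:
        major = int(parts[0])
        if major == 1 and len(parts) > 1:
            major = int(parts[1].split("_")[0])
    except ValueError:
        return False
    return major >= 7


if __name__ == "__main__":
    # Usage: python remove_wls_wars.py [--apply] ROOT [ROOT ...]
    args = sys.argv[1:]
    apply = "--apply" in args
    roots = [a for a in args if a != "--apply"] or [os.environ.get("DOMAIN_HOME", ".")]
    hits = find_unsafe_artifacts(roots)
    for src, dst in quarantine(hits, "weblogic_war_backup", dry_run=not apply):
        print(("moved" if apply else "would move"), src, "->", dst)
    if apply and hits:
        print("restart the WebLogic service to complete the removal")
```

Run it first without `--apply` to see what would be moved, then with `--apply`, and restart WebLogic afterwards as the article instructs. Note that the exploded copies under the AdminServer `tmp` directories are regenerated from the archive on startup, so the archive under `server\lib` (or `oracle_common\modules`) must be removed as well, which is why the article lists both locations.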

This concludes the analysis of the Oracle WebLogic XMLDecoder deserialization vulnerabilities. I hope the above content is of some help to you and that you have learned something from it. If you think the article is good, please share it so that more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
