Oracle WebLogic affected by "highly critical" zero-day flaw

The flaw affects all versions of WebLogic, according to security specialists Knownsec 404

Security researchers have discovered a "highly critical", unpatched zero-day flaw in Oracle WebLogic server.

According to researchers from Knownsec 404, the vulnerability allows hackers to hijack servers, conduct remote execution and send arbitrary commands.

The flaw, known as "CNVD-C-2019-48814", affects all versions of WebLogic, including the latest update, when the wls9_async_response.war and wls-wsat.war are enabled.

Oracle's WebLogic is a Java-based tool that enables users to develop and deploy multi-tier enterprise applications through the cloud.

"Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability," wrote the researchers in a blog post.

Cyber criminals are able to exploit this vulnerability without any authorisation and by putting together a malicious HTTP request.

The Chinese National Information Security Vulnerability Sharing Platform (CNVD) described how the flaw works: "Since the WAR package has a defect in deserializing the input information, the attacker can obtain the authority of the target server by sending a carefully constructed malicious HTTP request, and execute the command remotely without authorization."

Although it's unknown how many users may have been affected by the vulnerability, figures from Zoomeye show that there are currently more than 36,000 WebLogic servers on the internet.

Speaking about the potential impact of the flaw, the researchers said: "ZoomEye is a famous cyberspace search engine and have 101,040 results about Oracle WebLogic server, there are 36,173 results on 2019. Most of them are distributed in the US and China."

Despite alerting an Oracle official of the flaw, the researchers said they did not release a corresponding fix by the time their alert was issued.

Oracle typically releases security updates every three months as part of its Critical Patch service, so it may be some time before the firm addresses this issue.

However, Knownsec 404 has provided two temporary solutions: