Oracle WebLogic Deserialization Vulnerability : CVE-2018-2628

A deserialization vulnerability was discovered in the core components of Oracle WebLogic Server. Upon successful exploitation, an attacker can take control of the target server. The exploit sends a custom serialized object to the server over the T3 protocol and achieves remote arbitrary code execution. The T3 and T3S (T3 over TLS) protocols are used to exchange data between the server and Java virtual machines. The issue affects versions,,, CVE-2018-2628 has been assigned to track this vulnerability. Oracle has addressed this issue in CPUAPR2018.

As mentioned in the previous section, CVE-2018-2628 is a Java object deserialization vulnerability that can lead to remote code execution and target takeover. The issue occurs due to improper handling of a serialized RemoteObjectInvocationHandler object. @pyn3rd has claimed that the patch for CVE-2018-2628 is incomplete and can be bypassed easily. Please note that Oracle has not yet commented on the issue.

Oracle has addressed CVE-2018-2628 in the Oracle Critical Patch Update Advisory for April 2018. Please apply the latest patches as directed by the advisory. Qualys customers can scan their network using QID: 87333 to detect vulnerable targets. If patching cannot be done immediately, administrators can restrict access to the T3 protocol as a temporary mitigation.
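One way to apply that temporary mitigation is a WebLogic connection filter, which rejects T3/T3S connections at the network layer before any serialized object is read. The fragment below is an added example for this post, not configuration from Oracle's advisory; it goes under <security-configuration> in the domain's config.xml (the same settings are available in the Admin Console under Domain > Security > Filter, or through WLST). Rules are matched in order, first match wins, and the 10.0.0.0/8 range is a placeholder for whatever internal hosts legitimately need T3 (for example other managed servers and admin workstations).

```text
<security-configuration>
  <!-- Built-in filter that evaluates the rules listed below -->
  <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>

  <!-- Rule format: target localAddress localPort action protocols -->
  <!-- 1. Allow the server's own loopback traffic over T3/T3S -->
  <connection-filter-rule>127.0.0.1 * * allow t3 t3s</connection-filter-rule>
  <!-- 2. Allow trusted internal hosts (placeholder range; adjust to your network) -->
  <connection-filter-rule>10.0.0.0/8 * * allow t3 t3s</connection-filter-rule>
  <!-- 3. Deny T3/T3S from everywhere else; HTTP/HTTPS are not listed, so they remain unaffected -->
  <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s</connection-filter-rule>
</security-configuration>
```

After restarting the servers, verify the filter by confirming that a T3 connection attempt from an address outside the allowed ranges is refused while HTTP traffic still reaches the server; this reduces exposure but is not a substitute for the CPU patches.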

Patch Bypass: Qualys has released QID: 370914 to address the CVE-2018-2628 patch bypass. The QID flags the target if any of the patch IDs listed below is present on the machine.

  • WebLogic Server – Patch 27342434
  • WebLogic Server – Patch 27338939
  • WebLogic Server – Patch 27419391
  • WebLogic Server – Patch 27395085

Please continue to follow Qualys Threat Protection for more coverage on the vulnerability.

CVE-2018-2628 Simple Reproduction and Analysis
Oracle Critical Patch Update Advisory – April 2018
