A deserialization vulnerability was discovered in Oracle WebLogic server’s core components. Upon successful exploitation an attacker can take control of the target server. The exploit targets the server by sending a custom serialized object using T3 protocol and achieves remote arbitrary code execution. T3 and T3S(T3 over TLS) protocol is used to exchange data between the server and java virtual machines. The issue affects versions 10.3.6.0,12.1.3.0,12.2.1.2,12.2.1.3. CVE-2018-2628 has been assigned to track this vulnerability. Oracle has addressed this issue in CPUAPR2018.
Vulnerability
As mentioned in the previous section CVE-2018-2628 is a java object deserialization vulnerability that can lead to remote code execution and target take over. The is issue occurs due to improper handling of a serialized RemoteObjectInvocationHandler object. @pyn3rd has claimed that the patch for CVE-2018-2628 is incomplete and can be bypassed easily. Please note that Oracle has not yet commented on the issue.
Mitigation
Oracle has addressed CVE-2018-2628 in Oracle Critical Patch Update Advisory for April 2018. Please apply the latest patches as directed by the advisory. Qualys customer can scan their network using QID: 87333 to detect vulnerable targets. If patching cannot be done immediately then administrators can limit access via T3 protocol as temporary mitigation.
Patch Bypass: Qualys has released QID: 370914 to address CVE-2018-2628 patch bypass. The QID flags if any of the patch IDs listed below are present on the target machine.
- WebLogic Server 12.2.1.3 – Patch 27342434
- WebLogic Server 12.2.1.2 – Patch 27338939
- WebLogic Server 12.1.3.0 – Patch 27419391
- WebLogic Server 10.3.6.0 – Patch 27395085
Please continue to follow Qualys Threat Protection for more coverage on the vulnerability.
References
CVE-2018-2628 Simple Reproduction and Analysis
CVE-2019-2628
Oracle Critical Patch Update Advisory – April 2018