[Alert] WebLogic Java Deserialization Vulnerability (CVE-2018-3245)

  • Source: SANGFOR Security Center
  • Date Published: 2018-10-24

Summary

Definition From Encyclopedia

WebLogic is an application server, or Java EE-based middleware, provided by Oracle Corporation. It is used to develop, integrate, deploy and manage distributed web applications, network applications and database applications.

WebLogic Server is based on Java 2 Platform, Enterprise Edition (J2EE), the standard platform used to create Java-based multi-tier enterprise applications. It is the first commercialized application server for building and deploying enterprise Java EE applications in a robust, secure, highly available and scalable environment.

Summary

This vulnerability lies in the WebLogic T3 service. T3 is WebLogic's proprietary RMI transport, and it is enabled by default on the same listen port that serves HTTP, so any WebLogic instance whose web port is reachable also exposes T3 unless T3 has been filtered. According to the statistics, 35,382 assets worldwide expose the WebLogic service to the Internet, 10,562 of them located in China, as shown in the following figure.

[Figure 1: distribution of Internet-exposed WebLogic assets]

The Oracle WebLogic Server is affected by a remote code execution vulnerability caused by unsafe deserialization of Java objects by the RMI registry in its core components. An unauthenticated attacker can wrap a malicious serialized object in a T3 message and send it to the server; when the server deserializes the payload, the attacker's code runs with the privileges of the WebLogic server process, which typically gives full control of the target system.

Vulnerability Reproduction

Prerequisites:

1. WebLogic Server in one of the following versions: Oracle WebLogic Server 10.3.6.0, 12.1.3.0 or 12.2.1.3

2. The WebLogic listen port is reachable from outside the network

3. The T3 protocol is reachable on that port (it is enabled by default and is not blocked by a connection filter)

Based on these three prerequisites, we built a test environment using WebLogic Server 10.3.6.0,

[Figure 2: test environment, WebLogic Server 10.3.6.0]

and reproduced CVE-2018-3245 against it.
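To check prerequisites 2 and 3 from the outside, the following added example (not part of the original advisory, and not Sangfor's scanner) sends the plain-text T3 handshake that every WebLogic client sends first and parses the server's HELO banner. A HELO reply means the host is serving T3 to the probing address; no HELO (connection reset, timeout, or an HTTP error page) means T3 is filtered, disabled, or the port is not WebLogic at all. The sample replies and the host/port defaults are constructed assumptions. The banner does not reveal patch level, so a match against the advisory's version list only means the host is in scope for patching, not that it is unpatched.

```python
import re
import socket

# T3 client handshake. The first bytes a WebLogic client sends on a T3 channel
# are a plain-text banner; the server answers with a HELO line before any
# serialized Java objects are exchanged. The version in the banner is the
# client's; the server does not require it to match its own.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# HELO:<server version>.<secure flag>, e.g. HELO:10.3.6.0.false
HELO_RE = re.compile(rb"^HELO:(?P<version>[0-9.]+)\.(?P<secure>true|false)")

# Versions named in this advisory as affected. A patched server reports the
# same banner, so a match means "in scope", not "vulnerable".
ADVISORY_VERSIONS = {"10.3.6.0", "12.1.3.0", "12.2.1.3"}

# Constructed sample replies (not captured from a real host).
SAMPLE_HELO = b"HELO:10.3.6.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_HTTP_ONLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"


def parse_t3_reply(data: bytes):
    """Return (version, secure) if `data` is a T3 HELO, otherwise None.

    None covers every case in which the server is not serving T3 to this
    client: the connection filter rejected it, T3 is disabled on the
    channel, or the port belongs to something other than WebLogic.
    """
    m = HELO_RE.match(data)
    if not m:
        return None
    return m.group("version").decode(), m.group("secure") == b"true"


def classify(reply):
    """Map a parsed reply to a one-word verdict for a report."""
    if reply is None:
        return "t3-not-served"
    version, _ = reply
    return "t3-open-advisory-version" if version in ADVISORY_VERSIONS else "t3-open"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0):
    """Connect, send the handshake and return the parsed HELO or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HANDSHAKE)
            data = sock.recv(1024)
    except OSError:
        # Refused, reset by the connection filter, or timed out (socket.timeout
        # is an OSError subclass).
        return None
    return parse_t3_reply(data)


if __name__ == "__main__":
    import sys
    # Host and port are assumptions; pass your own on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    reply = probe_t3(target, port)
    print(target, port, classify(reply), reply)
```

Run it once before and once after applying the connection filter described below: the first run should return a HELO from an unfiltered server, the second should return `t3-not-served` from any address the filter rejects.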

[Figure 3: vulnerability reproduction result]

Affected Versions

Oracle WebLogic Server 10.3.6.0,

Oracle WebLogic Server 12.2.1.3,

Oracle WebLogic Server 12.1.3.0

Solution

Remediation Solution

Oracle has officially released the October 2018 Critical Patch Update, which fixes this vulnerability.

(See https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html for details.)

Licensed users of the affected versions can download the patch from https://support.oracle.com after logging in with their support account.

Workaround

Reject T3 connection requests from outside the trusted network by configuring a connection filter

Steps:

[Figure 4: Connection Filter settings in the Administration Console]

In the Administration Console, select the domain, then click Security > Filter. In the Connection Filter field, enter

weblogic.security.net.ConnectionFilterImpl

Then, in the Connection Filter Rules field, enter one rule per line:

127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s

Each rule has the form "target localAddress localPort action protocols". Rules are checked in order and the first matching rule decides, so the deny-all line must come last. These two rules allow T3 only from the server itself: if managed servers, a Node Manager host, or administrators' WLST workstations need T3 access, add allow rules for their addresses or subnets before the deny rule. HTTP traffic is not affected, because the rules name only the t3 and t3s protocols.

Click Save to save the changes and restart the server for them to take effect.
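As an added example (not from the advisory and not Oracle's code), the following Python models how ConnectionFilterImpl applies an ordered rule list to an incoming connection, so a rule set can be checked against sample client addresses before it is saved to the server. It puts the advisory's two rules beside an extended set that also admits a cluster subnet (10.10.1.0/24) and an administrator's workstation (192.0.2.15). Those addresses, the first-match-wins order and the accept-when-nothing-matches default are assumptions of the model, and it handles IP and CIDR/netmask targets only, not DNS names.

```python
import ipaddress

# The two-rule set from this advisory: only the loopback address may open
# t3/t3s, everything else is denied.
ADVISORY_RULES = """
127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
"""

# Extended set (constructed example; the addresses are assumptions): the
# cluster subnet and the admin workstation are added before the catch-all
# deny, so server-to-server RMI and WLST/Admin Console traffic keep working.
CLUSTER_RULES = """
127.0.0.1 * * allow t3 t3s
10.10.1.0/24 * * allow t3 t3s
192.0.2.15 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
"""


def parse_rules(text):
    """Parse 'target localAddress localPort action [protocols...]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        target, local_addr, local_port, action, *protocols = fields
        if action.lower() not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        rules.append((target, local_addr, local_port, action.lower(),
                      {p.lower() for p in protocols}))
    return rules


def _target_matches(target, client_ip):
    """Match a remote address against '*', a single IP, or IP/bits, IP/netmask."""
    if target == "*":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in target:
        # ip_network accepts both '10.0.0.0/8' and '10.0.0.0/255.0.0.0'.
        return addr in ipaddress.ip_network(target, strict=False)
    return addr == ipaddress.ip_address(target)


def evaluate(rules, client_ip, protocol="t3", local_addr="*", local_port="7001"):
    """Return True if the connection is allowed.

    Modelled behaviour (assumption): rules are tried in order and the first
    match decides; a connection that no rule matches is accepted. Keep a
    catch-all deny as the last rule rather than relying on that default.
    """
    for target, laddr, lport, action, protocols in rules:
        if not _target_matches(target, client_ip):
            continue
        if laddr != "*" and laddr != local_addr:
            continue
        if lport != "*" and lport != str(local_port):
            continue
        # A rule with no protocol list applies to every protocol.
        if protocols and protocol.lower() not in protocols:
            continue
        return action == "allow"
    return True


def compare(client_ip, protocol="t3"):
    """Decision of (advisory rules, cluster rules) for one client."""
    return (evaluate(parse_rules(ADVISORY_RULES), client_ip, protocol),
            evaluate(parse_rules(CLUSTER_RULES), client_ip, protocol))


if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.10.1.22", "192.0.2.15", "203.0.113.5"):
        print(ip, "t3", compare(ip))
    print("203.0.113.5 http", compare("203.0.113.5", "http"))
```

The point to take from the comparison is that the advisory's rule set cuts off a second managed server at 10.10.1.22 as well as the Internet attacker at 203.0.113.5; the extended set keeps the cluster working while still denying the attacker. Whatever set you settle on, confirm the live server's behaviour with a T3 probe from both an allowed and a denied address rather than trusting the model.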

Sangfor Solution

Sangfor Security Cloud has already been updated and can probe websites for this vulnerability.

For Sangfor NGAF customers, simply enable the corresponding security protection feature.