[Alert] WebLogic Deserialization Vulnerability CVE-2018-2893
- Source:SANGFOR Security Center
- Date Published:2018-07-25
Definition From Encyclopedia
WebLogic is an application server: a set of Java EE-based middleware components provided by Oracle and used to develop, integrate, deploy and manage distributed web applications, network applications and database applications.
Large-scale websites are widely built on Java and Java Enterprise Edition. WebLogic is one of the mainstream commercial Java (J2EE) application servers, boasting high scalability, flexibility and reliability.
This vulnerability lies in the WebLogic T3 service, which is enabled by default for any application whose WebLogic web-access port is open. According to the statistics, more than 35,382 assets worldwide expose the WebLogic service to the Internet, 10,562 of them located in China, as shown in the figure below:
Attackers substitute java.rmi.activation.Activator for java.rmi.registry.Registry and thereby evade the RMI API check performed by resolveProxyClass. The root cause of the deserialization remote code execution is that the resolveProxyClass check can be bypassed: the attacker uses a UnicastRef to set up a TCP connection to a remote server and obtain an RMI registry reference that is later parsed by readObject. The payload object generated by the JRMPClient module of the ysoserial tool is wrapped in a StreamMessageImpl, and because StreamMessageImpl is not checked by resolveProxyClass during deserialization, the check never sees the payload.
The following are screenshots of the encapsulated StreamMessageImpl and of the JRMPClient payload, respectively.
Affected Versions
- Oracle WebLogic Server 10.3.6.0
- Oracle WebLogic Server 184.108.40.206
- Oracle WebLogic Server 220.127.116.11
- Oracle WebLogic Server 18.104.22.168
1. Official patch
Install the Critical Patch Update (CPU) published on Oracle's official site: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (a license and support account are required; log in here: https://support.oracle.com)
2. Quick solution
Restrict the T3 service
In the WebLogic console, select Security > Filter, locate the connection filter field and type in:
then type in the following rules, one per line:
127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
Save the changes and restart the server for them to take effect.
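The two connection-filter rules above are evaluated top-down, and the first rule that matches a connection decides it, so their order matters: putting the catch-all deny first would also lock out localhost. The following script is an added example (not part of the Sangfor advisory or of WebLogic's own code) that models this evaluation in a simplified way so the rule set can be sanity-checked before it is saved in the console. It assumes the rule layout `targetAddress localAddress localPort action protocols...`, first-match-wins ordering, and "allow" when no rule matches; the remote addresses used as samples are constructed from the TEST-NET ranges.

```python
"""Simplified model of WebLogic connection-filter rule evaluation (added example).

Assumptions (not taken from the advisory): rules are evaluated top-down and the
first matching rule wins; a connection that matches no rule is allowed; the
target address is an IPv4 literal, a CIDR block, or '*' for any address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    target: str          # remote address: IP literal, CIDR block, or '*'
    local_addr: str      # local interface address or '*'
    local_port: str      # local listen port or '*'
    action: str          # 'allow' or 'deny'
    protocols: frozenset  # e.g. {'t3', 't3s'}


def parse_rule(line):
    """Parse one 'target localAddr localPort action proto...' rule line."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"malformed rule (need at least 5 fields): {line!r}")
    target, local_addr, local_port, action, *protos = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    return Rule(target, local_addr, local_port, action,
                frozenset(p.lower() for p in protos))


def parse_rules(text):
    """Parse a block of rules, skipping blank lines and '#' comments."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def _target_matches(target, remote_ip):
    if target == "*":
        return True
    # A bare IP literal becomes a /32 network; CIDR blocks are used as given.
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)


def decide(rules, remote_ip, protocol, local_port="7001"):
    """Return 'allow' or 'deny' for a connection; first matching rule wins."""
    for r in rules:
        if (_target_matches(r.target, remote_ip)
                and r.local_port in ("*", local_port)
                and protocol.lower() in r.protocols):
            return r.action
    return "allow"   # assumed default when nothing matches


def t3_is_restricted(rules):
    """Check the advisory's intent: T3/T3S denied from the Internet, allowed on localhost."""
    internet_samples = ["203.0.113.10", "198.51.100.7"]   # constructed TEST-NET addresses
    for proto in ("t3", "t3s"):
        if decide(rules, "127.0.0.1", proto) != "allow":
            return False
        if any(decide(rules, ip, proto) != "deny" for ip in internet_samples):
            return False
    return True


# The advisory's rules in the intended order.
GOOD_RULES = parse_rules("""
127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
""")

# The same two rules reversed: the catch-all deny now shadows the localhost allow.
REVERSED_RULES = parse_rules("""
0.0.0.0/0 * * deny t3 t3s
127.0.0.1 * * allow t3 t3s
""")

if __name__ == "__main__":
    print("advisory order restricts T3:", t3_is_restricted(GOOD_RULES))
    print("reversed order restricts T3:", t3_is_restricted(REVERSED_RULES))
    print("HTTP from the Internet is still:", decide(GOOD_RULES, "203.0.113.10", "http"))
```

Because the rules name only the t3 and t3s protocols, HTTP traffic to the same port is untouched, which is what keeps the web applications reachable while the T3 listener is closed to the outside. After restarting the server, confirm the effect from an external host as well, since this model only checks the rule text, not the running configuration.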
Sangfor detected this vulnerability at the time of its outbreak and has since updated its cloud engine, so it is capable of protecting customers' networks against these attacks. If you are unsure whether your business systems are affected, you may apply for a 30-day free trial of Sangfor's cloud security service.
Keep your Sangfor NGAF up to date and turn on the corresponding protection.