Oracle WebLogic Server Deserialization Remote Command Execution Vulnerability



Oracle WebLogic Server is prone to a remote command-execution vulnerability caused by the deserialization of untrusted data.

Attackers can exploit this issue to execute arbitrary commands in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.
Oracle WebLogic Server 10.x and 12.1.3 are vulnerable.

Information

Bugtraq ID: 108074
Class: Serialization Error
CVE:
Remote: Yes
Local: No
Published: Apr 25 2019 12:00AM
Updated: Apr 25 2019 12:00AM
Credit: KnownSec 404
Vulnerable: Oracle WebLogic Server 12.1.3
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 10.3.6.0
Oracle WebLogic Server 10.3.5.0
Oracle WebLogic Server 10.3.4
Oracle WebLogic Server 10.3.3
Oracle WebLogic Server 10.3.2
Oracle WebLogic Server 10.3.1
Oracle WebLogic Server 10.3
Oracle WebLogic Server 10.1
Oracle WebLogic Server 10.0.2
Oracle WebLogic Server 10.0 MP2
Oracle WebLogic Server 10.0 MP1
Oracle WebLogic Server 10


Not Vulnerable:

Exploit


Reports indicate that this issue is being exploited in the wild.
The researchers who reported the issue have created a proof-of-concept to demonstrate it. Please see the references for more information.