By: Sivathmican Sivakumaran (Vulnerability Researcher)
Oracle has recently disclosed and patched several remote-code-execution (RCE) vulnerabilities in WebLogic Server, many of them caused by insecure deserialization. Oracle addressed the most recent one, CVE-2019-2729, in an out-of-band security patch on June 18, 2019. CVE-2019-2729 was assigned a CVSS score of 9.8, making it a critical vulnerability. It is relatively easy to exploit, but exploitation requires Java Development Kit (JDK) 1.6; WebLogic version 10.3.6 ships with JDK 1.6 by default.
CVE-2019-2729 is essentially a bypass of the patch for CVE-2019-2725. The underlying issue, however, first surfaced on April 24, 2017 as CVE-2017-3506. We took a closer look at CVE-2019-2729 to see how this class of vulnerability has been remediated, particularly via blacklisting or whitelisting, and why it keeps recurring.
The Root Cause of CVE-2019-2725 and CVE-2019-2729
Context propagation in WebLogic Server makes it possible to carry application context information within a supported protocol. This information is carried as Java objects serialized to Extensible Markup Language (XML). By default, the following URLs accept context information via Simple Object Access Protocol (SOAP) requests:
/_async/*
/wls-wsat/*
The serialized XML data is carried inside the WorkContext element of the SOAP request. Deserialization of the WorkContext information is implemented in the WorkContextXmlInputAdapter class, as shown in Figure 1.
Figure 1. The WorkContextXmlInputAdapter class where the deserialization of WorkContext information is implemented
As shown above, t ..
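To make the blacklist-versus-whitelist point concrete, the following is an added example (not WebLogic code and not the vendor's patch logic). It pulls the XML-serialized payload out of a SOAP request's WorkContext header and runs it through two validators: a patch-style denylist that rejects one element name, and an allow-list that permits only the minimal XMLDecoder grammar a benign context value needs. The WorkContext namespace, the allowed element set, the sample requests and the placeholder class name `com.example.AnyClass` are all assumptions made for this example; the third sample only shows that a denylist keyed on element names is trivially sidestepped by a payload that names a class through a different element, it is not the CVE-2019-2729 bypass.

```python
"""Illustrative WorkContext payload inspector (added example, not WebLogic code)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"  # assumed WorkContext namespace

# Patch-style denylist: reject a payload only if this element name appears (illustrative).
DENIED_ELEMENTS = {"object"}

# Allow-list: the only element names a benign, primitive-valued context should need
# (assumption for this example; a real deployment derives it from its own traffic).
ALLOWED_ELEMENTS = {"java", "string", "int", "long", "boolean"}
ALLOWED_JAVA_ATTRS = {"version", "class"}
XMLDECODER = "java.beans.XMLDecoder"


def extract_workcontext(soap_xml: str):
    """Return the XMLDecoder root element (<java>) carried in the WorkContext header, or None."""
    envelope = ET.fromstring(soap_xml)
    header = envelope.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    ctx = header.find(f"{{{WORK_NS}}}WorkContext")
    if ctx is None or len(ctx) == 0:
        return None
    return ctx[0]


def denylist_accepts(payload) -> bool:
    """Accept unless a denied element name occurs anywhere in the payload tree."""
    return not any(el.tag in DENIED_ELEMENTS for el in payload.iter())


def allowlist_accepts(payload) -> bool:
    """Accept only if every element is in the allow-list and carries no class=/method=
    style attributes; the <java> root may only carry version= and class=XMLDecoder."""
    for el in payload.iter():
        if el.tag not in ALLOWED_ELEMENTS:
            return False
        if el.tag == "java":
            if set(el.attrib) - ALLOWED_JAVA_ATTRS:
                return False
            if el.attrib.get("class", XMLDECODER) != XMLDECODER:
                return False
        elif el.attrib:  # leaf values must be plain: no class=, method=, property=
            return False
    return True


def classify(soap_xml: str) -> dict:
    """Run both validators over one SOAP request and report the verdicts."""
    payload = extract_workcontext(soap_xml)
    if payload is None:
        return {"has_context": False, "denylist": True, "allowlist": True}
    return {
        "has_context": True,
        "denylist": denylist_accepts(payload),
        "allowlist": allowlist_accepts(payload),
    }


def _envelope(work_body: str) -> str:
    """Wrap a constructed XMLDecoder document in a SOAP envelope with a WorkContext header."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        f'<soapenv:Header><work:WorkContext xmlns:work="{WORK_NS}">'
        f"{work_body}"
        "</work:WorkContext></soapenv:Header>"
        "<soapenv:Body/></soapenv:Envelope>"
    )


# Constructed sample requests (not captured traffic).
BENIGN = _envelope(
    '<java version="1.6.0" class="java.beans.XMLDecoder"><string>tenant-42</string></java>'
)
DENIED = _envelope('<java><object class="com.example.AnyClass"/></java>')
BYPASS = _envelope('<java><void class="com.example.AnyClass"/></java>')
NO_CONTEXT = f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body/></soapenv:Envelope>'

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("denied", DENIED), ("bypass", BYPASS), ("none", NO_CONTEXT)):
        print(name, classify(req))
```

The second and third samples both name an arbitrary class to instantiate; only the element wrapping it differs. The denylist, keyed on a single element name, accepts the third one, while the allow-list rejects anything that is not one of the few plain value elements, which is why an allow-list on the decoder grammar holds up when a denylist has to be extended after every new bypass.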