
DETECTION OVERVIEW

Oracle WebLogic Deserialization Exploit Attempt - [Multiple CVEs]

Risk Factors

An unauthorized attacker can exploit an unpatched version of an Oracle WebLogic application server and run arbitrary commands. An attacker could also gain complete control of a device, providing an entry point for further attacks on your network.

Kill Chain

Exploitation

Risk Score

83

Detection diagram

Attack Background

Oracle WebLogic is a Java application server. An attacker with network access or control of a malicious application server can run arbitrary commands remotely through an Oracle WebLogic Server without user credentials. First, the attacker serializes an arbitrary command or malicious payload and embeds it in a SOAP message. Then the attacker encapsulates the SOAP message in an HTTP POST request and sends the request to the WebLogic Server. Depending on the objective, the attacker can establish a shell session, install cryptocurrency mining software, or install ransomware.

Mitigation Options

Install relevant patches for the affected software versions

Restrict access to /_async/* and /wls-wsat/* paths if you cannot install the patch

Delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service
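To go with the path-restriction advice above, here is a small defender-side check, added here and not part of the original overview or of any ExtraHop product: it scans web-server access log lines (in the common "combined" format) for requests to the /_async/ and /wls-wsat/ endpoints, rates POSTs to them as the higher-severity case described in the attack background, and notes whether the server actually served the request or rejected it (a 403 or 404 is what you expect once the paths are restricted or the WAR files are removed). The log lines, IP addresses and endpoint names after the path prefixes are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Paths from the mitigation guidance. Once they are restricted or the WAR
# files are deleted, legitimate traffic to them should be close to zero.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# Apache/nginx "combined"-style access log line. Only the fields needed
# for this check are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4523',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1187',
    '192.0.2.14 - - [10/Oct/2023:13:56:02 +0000] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 2210',
    '192.0.2.14 - - [10/Oct/2023:13:56:10 +0000] "POST /myapp/api/orders HTTP/1.1" 201 87',
    'this line is not a valid access log record',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the captured fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_watched_path(path: str) -> bool:
    """True if the request path (query string ignored, case-insensitive) is under a watched prefix."""
    bare = path.split("?", 1)[0].lower()
    return any(bare.startswith(prefix) for prefix in WATCHED_PREFIXES)


def flag_weblogic_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request that touched a watched WebLogic path.

    severity is "high" for POSTs (the method used to deliver the SOAP
    payload described above) and "low" for any other method, e.g. WSDL
    retrieval, which is worth noting but is not the exploit itself.
    blocked is True when the server rejected the request with 403 or 404,
    which is the expected outcome after the mitigations are applied.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched_path(rec["path"]):
            continue
        status = int(rec["status"])
        findings.append({
            "client": rec["client"],
            "time": rec["time"],
            "method": rec["method"],
            "path": rec["path"],
            "status": status,
            "severity": "high" if rec["method"] == "POST" else "low",
            "blocked": status in (403, 404),
        })
    return findings


def summarize_by_client(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count high-severity findings per source address, for triage ordering."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["severity"] == "high":
            counts[str(f["client"])] = counts.get(str(f["client"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in flag_weblogic_requests(SAMPLE_LOG):
        print(f"{f['severity']:>4} {f['client']:<15} {f['method']:<4} {f['path']} "
              f"-> {f['status']} {'blocked' if f['blocked'] else 'served'}")
    print("high-severity by client:", summarize_by_client(flag_weblogic_requests(SAMPLE_LOG)))
```

Run it against your own access logs by replacing SAMPLE_LOG with the lines read from the file. Findings with blocked set to False after the patch or path restriction has been rolled out mean the request reached WebLogic and deserve a closer look at what the server did next; a burst of low-severity WSDL fetches from one address before a high-severity POST is the pattern of probing followed by an attempt.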

MITRE ATT&CK ID
