April 26, 2019

April 26, 2019 | Phil Etherton | Director, Security Services

Last night, we alerted customers regarding a Zero-Day vulnerability. This blog post discusses the vulnerability, shares our solution, and highlights our process and philosophy towards these types of critical vulnerabilities and exposures (CVEs). 

The Remote Code Vulnerability CNVD-C-2019-48814 

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation. It is used by numerous applications and on the web. On April 24, Security Affairs reported a dangerous zero-day remote code vulnerability [https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.htmlthat affects the Oracle WebLogic service platform 

“This zero-day flaw affects all Weblogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled. 

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology. The flaw received the identifier CNVD-C-2019-48814. 

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.” 

This zero-day flaw affects all Weblogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled. Eliminating the Issue Prior to Patch Release 

Oracle and SAP patches and updates can arrive belatedly, even with potentially dangerous vulnerabilities, resulting in an undesirable window of opportunity for attackers to take advantage of the now reported CVE.  

The compensating solution for our customers, as advised by experts, is to either: 

  1. Disable vulnerable modules “wls9_async_response.war” and “wls-wsat.war”, or 
  2. Inhibit access to URLs “/ _async / * “and” / wls-wsat / * “within Oracle WebLogic installs.” 

We advise customers to please take caution and make the changes to lower environments and test to ensure no impacts to production.  

Spinnaker Support’s Security Solution and Philosophy 

The solution listed above and our proactive process for alerting customers exemplifies our commitment to their security needs. In accordance with our Seven-Point Security Solution, we actively monitor security activity and determine whether customers should be alerted via a periodic CVE bulletin or a case-by-case alert and solution. 

Spinnaker Support always prioritizes the security needs of our customers, providing coverage through our established processes, security software products, and global team of security experts. At any time, if you are concerned about a specific CVE or threat, we encourage you to open a support ticket, to which we respond in 15 minutes or less.  

Learn more about our security and vulnerability services, philosophy and solution, and see why 98% of customers who are concerned with application and database protection report improved or unchanged security risk when switching to Spinnaker Support.