High
CVE-2019-2725
CVE-2019-2725
Description
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Add Assessment
Technical Analysis
CVE-2019-2725 (aka CNVD-C 2019-48814) exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component. The exploit provides an unauthenticated attacker with remote arbitrary command execution.
According to the vendor, Oracle WebLogic Server v10.3.6.0 and 12.1.3.0 are affected.
In addition to a public proof-of-concept, a Metasploit module has been published to allow for exploitation of Windows, Linux, and Unix hosts. It has been successfully tested on v10.3.6.0, and exploitation failed against 12.2.1.2.
CVSS V3 Severity and Metrics
General Information
Vendors
- oracle
Products
- agile plm 9.3.3,
- agile plm 9.3.4,
- agile plm 9.3.5,
- communications converged application server 5.1,
- communications converged application server 7.0,
- communications converged application server 7.1,
- peoplesoft enterprise peopletools 8.56,
- peoplesoft enterprise peopletools 8.57,
- peoplesoft enterprise peopletools 8.58,
- storagetek tape analytics sw tool 2.3,
- tape library acsls 8.5,
- tape virtual storage manager gui 6.2,
- vm virtualbox,
- vm virtualbox 5.2.36,
- weblogic server 10.3.6.0.0,
- weblogic server 12.1.3.0.0
Metasploit Modules
Exploited in the Wild
References
Miscellaneous
