Oracle WebLogic zero-day discovered in the wild

Several applications running Oracle WebLogic were flagged by Nessus as running a version affected by the deserialization flaw later tracked as CVE-2019-2725, which is being exploited in the wild.

Impacted Versions: WebLogic Server 10.3.6.0.0 and WebLogic Server 12.1.3.0.0

Resolution / Workaround:
Oracle is working on a fix; until it is released, apply the workaround below.

To prevent attacks, KnownSec 404 recommends that affected organizations either remove the vulnerable components and restart their WebLogic servers, or put firewall (or WebLogic access-control) rules in place that block requests to the two URL paths used by the attacks, /_async/* and /wls-wsat/*. Note that removing the components disables the async web-service response and WS-AtomicTransaction endpoints they provide, so confirm no deployed application depends on them before choosing that option.

Remove the two WAR modules below from the installation (paths are relative to the Middleware home, bea-wl1213 in this installation), clear each server's <DOMAIN_HOME>/servers/<server>/tmp directory so no exploded copy of the modules is reused, and bounce the JVMs.

bea-wl1213/oracle_common/modules/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war
bea-wl1213/oracle_common/modules/com.oracle.webservices.wls.wsat-endpoints-impl_12.1.3.war
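The workaround above, scripted as an added example (this is not KnownSec 404's or Oracle's code, and it is not from the original note). It assumes the two module paths listed above relative to an ORACLE_HOME argument, the standard DOMAIN_HOME/servers/<name>/tmp layout, and an Apache-style HTTP access log for the last function; the WARs are moved aside rather than deleted so the change can be reverted after patching. The log-scan function also checks for the two attack paths so the firewall rule can be validated or earlier probing found; the sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example: stage the CVE-2019-2725 workaround on a WebLogic 12.1.3 host.
# ORACLE_HOME (e.g. /u01/bea-wl1213) and DOMAIN_HOME are assumed arguments.
set -eu

ASYNC_WAR="oracle_common/modules/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war"
WSAT_WAR="oracle_common/modules/com.oracle.webservices.wls.wsat-endpoints-impl_12.1.3.war"

# remove_vulnerable_wars ORACLE_HOME BACKUP_DIR
# Moves (does not delete) the two WARs into BACKUP_DIR so they can be
# restored once the overlay patch is applied. Prints the number moved.
remove_vulnerable_wars() {
  oracle_home="$1"; backup_dir="$2"; moved=0
  mkdir -p "$backup_dir"
  for war in "$ASYNC_WAR" "$WSAT_WAR"; do
    if [ -f "$oracle_home/$war" ]; then
      mv "$oracle_home/$war" "$backup_dir/$(basename "$war")"
      moved=$((moved + 1))
    fi
  done
  echo "$moved"
}

# clean_server_tmp DOMAIN_HOME
# Empties servers/<name>/tmp for the admin server and every managed server so
# the exploded copies of the removed WARs are not reused on restart.
# Run only while the servers are down. Prints the number of tmp dirs cleaned.
clean_server_tmp() {
  domain_home="$1"; cleaned=0
  for tmp in "$domain_home"/servers/*/tmp; do
    [ -d "$tmp" ] || continue
    rm -rf "$tmp"/*          # keep the tmp directory itself
    cleaned=$((cleaned + 1))
  done
  echo "$cleaned"
}

# count_exploit_paths ACCESS_LOG
# Counts requests whose path starts with /_async/ or /wls-wsat/ in an
# Apache/NCSA-style access log (request line in double quotes). A non-zero
# count after the firewall rule is in place means the rule is not effective.
count_exploit_paths() {
  grep -c -E '"[A-Z]+ /(_async|wls-wsat)/' "$1" || true
}

# Stand-alone usage: ./workaround.sh ORACLE_HOME DOMAIN_HOME BACKUP_DIR
if [ "$#" -eq 3 ]; then
  echo "WARs moved:      $(remove_vulnerable_wars "$1" "$3")"
  echo "tmp dirs cleaned: $(clean_server_tmp "$2")"
  echo "Restart the JVMs now, then verify /_async/ and /wls-wsat/ return 404."
fi
```

After the restart, a request to /_async/ or /wls-wsat/ on the server should return 404; if it still answers, the server picked up a cached copy and the tmp directory for that server was not cleared.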

Update: Oracle has released the patches (Security Alert for CVE-2019-2725). The overlay patch is specific to the PSU level it is built on, so apply the matching PSU first, then the overlay, then bounce the JVMs.

10.3.6.0

Jan 2019 PSU 10.3.6.0.190115 (Patch 28710912) + Overlay Patch 29694149 on 10.3.6.0.190115 for CVE-2019-2725

Apr 2019 PSU 10.3.6.0.190416 (Patch 29204678) + Overlay Patch 29694149 on 10.3.6.0.190416 for CVE-2019-2725

12.1.3.0

Jan 2019 PSU 12.1.3.0.190115 (Patch 28710923) + Overlay Patch 29694149 on 12.1.3.0.190115 for CVE-2019-2725

Apr 2019 PSU 12.1.3.0.190416 (Patch 29204657) + Overlay Patch 29694149 on 12.1.3.0.190416 for CVE-2019-2725
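To confirm that a host actually carries one of the PSU + overlay combinations listed above, here is an added example (not from the original note and not Oracle tooling) that checks saved OPatch inventory output. It assumes the inventory was captured with `$ORACLE_HOME/OPatch/opatch lsinventory > lsinv.txt` and that applied patches appear on lines of the form `Patch  <id>     : applied on ...` followed by a `Patch description:` line; the sample inventory in the test is constructed in that assumed format. The patch numbers come from the table above.

```shell
#!/bin/sh
# Added example: decide whether CVE-2019-2725 is patched from opatch lsinventory output.
set -eu

OVERLAY_PATCH=29694149
# PSU patch IDs from the advisory table, one per accepted baseline.
ACCEPTED_PSUS="28710912 29204678 28710923 29204657"

# has_patch LSINV_FILE PATCH_ID -> exit 0 if the patch is listed as applied.
# Assumed line format: "Patch  29694149     : applied on ..."
has_patch() {
  grep -E -q "^Patch[[:space:]]+$2[[:space:]]*:[[:space:]]*applied" "$1"
}

# applied_psu LSINV_FILE -> prints the first accepted PSU patch ID found, or "none".
applied_psu() {
  for psu in $ACCEPTED_PSUS; do
    if has_patch "$1" "$psu"; then echo "$psu"; return 0; fi
  done
  echo "none"
}

# cve_2019_2725_status LSINV_FILE -> prints "patched" only when a listed PSU
# and the overlay are both present; otherwise says which piece is missing.
cve_2019_2725_status() {
  psu=$(applied_psu "$1")
  if [ "$psu" = "none" ]; then
    echo "unpatched: no accepted PSU (need one of: $ACCEPTED_PSUS)"
  elif ! has_patch "$1" "$OVERLAY_PATCH"; then
    echo "unpatched: PSU $psu present but overlay $OVERLAY_PATCH missing"
  else
    echo "patched"
  fi
}

# Stand-alone usage: ./check_2725.sh lsinv.txt
[ "$#" -eq 1 ] && cve_2019_2725_status "$1"
```

Hosts reporting "unpatched" with only the PSU present are the ones most likely to be missed in a hurried rollout: the April PSU on its own does not address CVE-2019-2725; the overlay is required on top of it.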