June 30, 2020
Deserialization vulnerabilities are still among the most frequently exploited classes of web vulnerability, and the security of mainstream frameworks deserves special attention.
This section describes web vulnerabilities that had an extensive impact in 2019:
In 2017, Oracle released an official patch for the XMLDecoder deserialization vulnerability in WebLogic Server (CVE-2017-10352). That patch was bypassed twice in 2019, by exploits for CVE-2019-2725 and CVE-2019-2729, which set off new rounds of attacks against WebLogic. Both vulnerabilities reside in components shipped with WebLogic and can be exploited without authentication: an attacker sends a single HTTP request whose body is a carefully crafted SOAP message, and the embedded XML is handed to XMLDecoder, which instantiates whatever classes the document names. Because exploitation is this simple, the two vulnerabilities were quickly adopted by hacking groups.
According to statistics, after Oracle released the security patch in April 2019, a proof of concept (PoC) for CVE-2019-2725 became publicly available, and attacks against WebLogic rose sharply. Researchers then found that this patch could also be circumvented (CVE-2019-2729). The official remediation was therefore insufficient on its own, and attacks peaked in May. The practical consequence for defenders is that installations which applied only the April patch remained exposed until the later patch for CVE-2019-2729 was applied as well; a fix that filters XML tags is only as good as its tag list.
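The pattern behind the two bypasses is that WebLogic's fix filtered particular XML tags, while XMLDecoder's grammar has more than one element that can name a class. The following detector, added here as an example and not code from the original report or from Oracle, shows why a single-tag blacklist fails: it parses a SOAP request, extracts the contents of the `work:WorkContext` header (the element in which these payloads were delivered), and contrasts a naive "object tag only" check with a check against the full XMLDecoder element vocabulary. The sample requests are constructed for illustration and use `java.lang.StringBuilder` as a placeholder class name; they exercise different element names of the grammar and are not working payloads. The tag list and the namespace constants are assumptions of this example, not something taken from the page.

```python
"""Detect java.beans.XMLDecoder documents smuggled in a SOAP WorkContext header.

Added example. The sample requests are constructed for illustration and the
element vocabulary below is the java.beans.XMLDecoder grammar as assumed by
this example, not anything taken from the original report.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"  # assumed WorkContext namespace

# Element names that java.beans.XMLDecoder interprets. A filter that only
# knows <object> misses the rest; <class> and <array> are enough to name a
# class and build an object graph without ever using <object>.
XMLDECODER_TAGS = frozenset({
    "java", "object", "array", "void", "class", "new", "method",
    "property", "field", "var", "string", "null", "boolean", "byte",
    "char", "short", "int", "long", "float", "double",
})


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def work_context_payloads(soap_body):
    """Return the child elements of every work:WorkContext header element."""
    root = ET.fromstring(soap_body)
    contexts = root.findall(f".//{{{WORK_NS}}}WorkContext")
    return [child for ctx in contexts for child in ctx]


def naive_blacklist(soap_body):
    """Single-tag blacklist in the spirit of the bypassed filters: only <object>.

    This is an illustration of the weakness, not a reproduction of the exact
    filter logic in any Oracle patch.
    """
    return any(
        _local(el.tag) == "object"
        for payload in work_context_payloads(soap_body)
        for el in payload.iter()
    )


def xmldecoder_findings(soap_body):
    """List every XMLDecoder grammar element found inside WorkContext."""
    found = []
    for payload in work_context_payloads(soap_body):
        for el in payload.iter():
            if _local(el.tag) in XMLDECODER_TAGS:
                found.append(_local(el.tag))
    return found


def is_suspicious(soap_body):
    """An unauthenticated client has no reason to ship XMLDecoder input at all."""
    return bool(xmldecoder_findings(soap_body))


def _envelope(header_inner):
    """Wrap a header fragment in a SOAP envelope with a WorkContext header."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">'
        f'<soapenv:Header><work:WorkContext xmlns:work="{WORK_NS}">'
        f'{header_inner}</work:WorkContext></soapenv:Header>'
        '<soapenv:Body/></soapenv:Envelope>'
    )


# Constructed sample requests (placeholder class, not working payloads).
SAMPLES = {
    "benign_no_header": (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Header/>'
        '<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>'
    ),
    "object_tag": _envelope(
        '<java version="1.8" class="java.beans.XMLDecoder">'
        '<object class="java.lang.StringBuilder"><string>x</string></object></java>'
    ),
    "class_tag": _envelope(
        '<java><class><string>java.lang.StringBuilder</string>'
        '<void><string>x</string></void></class></java>'
    ),
    "array_tag": _envelope(
        '<java><array method="forName"><string>java.lang.StringBuilder</string>'
        '</array></java>'
    ),
}


def scan(samples=SAMPLES):
    """Compare both checks over every sample; returns name -> (naive, full)."""
    return {name: (naive_blacklist(body), is_suspicious(body))
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, (naive, full) in scan().items():
        print(f"{name:18s} naive_blacklist={naive!s:5s} full_check={full}")
```

Running the block shows the naive check firing only on the `<object>` variant while the vocabulary check flags all three XMLDecoder documents; the benign request with no WorkContext header passes both. For a real deployment the stronger fix is to not expose the affected endpoints to untrusted clients at all, since any tag-level filter is racing the grammar.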