A Vulnerability in Oracle WebLogic Could Allow for Remote Code Execution – 26th April 2019

Preface: On April 17, 2019, the National Information Security Vulnerability Sharing Platform (CNVD) recorded the Oracle WebLogic wls9-async deserialization remote command execution vulnerability reported by China Minsheng Banking Co., Ltd.

Synopsis: There are reports of this vulnerability being actively exploited in the wild in April 2019.

Vulnerability details:
CVE-2019-2725 – A vulnerability has been discovered in the Oracle WebLogic components (WLS9_ASYNC and WLS-WSAT) that could allow for remote code execution. However, this vulnerability does not appear to be a zero-day: a similar vulnerability was found in 2017.
Perhaps the attached diagram can provide some hints.

Non-official remedy:
Option 1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.

Option 2: Restrict access to the /_async/* and /wls-wsat/* URL paths through access policy control.
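Whichever option is applied, it is worth checking web-server or reverse-proxy access logs for requests that reached those two paths before the restriction was in place. The following Python scanner is an added example, not code from the original post or from Oracle: it parses combined-format access log lines, canonicalises the request path (percent-decoding and collapsing `..` and `//`, so a prefix check is not sidestepped by trivial path variations) and reports every request under /_async/ or /wls-wsat/. The log lines, IP addresses and sub-path names such as `example-service` are constructed for illustration and are not real WebLogic endpoints.

```python
"""Flag requests to the WebLogic paths named in the advisory in access logs.

Added example (not from the original post). Log lines below are constructed;
the path prefixes come from the advisory's Option 2.
"""
import posixpath
import re
from urllib.parse import unquote

# Path prefixes the advisory recommends restricting (Option 2).
RESTRICTED_PREFIXES = ("/_async/", "/wls-wsat/")

# Apache/nginx combined log format:
# host ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def canonical_path(target: str) -> str:
    """Return the request path in a canonical form for prefix matching.

    Strips the query string, percent-decodes, collapses '.' / '..' / '//'
    and guarantees a trailing slash so that "/_async" and "/_async/" compare
    alike while "/_async-docs/" does not match the "/_async/" prefix.
    """
    path = target.split("?", 1)[0]          # drop query string
    path = unquote(path)                    # e.g. %5f -> _
    norm = posixpath.normpath(path)         # e.g. /foo/..//_async/x -> /_async/x
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm if norm.endswith("/") else norm + "/"


def is_restricted(target: str) -> bool:
    """True if the request target falls under one of the restricted prefixes."""
    return canonical_path(target).startswith(RESTRICTED_PREFIXES)


def scan_access_log(lines):
    """Return (host, method, original target, status) for each request that
    reached a restricted path. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_restricted(m.group("target")):
            hits.append((m.group("host"), m.group("method"),
                         m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic; sub-paths are hypothetical).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2019:10:01:02 +0000] "POST /_async/example-service HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2019:10:01:05 +0000] "POST /wls-wsat/example-port HTTP/1.1" 500 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2019:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2019:10:02:30 +0000] "POST /%5fasync/example-service HTTP/1.1" 202 0 "-" "curl/7.64"',
    '203.0.113.9 - - [26/Apr/2019:10:03:00 +0000] "POST /foo/..//_async/example-service HTTP/1.1" 202 0 "-" "python-requests/2.21"',
    '198.51.100.7 - - [26/Apr/2019:10:04:00 +0000] "GET /_async-docs/readme.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    "this line is not in combined log format and is skipped",
]

if __name__ == "__main__":
    for host, method, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{host:15} {method:5} {status} {target}")
```

Run it against a real log with `scan_access_log(open("access.log"))`. Requests that returned 202 or 500 to these paths are the ones to triage first; a 4xx from the reverse proxy after Option 2 is applied shows the restriction working. The canonicalisation step matters for the access-policy control itself as well: a prefix rule evaluated on the raw, undecoded path is weaker than one evaluated on the normalised path.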

Official announcement: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html