Exploiting CVE-2019-2729 WebLogic Deserialization Vulnerability

By |Published On: April 17th, 2020|Tags: |

CVE-2019-2729 is a Java deserialization vulnerability in Oracle WebLogic versions,, and Serialized Java objects are accepted anonymously via an HTTP service and deserialized. Remote code execution is possible without authentication.

This exploit was tested against WebLogic

A typical vulnerable server will have HTTP services listening on one or more TCP ports which have a web application at /wls-wsat/.

Generate a payload with ysoserial

First, get ysoserial and use it to generate a simple RCE payload.

Copy to Clipboard

Here, we generate a payload using ysoserial, which will do a DNS lookup that we’ll be able to monitor. The payload file contains a serialized Java LinkedHashSet object which will run this command.

Note that the ysoserial payload generator used here, named Jdk7u21, only works under JRE version 7u21 and earlier, however that seems to be standard with WebLogic You might have to use a different payload for newer versions of WebLogic. The advantage to Jdk7u21 is the lack of any dependencies in the server’s classpath.

Transform the payload into SOAP

Now, we need to massage this blob into a SOAP HTTP request body. The affected web services accept SOAP requests containing Java objects encoded in Java’s XMLEncoder format. An example request showing the format:

Copy to Clipboard

The payload generated above needs to be stuffed into a byte[] array by the server. The following python script will generate the required request body and write it to a file named payload_encoded.

Copy to Clipboard

Transmit the Payload

Next, send the generated request body to the affected service via a POST request to /wls-wsat/CoordinatorPortType. The entire resulting HTTP request should look just like the example above but much longer.

The server will return a 500 response, however you should see your DNS lookup and now have remote command execution.


Hopefully this blog post helps you understand CVE-2019-2729 and how it’s being exploited. Being aware of this and similar vulnerabilities will help you better defend your environment against them.

Share with your network!
Get monthly updates from Hurricane Labs
* indicates required

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.