Oracle: Unpatched Versions of WebLogic App Server Under Active Attack

oracle flaw patch

CVE-2020-2883 was patched in Oracle’s April 2020 Critical Patch Update – but proof of concept exploit code was published shortly after.

Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month.

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The server has a remote code execution flaw, CVE-2020-2883, that can be exploited by unauthenticated attackers to take over unpatched systems.

Eric Maurice, director of security assurance, said in a post last week that the flaw was addressed in Oracle’s April 2020 Critical Patch Update, which fixed 405 flaws, including 286 that were remotely exploitable across nearly two dozen product lines.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” according to Oracle’s security update. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

Shortly before Oracle’s warning of the active exploits, proof of concept exploit code was also published by a researcher (under the alias “hktalent”) on GitHub for the flaw last week.

According to Trend Micro’s Zero Day Initiative, the flaw ranks 9.8 out of 10 on the CVSSv3 scale, making it critical severity. Two variants of the flaw were reported. The first variant of the flaw exists within the handling of the T3 protocol, which is used to transport information between WebLogic servers and other types of Java programs. According to ZDI, crafted data in a T3 protocol message can trigger the deserialization of untrusted data – allowing an attacker to execute code in the context of the current process.

The second variant of the flaw exists within the Oracle Coherence library, Oracle’s in-memory data grid and distributed caching solution.

“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,” according to ZDI. “An attacker can leverage this vulnerability to execute code in the context of the service account.”

Affected versions of WebLogic Server include versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.

Oracle did not disclose further details about how many were targeted or the attackers behind the hacks.

Oracle WebLogic servers continue to be hard hit with exploits. In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the “Sodinokibi” ransomware. In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles