If an organization hasn’t updated their Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: “Assume it has been compromised.”
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The console component of the WebLogic Server has a flaw, CVE-2020-14882, which ranks 9.8 out of 10 on the CVSS scale. According to Oracle, the attack is “low” in complexity, requires no privileges and no user interaction and can be exploited by attackers with network access via HTTP.
The flaw was fixed by Oracle in the massive October release of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0.
The October update was released Oct. 21. Fast forward to this week, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said on Thursday that based on honeypot observations, cybercriminals are now actively targeting the flaw.
“At this point, we are seeing the scans slow down a bit,” said Ullrich in a Thursday post. “But they have reached ‘saturation’ meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”
Ullrich said, the exploits appear to be based on a Wednesday blog post published (in Vietnamese) by “Jang,” who described how to leverage the flaw to achieve remote code execution via only one GET request. Below is a proof of concept (POC) video.
Ullrich said, exploit attempts on the honeypots so far originate from four IP addresses: 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52.
Ullrich and others are urging Oracle WebLogic Server users to update their systems as soon as possible. Users can find a patch availability document for WebLogic and other vulnerable Oracle products, available here.
One for detection peeps. This Oracle WebLogic bug will get abused, pre-auth RCE via a POST request. https://t.co/y6huXWUuS0
— Kevin Beaumont (@GossiTheDog) October 28, 2020
Oracle WebLogic servers continue to be hard hit with exploits. In May 2020, Oracle urged customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month. In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the “Sodinokibi” ransomware. In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinaron healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.