Following a botched patch Oracle published earlier this month on Java Deserialization vulnerability in its WebLogic server, aggressive scanning attempts were observed across the internet for enumerating machines running Oracle WebLogic servers.
There was a large spike in devices scanning the Internet for TCP port 7001 beginning last week. This activity corresponds directly with the disclosure and weaponization of Oracle WebLogic CVE-2018-2628
The bug in question, CVE-2018-2628, a critical vulnerability in the WLS core component of WebLogic, a Java EE application server, was known to be fixed in April 2018 CPU (Critical Patch Update).
Over the weekend, @pyn3rd (Twitter bio claims to be “Security researcher at Alibaba Cloud), tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC).
— pyn3rd (@pyn3rd) April 28, 2018
How could this be? From @pyn3rd again:
there is the difference, just use <java.rmi.activation.Activator> replace <java.rmi.registry.Registry> pic.twitter.com/xeH0Ck86G3
— pyn3rd (@pyn3rd) April 29, 2018
According to InfoSec Pro Kevin Beaumont, this is because Oracle didn’t fix the WebLogic issue at its core, but just blacklisted the commands used for the exploitation chain. In this case, they have missed one or more commands.
Till date, the attempts were only for enumerating the volume of WebLogic servers across the web, but an active exploit could allow a remote attacker to completely take over the affected WebLogic Server.
- WebLogic Server 10.3.6.0.0
- WebLogic Server 184.108.40.206.0
- WebLogic Server 220.127.116.11.0
- WebLogic Server 18.104.22.168.0
Oracle have-not commented on as in when there will be an updated patch to address this issue. However, users are advised to download and install the patch update to the latest as soon as possible. Also, monitor the incoming traffic on TCP port 7001 for the likelihoods.