Oracle WebLogic Fix can be Bypassed… Hackers to Enumerate upon the Botched Patch

Oracle WebLogic 5/5 (2)

Following a botched patch Oracle published earlier this month on Java Deserialization vulnerability in its WebLogic server, aggressive scanning attempts were observed across the internet for enumerating machines running Oracle WebLogic servers.

There was a large spike in devices scanning the Internet for TCP port 7001 beginning last week. This activity corresponds directly with the disclosure and weaponization of Oracle WebLogic CVE-2018-2628

The bug in question, CVE-2018-2628, a critical vulnerability in the WLS core component of WebLogic, a Java EE application server, was known to be fixed in April 2018 CPU (Critical Patch Update).

Over the weekend, @pyn3rd (Twitter bio claims to be “Security researcher at Alibaba Cloud), tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC).

#CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately, the Critical Patch Update of 2018.4 can be bypassed easily.

— pyn3rd (@pyn3rd) April 28, 2018

How could this be? From @pyn3rd again:

there is the difference, just use <java.rmi.activation.Activator> replace <java.rmi.registry.Registry>

— pyn3rd (@pyn3rd) April 29, 2018

According to InfoSec Pro Kevin Beaumont, this is because Oracle didn’t fix the WebLogic issue at its core, but just blacklisted the commands used for the exploitation chain. In this case, they have missed one or more commands.

Till date, the attempts were only for enumerating the volume of WebLogic servers across the web, but an active exploit could allow a remote attacker to completely take over the affected WebLogic Server.

Affected Versions

  • WebLogic Server
  • WebLogic Server
  • WebLogic Server
  • WebLogic Server

Official Fix:

Oracle have-not commented on as in when there will be an updated patch to address this issue. However, users are advised to download and install the patch update to the latest as soon as possible. Also, monitor the incoming traffic on TCP port 7001 for the likelihoods.

Read more on:  Warning! Multiple Severe Vulnerabilities Discovered in PHP


Please rate this content