Umm, Oracle – about that patch? It might not be very sticky ...
Security researcher says WebLogic fix can be bypassed, posts proof-of-concept
Earlier this month, Oracle patched a critical vulnerability in its WebLogic server – but someone identifying himself as an Alibaba security researcher reckons Big Red botched the patch.
The bug in question was fixed in Oracle's 254-strong quarterly patch-fest that was headlined by Java and Spectre fixes.
Tucked way down on the list was CVE-2018-2628, an “easily exploitable” programming blunder that allows complete remote takeover of WebLogic servers.
Over the weekend, @pyn3rd (whose Twitter bio says simply “Security researcher at @alibaba_cloud”) tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC) GIF.
#CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 can be bypassed easily. pic.twitter.com/Vji19uv4zj
— pyn3rd (@pyn3rd) April 28, 2018
How could this be? From @pyn3rd again:
There is the difference: just use <java.rmi.activation.Activator> to replace <java.rmi.registry.Registry> pic.twitter.com/xeH0Ck86G3
— pyn3rd (@pyn3rd) April 29, 2018
Brit IT security pro Kevin Beaumont elucidated further: “It looks like Oracle isn’t even fixing the issues here, they’re just blacklisting commands. In this case they missed the very next command.”
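To see why a class-name blacklist is so brittle, here is an added illustration written for this article; it is not Oracle's patch, not WebLogic's filter and not @pyn3rd's PoC. It uses the JDK's own java.io.ObjectInputFilter (Java 9 to 16; the java.rmi.activation package was removed in JDK 17) and serialises two dynamic proxies backed by an inert, harmless invocation handler, one declaring the interface the patch blocks (java.rmi.registry.Registry) and one declaring the interface the bypass swaps in (java.rmi.activation.Activator). The class names, the handler and the filter strings are the example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/** Denylist versus allowlist deserialization filters (illustration, not WebLogic code). */
public class ProxyFilterDemo {

    /** Inert stand-in for whatever handler a real payload would carry: it does nothing. */
    static final class InertHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            throw new UnsupportedOperationException("inert demo handler");
        }
    }

    /** A legitimate application object the server genuinely needs to accept. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        int count = 1;
    }

    /** Serialise a dynamic proxy that declares the given remote interface. */
    static byte[] serializeProxy(Class<?> iface) throws Exception {
        Object proxy = Proxy.newProxyInstance(
                ProxyFilterDemo.class.getClassLoader(),
                new Class<?>[] { iface }, new InertHandler());
        return serialize(proxy);
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialise under a filter and report whether the stream was accepted. */
    static String deserializeUnder(ObjectInputFilter filter, byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);   // JDK 9+ filters proxy interfaces too
            ois.readObject();
            return "ACCEPTED";
        } catch (InvalidClassException e) {
            return "REJECTED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] registryProxy  = serializeProxy(java.rmi.registry.Registry.class);
        byte[] activatorProxy = serializeProxy(java.rmi.activation.Activator.class);
        byte[] greeting       = serialize(new Greeting());

        // Denylist: forbids exactly one interface name and nothing else.
        ObjectInputFilter denylist = ObjectInputFilter.Config.createFilter(
                "!java.rmi.registry.Registry");

        // Allowlist: only this application's own classes may be deserialised;
        // the trailing "!*" rejects every other class, proxy interfaces included.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "ProxyFilterDemo$*;!*");

        System.out.println("denylist  / Registry  proxy: " + deserializeUnder(denylist, registryProxy));
        System.out.println("denylist  / Activator proxy: " + deserializeUnder(denylist, activatorProxy));
        System.out.println("denylist  / Greeting       : " + deserializeUnder(denylist, greeting));
        System.out.println("allowlist / Registry  proxy: " + deserializeUnder(allowlist, registryProxy));
        System.out.println("allowlist / Activator proxy: " + deserializeUnder(allowlist, activatorProxy));
        System.out.println("allowlist / Greeting       : " + deserializeUnder(allowlist, greeting));
    }
}
```

Compile and run with `javac ProxyFilterDemo.java && java ProxyFilterDemo` on JDK 9 to 16. The denylist rejects the Registry proxy and lets the Activator proxy straight through, which is the shape of the bypass the tweet describes; the allowlist rejects both proxies while still accepting the application's own Greeting object, because it decides by what the server expects rather than by which gadget the last researcher happened to use.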
The Register has asked Oracle whether it plans to address the issue. The company declined to comment. ®