If you haven't patched WebLogic server console flaws in the last eight days 'assume it has been compromised'
Stark warning from SANS' Johannes Ullrich - RCE's gonna GET 'ya
Last week Oracle released one of its mammoth quarterly patch dumps - with 402 fixes. Well, it turns out that if you missed one and you're running WebLogic 10.3.6.0.0, 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0 and 188.8.131.52.0, you've probably already been tagged by hackers.
On Thursday Johannes Ullrich, Dean of Research at the SANS Technology Institute, spotted a massive spike in traffic on research "honeypot" systems as somebody tried to identify public-facing WebLogic servers that weren't patched against CVE-2020-14882. The flaw, with a CVSS score of 9.8, is an "easily exploitable vulnerability" in the application's console that can be targeted over HTTP without user interaction to execute code remotely.
"At this point, we are seeing the scans slow down a bit," he explained. "But they have reached 'saturation,' meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised."
Ullrich said that the exploit code being used against the Java EE application server appears to be based on information published on Wednesday by someone identified as Nguyen Jang. The post, in Vietnamese, described how to gain full access to an unpatched WebLogic server with a single GET request and included a video.
All of the exploit attempts originate from four IP addresses, Ullrich said:
- 184.108.40.206: China Unicom (China)
- 220.127.116.11: Linode (USA)
- 18.104.22.168: MivoCloud (Moldova)
- 22.214.171.124: DataCamp Ltd (Hong Kong)
"These exploit attempts are right now just verifying if the system is vulnerable," he said. "Our honeypots (up to now) do not return the 'correct' response, and we have not seen follow-up requests yet."
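A defender-side triage script, added here and not part of the original article or Ullrich's post: it walks web-server access logs in Common Log Format (an assumption; WebLogic's access log layout is configurable) and lists external addresses that sent GET requests to the administration console path, noting whether the console actually answered them. The log lines are constructed samples, and the internal address ranges are an assumption to adjust for your network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (not real traffic from the article).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2020:10:01:12 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3112
198.51.100.7 - - [29/Oct/2020:10:01:13 +0000] "GET /console/ HTTP/1.1" 302 0
10.0.0.5 - - [29/Oct/2020:10:02:40 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3112
203.0.113.9 - - [29/Oct/2020:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [29/Oct/2020:10:03:05 +0000] "GET /console/css/login.css HTTP/1.1" 404 0
"""

# client - user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Address ranges treated as internal (assumption; adjust to your environment).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def console_probes(log_text):
    """Return {source_ip: {"hits": n, "served": bool}} for external clients that
    sent GET requests to the WebLogic admin console path. "served" is True when
    the server answered 2xx/3xx, i.e. the console is reachable from that address."""
    findings = defaultdict(lambda: {"hits": 0, "served": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if not (m["path"] == "/console" or m["path"].startswith("/console/")):
            continue
        if is_internal(m["ip"]):
            continue
        rec = findings[m["ip"]]
        rec["hits"] += 1
        if m["status"][0] in "23":
            rec["served"] = True
    return dict(findings)

def exposed_console_sources(log_text):
    """External addresses that reached the console and received a success or redirect."""
    return sorted(ip for ip, r in console_probes(log_text).items() if r["served"])

if __name__ == "__main__":
    for ip, rec in sorted(console_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['hits']} console request(s), console served: {rec['served']}")
```

Any address listed by exposed_console_sources means the console is reachable from the internet, which is the exposure Ullrich's "assume it has been compromised" advice is about; the 404 case shows a probe that the server did not serve.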
It's possible that this was a simple scan to estimate the total number of vulnerable machines; investigations are ongoing. In the meantime, patch and check all vulnerable machines and get to work on the other 401 fixes - who knows which one is next? ®