
If you haven't patched WebLogic server console flaws in the last eight days 'assume it has been compromised'

Stark warning from SANS' Johannes Ullrich - RCE's gonna GET 'ya


Last week Oracle released one of its mammoth quarterly patch dumps - with 402 fixes. Well, it turns out that if you missed one of them and you're running WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0, you've probably already been tagged by hackers.

On Thursday Johannes Ullrich, Dean of Research at the SANS Technology Institute, spotted a massive spike in traffic on research "honeypot" systems as somebody tried to identify public-facing WebLogic servers that weren't patched against CVE-2020-14882. The flaw, with a CVSS score of 9.8, is an "easily exploitable vulnerability" in the application's console that can be targeted over HTTP without user interaction to execute code remotely.


"At this point, we are seeing the scans slow down a bit," he explained. "But they have reached 'saturation,' meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised."

Ullrich said the exploit code being used against the Java EE application server appears to be based on information published on Wednesday by someone identified as Nguyen Jang. The post, in Vietnamese, described how to get full access to an unpatched WebLogic server with a single GET request and included a video.

All of the exploit attempts originate from four IP addresses, Ullrich said.

"These exploit attempts are right now just verifying if the system is vulnerable," he said. "Our honeypots (up to now) do not return the 'correct' response, and we have not seen follow-up requests yet."

It's possible that this was a simple scan to estimate the total number of vulnerable machines; investigations are ongoing. In the meantime, patch and check all vulnerable machines and get to work on the other 401 fixes - who knows which one is next? ®
