Following a broken patch, researchers noticed a rise in devices scanning servers potentially at risk to an Oracle WebLogic vulnerability.
One of the more than 250 issues addressed in the most recent quarterly Oracle Critical Patch Update on April 18 was an Oracle WebLogic vulnerability (CVE-2018-2628). Multiple users on GitHub released proof of concept (POC) exploit code against this flaw as early as April 19, and soon after, devices were scanning for at-risk servers.
GreyNoise has observed a large spike in devices scanning the Internet for TCP port 7001 beginning last week on 4/16/18. This activity corresponds directly with the disclosure (4/18/2018) and weaponization (4/18/18) of Oracle WebLogic CVE-2018-2628. Ref: https://t.co/3qdeQSF59T
— GreyNoise Intelligence (@GreyNoiseIO)
April 24, 2018
Liao Xinxi — who originally reported the issue to Oracle — described how the Oracle WebLogic vulnerability worked in a blog post and security researchers found the patch was broken and could be easily bypassed. David Tampellini, security researcher and bug hunter based in Italy, combined the work done by Liao with code from GitHub user MrTcsy to weaponize the POC.
Kevin Beaumont, a security architect based in the U.K., said on Twitter that the problem was that the original patch did nothing to fix the Oracle WebLogic vulnerability. Instead, Oracle attempted to mitigate the issue by blacklisting commands used in a potential exploit, but Beaumont said Oracle missed a command.
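The general weakness in a patch that only blocklists known-bad inputs, illustrated with an added example that is not WebLogic's code or anything from the researchers quoted above. Python's `pickle` stands in for the Java deserializer, and the class names `GadgetA`, `GadgetB` and `Order` are made up: a loader that refuses only the names it knows about still instantiates any other class on load, while a loader that accepts only the classes the service expects refuses both.

```python
"""Why a denylist patch fails and an allowlist does not.

Added illustration: Python's pickle stands in for the Java deserializer; none
of this is WebLogic's code and the class names are made up. A loader that only
refuses the class names it knows about still lets any other class run on load;
a loader that accepts only the classes the service expects refuses both.
"""
import io
import pickle

MODULE = __name__          # classes are looked up by (module, name) during load
EVENTS = []                # records every stand-in "gadget" that executed


class GadgetA:
    """Stand-in for the class the first patch knew to block."""
    def __init__(self):
        EVENTS.append("GadgetA")

    def __reduce__(self):
        return (GadgetA, ())   # on load: call GadgetA(), i.e. run __init__


class GadgetB:
    """Stand-in for the class the patch missed."""
    def __init__(self):
        EVENTS.append("GadgetB")

    def __reduce__(self):
        return (GadgetB, ())


class Order:
    """The only object type this hypothetical service legitimately expects."""
    def __init__(self, item, qty):
        self.item, self.qty = item, qty


class DenylistUnpickler(pickle.Unpickler):
    """Refuses only the names on its list (the broken-patch approach)."""
    DENY = {(MODULE, "GadgetA")}

    def find_class(self, module, name):
        if (module, name) in self.DENY:
            raise pickle.UnpicklingError(f"denied {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Accepts only the names the service expects; everything else is refused."""
    ALLOW = {(MODULE, "Order")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOW:
            raise pickle.UnpicklingError(f"not allowed {module}.{name}")
        return super().find_class(module, name)


def make_gadget_blob(cls):
    """Serialize an instance without running __init__, so the side effect
    happens only if the loader actually instantiates the class."""
    return pickle.dumps(object.__new__(cls), protocol=pickle.HIGHEST_PROTOCOL)


def load_with(unpickler_cls, blob):
    """Return 'blocked', 'executed' (a gadget ran) or 'loaded' (harmless object)."""
    before = len(EVENTS)
    try:
        unpickler_cls(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return "blocked"
    return "executed" if len(EVENTS) > before else "loaded"


def compare():
    """Outcome of each serialized blob under each loader."""
    blobs = {
        "GadgetA": make_gadget_blob(GadgetA),
        "GadgetB": make_gadget_blob(GadgetB),
        "Order": pickle.dumps(Order("widget", 2), protocol=pickle.HIGHEST_PROTOCOL),
    }
    return {name: {"denylist": load_with(DenylistUnpickler, b),
                   "allowlist": load_with(AllowlistUnpickler, b)}
            for name, b in blobs.items()}


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:8s} denylist={outcome['denylist']:9s} allowlist={outcome['allowlist']}")
```

Running it shows the denylist loader stopping `GadgetA` but executing `GadgetB`, while the allowlist loader stops both and still loads the expected `Order` object; the allowlist needs no update when a new gadget class turns up.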
Beaumont said the risks could be minimized by blocking inbound traffic on port 7001 to vulnerable servers.
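A defender-side check for the two points above, the scanning spike GreyNoise reported and the advice to block inbound port 7001: an added example, not code from GreyNoise, Beaumont or Oracle. It groups TCP/7001 connection attempts in firewall logs into time windows, flags windows with many distinct sources, and lists the destination hosts whose firewall still accepts that traffic. The log lines are constructed samples in an iptables/syslog-like layout; the field names `SRC`, `DST`, `DPT` and `ACTION` are assumptions rather than a specific product's format.

```python
"""Spot a spike in inbound TCP/7001 (WebLogic T3) connection attempts and
list the hosts that still accept them.

Added example. The log lines below are constructed samples in an
iptables/syslog-like layout; the SRC/DST/DPT/ACTION field names are
assumptions, not a particular firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Apr 24 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.10 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=7001 ACTION=ACCEPT
Apr 24 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.11 DST=192.0.2.5 PROTO=TCP SPT=51001 DPT=7001 ACTION=ACCEPT
Apr 24 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.12 DST=192.0.2.6 PROTO=TCP SPT=51002 DPT=7001 ACTION=DROP
Apr 24 10:00:04 fw kernel: IN=eth0 SRC=198.51.100.13 DST=192.0.2.5 PROTO=TCP SPT=51003 DPT=7001 ACTION=ACCEPT
Apr 24 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.14 DST=192.0.2.5 PROTO=TCP SPT=51004 DPT=443 ACTION=ACCEPT
Apr 24 10:00:06 fw kernel: IN=eth0 SRC=198.51.100.10 DST=192.0.2.6 PROTO=TCP SPT=51005 DPT=7001 ACTION=DROP
Apr 24 10:05:07 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.5 PROTO=TCP SPT=51006 DPT=7001 ACTION=ACCEPT
"""

T3_PORT = "7001"   # WebLogic T3 listener port named in the article


def parse_line(line):
    """Return the KEY=VALUE fields of one line plus a parsed timestamp, or None."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if "DPT" not in fields or "SRC" not in fields:
        return None
    # syslog timestamps carry no year; the default (1900) is fine for bucketing
    fields["ts"] = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return fields


def t3_scan_report(log_text, window_minutes=5, min_sources=3):
    """Bucket TCP/7001 attempts into fixed windows; a window with at least
    min_sources distinct sources is reported as a scan spike. Also report
    which destinations still ACCEPT 7001, i.e. where the block is missing."""
    sources_per_window = defaultdict(set)
    accepted_from = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "TCP" or f["DPT"] != T3_PORT:
            continue
        ts = f["ts"]
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        sources_per_window[bucket].add(f["SRC"])
        if f.get("ACTION") == "ACCEPT":
            accepted_from[f["DST"]].add(f["SRC"])
    spikes = {w.strftime("%H:%M"): sorted(s)
              for w, s in sources_per_window.items() if len(s) >= min_sources}
    still_accepting = {d: sorted(s) for d, s in sorted(accepted_from.items())}
    return {"spikes": spikes, "still_accepting": still_accepting}


if __name__ == "__main__":
    report = t3_scan_report(SAMPLE_LOG)
    for window, sources in report["spikes"].items():
        print(f"scan spike at {window}: {len(sources)} distinct sources -> {sources}")
    for dst, sources in report["still_accepting"].items():
        print(f"{dst} still accepts TCP/{T3_PORT} from {sources}")
```

On the sample data the 10:00 window holds four distinct sources and is flagged, the 10:05 window is not, and only 192.0.2.5 appears as still accepting port 7001, since 192.0.2.6 already drops it. Thresholds and window size are tuning knobs; the point is that both the spike and the missing block are visible from the same log.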
This is not the only Oracle WebLogic vulnerability to put users at risk recently. In February, businesses were warned to patch a different WebLogic flaw that was being exploited by cryptojackers, and Beaumont noted that the issues extend beyond that as well.
Oracle have serious security coding and product issues with WebLogic. They’ve had the highest number of vulns recently for unauthenticated remote code execution in a webserver I’ve seen, plus hardcoded backdoor passwords. It’s like 90s era product security.
— Kevin Beaumont (@GossiTheDog)
April 20, 2018