Attackers seek Oracle WebLogic vulnerability after faulty patch
The combination of a broken patch for an Oracle WebLogic vulnerability and publicly available proof-of-concept exploit code has led threat actors to scan for any servers that remain at risk.
Following the broken patch, researchers noticed a rise in devices scanning for servers potentially at risk from the Oracle WebLogic vulnerability.
One of the more than 250 issues addressed in the most recent quarterly Oracle Critical Patch Update on April 18 was an Oracle WebLogic vulnerability (CVE-2018-2628). Multiple users on GitHub released proof-of-concept (POC) exploit code against this flaw as early as April 19; soon after, devices were scanning for at-risk servers.
In a tweet, GreyNoise Intelligence noted the increase in devices searching for an at-risk server: "GreyNoise has observed a large spike in devices scanning the Internet for TCP port 7001 beginning last week on 4/16/18. This activity corresponds directly with the disclosure (4/18/2018) and weaponization (4/18/18) of Oracle WebLogic CVE-2018-2628."
Liao Xinxi -- who originally reported the issue to Oracle -- described how the Oracle WebLogic vulnerability worked in a blog post, and security researchers found the patch was broken and could be easily bypassed. David Tampellini, a security researcher and bug hunter based in Italy, combined the work done by Liao with code from GitHub user MrTcsy to weaponize the POC.
Kevin Beaumont, a security architect based in the U.K., said on Twitter that the problem was that the original patch did nothing to fix the Oracle WebLogic vulnerability. Instead, Oracle attempted to mitigate the issue by blacklisting commands used in a potential exploit, but Beaumont said the vendor missed a command.
Beaumont said the risk could be reduced by blocking inbound traffic on port 7001 to vulnerable servers, and he noted that the issues extended beyond this single flaw.
Oracle have serious security coding and product issues with WebLogic. They’ve had the highest number of vulns recently for unauthenticated remote code execution in a webserver I’ve seen, plus hardcoded backdoor passwords. It’s like 90s era product security.
— Kevin Beaumont (@GossiTheDog) April 20, 2018
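As an added detection example (not code from the article, GreyNoise or Oracle), the following Python script counts distinct sources reaching TCP port 7001 per day in a connection log and flags days that stand out against the preceding days, the kind of spike GreyNoise reported; the log format and the addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log lines (not real data), one flow per line:
# "<YYYY-MM-DD> <src_ip> <dst_ip> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
2018-04-12 203.0.113.5 192.0.2.10 TCP 7001 ALLOW
2018-04-13 203.0.113.7 192.0.2.10 TCP 7001 ALLOW
2018-04-15 203.0.113.5 192.0.2.10 TCP 443 ALLOW
2018-04-15 203.0.113.9 192.0.2.10 TCP 7001 ALLOW
2018-04-16 198.51.100.1 192.0.2.10 TCP 7001 ALLOW
2018-04-16 198.51.100.2 192.0.2.10 TCP 7001 ALLOW
2018-04-16 198.51.100.3 192.0.2.10 TCP 7001 ALLOW
2018-04-16 198.51.100.4 192.0.2.10 TCP 7001 ALLOW
2018-04-16 198.51.100.4 192.0.2.10 TCP 7001 ALLOW
2018-04-17 198.51.100.5 192.0.2.10 TCP 7001 ALLOW
2018-04-17 198.51.100.6 192.0.2.10 TCP 7001 ALLOW
2018-04-17 198.51.100.7 192.0.2.10 TCP 7001 ALLOW
2018-04-17 198.51.100.8 192.0.2.10 TCP 7001 ALLOW
2018-04-17 198.51.100.9 192.0.2.10 TCP 7001 ALLOW
"""

WEBLOGIC_PORT = 7001  # default WebLogic listen port, as scanned for in the article

def unique_sources_per_day(log_text, dst_port=WEBLOGIC_PORT):
    """Map each day to the set of distinct source IPs that reached dst_port over TCP."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or blank lines
        day, src, _dst, proto, port, _action = fields
        if proto == "TCP" and port.isdigit() and int(port) == dst_port:
            per_day[day].add(src)  # a repeated source on the same day counts once
    return per_day

def spike_days(per_day, baseline_days=3, factor=2.0, min_sources=4):
    """Flag days whose distinct-source count is at least `factor` times the mean of
    the preceding `baseline_days` active days (days with no probes are absent)."""
    days = sorted(per_day)
    flagged = []
    for i, day in enumerate(days):
        if i < baseline_days:
            continue  # not enough history to form a baseline yet
        baseline = [len(per_day[d]) for d in days[i - baseline_days:i]]
        mean = sum(baseline) / baseline_days
        count = len(per_day[day])
        if count >= min_sources and count >= factor * mean:
            flagged.append((day, count))
    return flagged
```

A flagged day is a prompt to confirm the patch level of any WebLogic host reachable on 7001 and to check whether the inbound block Beaumont describes is in place.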
This is not the only Oracle WebLogic vulnerability putting users at risk recently. In February, businesses were warned to patch a different WebLogic flaw that was being exploited by cryptojackers.