Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild

Threat actors have started exploiting a critical vulnerability in Oracle WebLogin, tracked as CVE-2020-14882, in attacks in the wild.

Threat actors have started scanning the Internet for servers running vulnerable installs of Oracle WebLogic in the attempt of exploiting the a critical flaw tracked as CVE-2020-14882.

The CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.

The vulnerability received a severity rating 9.8 out of 10, it was addressed by Oracle in this month’s release of Critical Patch Update (CPU).

The vulnerability affects versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab.

Security researchers from SANS Technology Institute set up a collection of honeypots set up allowed the researchers to catch a series of attacks shortly after the exploit code for CVE-2020-14882 was publicly available.

According to Johannes Ullrich, Dean of Research at SANS, the attacks that targeted the honeypots were originated from the following IP addresses:

114.243.211.182 – assigned to China Unicom
139.162.33.228 – assigned to Linode (U.S.A.)
185.225.19.240 – assigned to MivoCloud (Moldova)
84.17.37.239 – assigned to DataCamp Ltd (Hong Kong)

According to the SANS expert, the exploit employed in the attacks appears to be based on the code published in this blog post by the researcher Jang.

“These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the “correct” response, and we have not seen follow-up requests yet.” reads the post published by SANS.

SANS Institute is alerting the internet service providers operating the IP addresses involved in the attacks.

The exploit used by the attackers only probe the systems to determine if they are vulnerable.

Searching on Spyse engine for Oracle WebLogic servers exposed online end potentially vulnerable to CVE-2020-14882 we can retrieve more than 3,000 installs.

Administrators of Oracle WebLogic installs have to apply the patch for the CVE-2020-14882 vulnerability as soon as possible.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle WebLogic)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.