Oracle botches CVE-2018-2628 patch and hackers promptly start scanning for vulnerable WebLogic installs

According to a security expert, Oracle appears to have botched the CVE-2018-2628 fix, this means that attackers could bypass it to take over WebLogic servers.

Earlier April, Oracle patched the critical CVE-2018-2628 vulnerability in Oracle WebLogic server, but an Alibaba security researcher @pyn3rd discovered that the proposed fix could be bypassed.

The CVE-2018-2628 flaw was addressed in Oracle’s Critical Patch Update (CPU) security advisory, a remote attacker can easily exploit the vulnerability to completely take over an Oracle WebLogic server.

“Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.” reads the description provided by Mitre. “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).”

@pyn3rd added that it is quite easy to bypass the patch:

The popular cyber security expert Kevin Beaumont explained that the mitigation implemented by Oracle seems to only blacklist commands.

Such kind of errors could have serious consequences on the end users, since April 17, (just after Oracle published the quarterly Critical Patch Update (CPU) advisory). experts are observing threat actors started scanning the Internet, searching for Oracle WebLogic servers.

After Oracle published the Critical Patch Updates, the researchers Xinxi published the technical details of the CVE-2018-2628 vulnerability and later a user with moniker ‘Brianwrf’ shared proof-of-concept (PoC) code on GitHub.

The availability of the PoC code caused a spike in scans for port 7001 that runs the vulnerable WebLogic T3 service.

In the following graph from SANS Institute shows the spike in Internet scans for port 7001:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-2628 Oracle WebLogic, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Next SamSam operators switch tactic and are more focused on targeted organizations »

Previous « Op GhostSecret - ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Picture hack

Published by

Pierluigi Paganini

Tags: CVE-2018-2628HackingOraclePierluigi PaganiniSecurity AffairsWebLogic

6 years ago

Law enforcement operation dismantled phishing-as-a-service platform LabHost

An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…

3 hours ago

Hacking

Previously unknown Kapeka backdoor linked to Russian Sandworm APT

Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…

8 hours ago

Hacking

Cisco warns of a command injection escalation flaw in its IMC. PoC publicly available

Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…

10 hours ago

Cyber Crime

Linux variant of Cerber ransomware targets Atlassian servers

Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…

24 hours ago

Security

Ivanti fixed two critical flaws in its Avalanche MDM

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…

1 day ago

Hacking

Researchers released exploit code for actively exploited Palo Alto PAN-OS bug

Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks'…

2 days ago

This website uses cookies.