
If you haven't patched WebLogic server console flaws in the last eight days 'assume it has been compromised'

Stark warning from SANS' Johannes Ullrich - RCE's gonna GET 'ya


Last week Oracle released one of its mammoth quarterly patch dumps - with 402 fixes. Well, it turns out that if you missed one and you're running WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0, you've probably already been tagged by hackers.

On Thursday Johannes Ullrich, Dean of Research at the SANS Technology Institute, spotted a massive spike in traffic on research "honeypot" systems as somebody tried to identify public-facing WebLogic servers that weren't patched against CVE-2020-14882. The flaw, with a CVSS score of 9.8, is an "easily exploitable vulnerability" in the application's console that can be targeted over HTTP without user interaction to execute code remotely.


"At this point, we are seeing the scans slow down a bit," he explained. But they have reached "saturation", meaning that all IPv4 addresses have been scanned for this vulnerability. "If you find a vulnerable server in your network: Assume it has been compromised."

Ullrich said that the exploit code being used against the Java EE application server appears to be based on information published on Wednesday by someone identified as Nguyen Jang. The post, in Vietnamese, described how to get full access to an unpatched WebLogic server with a single GET request and included a video demonstration.

All of the exploit attempts originate from four IP addresses, Ullrich said.

"These exploit attempts are right now just verifying if the system is vulnerable," he said. "Our honeypots (up to now) do not return the 'correct' response, and we have not seen follow-up requests yet."

It's possible that this was a simple scan to estimate the total number of vulnerable machines; investigations are ongoing. In the meantime, patch and check all vulnerable machines and get to work on the other 401 fixes - who knows which one is next? ®
