Hackers are targeting recently patched WebLogic security vulnerability

Pierluigi Paganini May 01, 2020

Oracle warns of attacks against recently patched WebLogic security bug

Oracle warns of attacks in the wild exploiting a recently patched vulnerability in WebLogic servers for which proof-of-concept exploit code is available on GitHub.

IT giant Oracle published a security alert to warn organizations running WebLogic servers of ongoing attacks that exploit the CVE-2020-2883 vulnerability.

The company is urging its customers to install the latest security updates released on April 14.

“This Critical Patch Update contains 9 new security patches for the Oracle Database Server.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.” reads the advisory published by Oracle.

Oracle WebLogic Server is a Java EE application server; tens of thousands of instances are reachable online.

The CVE-2020-2883 flaw was reported to Oracle through the Zero Day Initiative. It is a remote code execution issue that can be triggered by sending a malicious payload to a WebLogic server over its proprietary T3 protocol. The bug can be exploited by an unauthenticated attacker and does not require any interaction from the victim.

The CVE-2020-2883 vulnerability has received a CVSSv3 score of 9.8 out of 10.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI.

“The specific flaw exists within the handling of the T3 protocol. Crafted data in a T3 protocol message can trigger the deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process.”

Oracle was informed of attempts to exploit CVE-2020-2883. The root cause is the way the server deserializes data received over T3: untrusted serialized objects are reconstructed without validation, which allows arbitrary code execution on the underlying WebLogic system.

The attacks began shortly after proof-of-concept exploit code was published on GitHub.

In June 2019, Oracle released emergency patches for a critical remote code execution vulnerability affecting the WebLogic Server.

The vulnerability, tracked as CVE-2019-2729, affects WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. It is a remotely exploitable deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services and received a CVSS score of 9.8.

A remote attacker could exploit the CVE-2019-2729 flaw without authentication. 



Pierluigi Paganini

(SecurityAffairs – Oracle WebLogic, hacking)
