Threat actors have started scanning the Internet for servers running vulnerable installs of Oracle WebLogic in the attempt of exploiting the a critical flaw tracked as CVE-2020-14882.
The CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.
The vulnerability received a severity rating 9.8 out of 10, it was addressed by Oracle in this month’s release of Critical Patch Update (CPU).
The vulnerability affects versions of Oracle WebLogic Server are 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.
The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab.
Security researchers from SANS Technology Institute set up a collection of honeypots set up allowed the researchers to catch a series of attacks shortly after the exploit code for CVE-2020-14882 was publicly available.
According to Johannes Ullrich, Dean of Research at SANS, the attacks that targeted the honeypots were originated from the following IP addresses:
According to the SANS expert, the exploit employed in the attacks appears to be based on the code published in this blog post by the researcher Jang.
“These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the “correct” response, and we have not seen follow-up requests yet.” reads the post published by SANS.
SANS Institute is alerting the internet service providers operating the IP addresses involved in the attacks.
The exploit used by the attackers only probe the systems to determine if they are vulnerable.
Searching on Spyse engine for Oracle WebLogic servers exposed online end potentially vulnerable to CVE-2020-14882 we can retrieve more than 3,000 installs.
Administrators of Oracle WebLogic installs have to apply the patch for the CVE-2020-14882 vulnerability as soon as possible.
(SecurityAffairs – hacking, Oracle WebLogic)