SANS Internet Storm Centre (ISC) has warned of a remote code execution vulnerability in Oracle console component of the WebLogic Server has been actively exploited in the wild. The flaw is critical and easily exploitable in nature.

Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. These servers are often targeted by attackers, whether for cryptocurrency mining or as a way into other enterprise systems.

The vulnerability tracked as CVE-2020-14882, may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers. The exploit allows attackers to achieve RCE on a vulnerable Oracle WebLogic Server by sending a GET request. The flaw ranks 9.8 out of 10 on the CVSS scale.

According to Oracle, the attack is “low” in complexity, requires no privileges, and no user interaction and can be exploited by attackers with network access via HTTP.

The flaw was preset by Oracle in the enormous Oct launch of its quarterly Critical Patch Update (CPU), which preset 402 vulnerabilities throughout numerous item families. The vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

If an organization hasn’t updated its Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: “Assume it has been compromised.”

The researcher observed the attacks against one of his honeypots within a day of a proof of concept (POC) becoming publicly available. SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses, 114.243.211.182 (assigned to China Unicom), 139.162.33.228 (assigned to Linode (U.S.A.)), 185.225.19.240 (assigned to MivoCloud (Moldova)), and 84.17.37.239 (assigned to DataCamp Ltd (Hong Kong)). For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.

SANS Institute is alerting the internet service providers operating the IP addresses involved in the attacks. The exploit used by the attackers only probes the systems to determine if they are vulnerable.

A PoC for this vulnerability was published to GitHub by a security researcher that goes by the handle Jas502n. Jas502n has a history of producing PoCs for vulnerabilities soon after their disclosure, including CVE-2019-12409 and CVE-2019-17558, a pair of vulnerabilities in Apache Solr.

Recommendations:

• Admins are advised to patch vulnerable systems as soon as possible.
• Removing the admin portal from the public internet.
• Oracle WebLogic Server users are highly recommended to update their systems.
• If customers remain on actively-supported versions, Oracle strongly recommends applying Critical Patch Update security patches without delay.
• Reviewing application logs for HTTP requests that include the double-encoded path traversal %252E%252E%252F and the admin portal console.portal in the request URI.
• Monitoring network traffic for suspicious HTTP requests (if possible).
• Monitoring for any suspicious processes created by the application.
• Users can also reduce the risk of successful attack by blocking network protocols required by an attack.