A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned.
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. These servers are often targeted by attackers, whether for cryptocurrency mining or as a way into other enterprise systems.
About the vulnerability (CVE-2020-14882)
CVE-2020-14882 may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.
The vulnerability affects the console component of Oracle WebLogic Server versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0, and has been patched by Oracle last week.
Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, said that SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses.
For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.
“The exploit appears to be based on this blog post published in Vietnamese by ‘Jang’,” he added. (The researcher in question has previously flagged several flaws in Oracle’s offerings, though not this one.)
The exploit allows attackers to achieve RCE on a vulnerable Oracle WebLogic Server by sending a HTTP GET request.
A demonstration of the exploit in action is available here.
The PoC exploit was published yesterday, and it didn’t take long for attackers to take advantage of it. Admins are advised to patch vulnerable systems as soon as possible.
UPDATE (October 30, 2020, 3:00 a.m. PT):
“Rapid7 Labs has also seen evidence of opportunistic attackers seeking out vulnerable WebLogic instances,” Rapid7’s Chief Security Data Scientist Bob Rudis shared.
“Due to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds.”
He urged admins to patch as quickly as possible, and recommended mitigations if immediate patching is impossible (“with the understanding that no mitigation is as effective as patching”).
These mitigations include temporarily:
- Removing the admin portal from the public internet
- reviewing application logs for HTTP requests that include the double-encoded path traversal %252E%252E%252F and the admin portal console.portal in the request URI
- Monitoring network traffic for suspicious HTTP requests (if possible)
- Monitoring for any suspicious processes created by the application
But, as Ullrich noted, due to how easy exploitation of the flaw is, if you find a vulnerable server in your network, assume it has been compromised and proceed to remedy the situation.
UPDATE (November 1, 2020, 3:00 a.m. PT):
Oracle has flagged today a new remote code execution vulnerability in Oracle WebLogic Server (CVE-2020-14750) that is related to the one patched two weeks ago (CVE-2020-14882).
“It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company noted.
As CVE-2020-14882 before it, CVE-2020-14750 affects Oracle WebLogic Server, versions 10.3.6.0.0, 188.8.131.52.0, 184.108.40.206.0, 220.127.116.11.0, 18.104.22.168.0. Oracle advises customers to apply the updates provided through the security alert after they have applied the October 2020 Critical Patch Update.
Oracle has thanked twenty different researchers for reporting the vulnerability, which arose due to the flawed patch for CVE-2020-14882.
In Oracle's rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request.https://t.co/fHWPkXCAlm
— Brett Winterford (@breditor) November 3, 2020