Hackers target Oracle WebLogic Servers following botched patch

Oracle failed to fix the core security flaw on WebLogic Server with its latest patches, claim security specialists

Hackers are targeting Oracle WebLogic servers following a botched patch for the Java application server two weeks ago.

On April 17th, the company released its quarterly Critical Patch Update (CPU) security advisory, which consisted of fixes for more 254 vulnerabilities for various different items of Oracle software.

One of the patches was for CVE-2018-2628, which is a flaw that affects WebLogic's server component. It was assigned a severity score of 9.8 out of ten.

The patch was deemed so severe because it could let attackers distribute code on WebLogic servers remotely, bypassing authentication processes.

"Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components)," reads a description from the National Institute of Standards and Technology.

"Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server."

Liao Xinxi, a security specialist at the NSFOCUS Global Security Team in China, discovered the flaw and reported it to Oracle.

Shortly after Oracle rolled out an update for the fix, Liao published a blog post providing further insight into the workings of the exploit.

https://twitter.com/pyn3rd/status/990114565219344384?ref\\_src=twsrc%5Etfw

According to the researcher, a Github user under the name "Brianwrf" published proof-of-concept concept code of the vulnerability onto the website, giving hackers the means to exploit the flaw.

Despite the fact that Oracle had supposedly fixed the flaw, a security researcher claims that attackers can still workaround it.

Writing on Twitter over the weekend, a user under by the name of "@pyn3rd", who claims to be a security researcher at Alibaba Cloud, claimed that the "critical patch update of 2018.4 can be bypassed easily".

The researcher did not give a detailed explanation as to why the patch has been ineffective, but warned that patched WebLogic servers could still be targeted by hackers.

However, security expert Kevin Beaumont added further insight by claiming that Oracle simply failed to patch the core of the problem.

https://twitter.com/GossiTheDog/status/990621460476649472?ref\\_src=twsrc%5Etfw

"It looks like Oracle isn't even fixing the issues here, they're just blacklisting commands. In this case they missed the very next command," he wrote on Twitter.

There is no sign of a patch from Oracle, although Beaumont said users should block all connections on port 7001.