Multiple Oracle WebLogic Server Vulnerabilities Remotely Exploitable without Authentication

Overview: Oracle WebLogic Server Vulnerabilities

This report outlines vulnerabilities in Oracle WebLogic Server disclosed in the Critical Patch Update Advisory released on October 20, 2020. WebLogic Server is a platform for building Java applications either for internal or cloud deployment. Many of the vulnerabilities listed were given a CVSS score of 9.8 out of 10, indicating a high severity. CVE’s (Common Vulnerabilities and Exposures) associated with WebLogic Server in the advisory include CVE-2019-17267, CVE-2020-14882, CVE-2020-14841, CVE-2020-14825, CVE-2020-14859, CVE-2020-14820, CVE-2020-14883, CVE-2020-14757, CVE-2020-11022, and CVE-2020-9488.

Tactics, Techniques, and Procedures

Many of the Oracle WebLogic Server vulnerabilities are remotely exploitable without authentication, making them ideal targets for malicious actors that have access to automatic scanning tools and exploits. Attacks have been detected for CVE-2020-14882 via exploit attempts of many security researcher honeypots. This particular vulnerability is for the admin console component of the WebLogic server and would require the console to be accessible to the attacker.

SANS Internet Storm Center has monitored scanning activity for this vulnerability and determined that exposed WebLogic Server vulnerable to these attacks have most likely been compromised. A proof-of-concept exploit has been publicly posted and shared on Twitter for this particular vulnerability, which appears to be the catalyst for the scanning activity.

Affected WebLogic Versions:

• 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Business Unit Impact

• May allow a malicious actor to run unauthorized code or processes from the compromised server
• Malicious actors may be able to laterally move from the WebLogic Server to other devices, compromising the network

Recommendations

• Expeditious application of the patches disclosed in the Critical Patch Update Advisory is highly recommended
• Allow only needed internal users and devices access to the WebLogic Server; block unauthorized access at your firewall
  • WebLogic Server uses the default ports 5556, 7001, 7002, and 8001
• If running a vulnerable version of WebLogic Server in your environment, an in-depth investigation may be needed to confirm the device is not already compromised

Patches:

https://www.oracle.com/security-alerts/cpuoct2020.html

Indicators of Compromise (IOC):

• 139.162.33.228
• 185.225.19.240
• 84.17.37.239
• 114.243.211.182
• 27.115.124.0/24
• 111.206.250.0/24

Sources

• https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/
• https://exchange.xforce.ibmcloud.com/collection/Scans-for-Vulnerable-Oracle-WebLogic-Servers-40e60d8974388d71155215fb97fe097c

Supporting Documentation:

MITRE Mapping(s)

• Reconnaissance: https://attack.mitre.org/tactics/TA0043/
  • Active Scanning: https://attack.mitre.org/techniques/T1595/
    • Vulnerability Scanning: https://attack.mitre.org/techniques/T1595/002/

• Initial Access: https://attack.mitre.org/tactics/TA0001/
  • Exploit Public-Facing Application:https://attack.mitre.org/techniques/T1190/

Supporting Links:

• https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.