Oracle WebLogic Unauthenticated Complete Takeover (CVE-2020-14882): What You Need to Know

What’s up?


As if October 2020 hasn't been scary enough, Rapid7 Labs, the SANS Internet Storm Center (ISC), and other researchers have caught attackers opting for tricks instead of treats this week as they seek out and attempt to compromise internet-facing WebLogic servers vulnerable to CVE-2020-14882 (AttackerKB Analysis), an unauthenticated remote code execution (complete compromise) weakness in the Console component of Oracle WebLogic Server.


Before we sift through the candy loot bag of vulnerability and exploit details, we must pause and urge Oracle WebLogic Server customers to patch as soon as possible.


Vulnerability and exposure details


On Oct. 20, 2020, Oracle issued an advisory for CVE-2020-14882 in its quarterly critical patch update. The vulnerability is trivial to exploit, with a proof-of-concept (PoC) already available, courtesy of a researcher who goes by the handle Jang. The aforelinked Medium post is worth taking the time to translate and walk through, as it provides seriously detailed information on the path Jang took to eventually craft an exploit in a single HTTP GET request.


Affected WebLogic versions include:


10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

Rapid7 Labs found just over 2,000 WebLogic Console endpoints on HTTP port 7001 today (Oct. 29, 2020) with a wide version distribution:


version       n
10.3.6.0      457
12.2.1.3.0    435
12.2.1.4.0    403
10.3.0.0      350
12.1.3.0.0    111
10.3.5.0      83
12.2.1.2.0    75
12.2.1.0.0    68
14.1.1.0.0    28
12.2.1.1.0    16
10.3.6.0.0    12
12.1.1.0      10
10.3.2.0      8
12.1.2.0.0    7
10.3.3.0      5
10.3.1.0      4
10.3.4.0      1

From this scan, it appears that 111 (12.1.3.0.0) are definitely vulnerable, with an additional 457 (10.3.6.0) potentially also vulnerable (while Oracle does include the version string in the HTML source, it is not a precise version string, so some of thes ..
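The distinction drawn above, between a version string that exactly matches Oracle's affected list and a truncated console string that only matches a prefix of one, is the kind of check a defender runs over an internal inventory. The following is an added example (not code from the Rapid7 post); the affected-version list is the one given in this post, the observed strings are constructed inputs, and treating a shorter string as a possible match for its longer form is an assumption made here, not something Oracle states.

```python
# Added example: triage observed WebLogic Console version strings against the
# versions Oracle lists as affected by CVE-2020-14882 (list as given in the post).
from collections import Counter
from typing import Dict, Optional, Tuple

AFFECTED = ["10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '12.2.1.3.0' into (12, 2, 1, 3, 0); None if the string is not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def classify(observed: str) -> str:
    """'vulnerable'  : exact match to an affected version
       'possibly'    : truncated string (e.g. '10.3.6.0') that is a prefix of one
       'not_listed'  : parses, but matches nothing on the affected list
       'unknown'     : unparseable version string
    A match says only that the version is on the affected list; it does not
    establish whether the October 2020 patch has been applied (assumption)."""
    obs = parse_version(observed)
    if obs is None:
        return "unknown"
    for affected in AFFECTED:
        aff = parse_version(affected)
        if obs == aff:
            return "vulnerable"
        if len(obs) < len(aff) and aff[: len(obs)] == obs:
            return "possibly"
    return "not_listed"


def triage(observed_counts: Dict[str, int]) -> Dict[str, int]:
    """Sum endpoint counts per category, e.g. from a scan's version histogram."""
    totals: Counter = Counter()
    for version, count in observed_counts.items():
        totals[classify(version)] += count
    return dict(totals)


if __name__ == "__main__":
    # Constructed sample: three observed strings and how many hosts showed each.
    sample = {"12.1.3.0.0": 111, "10.3.6.0": 457, "10.3.0.0": 350, "n/a": 2}
    print(triage(sample))
```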