Hackers target Oracle WebLogic Servers after the release of PoC code

CVE-2018-2893

Attackers have recently begun targeting Oracle WebLogic servers, attempting to take over systems that were not patched after the vulnerability was disclosed.

The vulnerability being exploited is CVE-2018-2893, a Java deserialization flaw in Oracle WebLogic Server (part of Oracle Fusion Middleware) that allows unauthenticated remote code execution: an attacker can take full control of the server without any credentials. The flaw carries a CVSS v3 base score of 9.8 out of 10, close to the maximum.


The score is so high because the flaw is exploitable over the network, requires no authentication, and is relatively easy to trigger. Oracle did not publish technical details of the vulnerability; it released a patch for it on July 18.

However, just three days later, several proof-of-concept videos described the vulnerability in detail. Most of those videos have since been deleted, but at the time of writing PoC code is still available on GitHub, which is likely a significant factor in the attacks now being seen. According to reports, the first attack attempts began on July 21, once news of the PoC code had spread, and the volume of attacks has grown since then.

Security researchers at SANS ISC and Qihoo 360 Netlab are currently tracking two groups that appear to have automated the exploit and are attacking at scale.

Administrators of Oracle WebLogic servers are advised to install the patch, delivered in Oracle's July 2018 Critical Patch Update, as soon as possible. WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are affected, so patching is necessary on all of them.

The attacks observed so far come in over port 7001, WebLogic's default listen port, on which the T3 protocol used by the exploit is exposed. Server owners who cannot patch immediately should block inbound access to that port at the firewall or router as a temporary measure, bearing in mind that a server configured to listen on a different port needs that port blocked instead, and that blocking at the perimeter does nothing against an attacker who is already inside the network.
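To find which exposed WebLogic listeners belong to the affected release trains, a practitioner can send the plain-text T3 greeting to port 7001 and read the version the server announces back. The following is an added example written for this article, not code from the article, from Oracle, or from the researchers it cites. It assumes the standard T3 handshake (client sends a `t3 <version>` line plus `AS`/`HL` fields, server answers with a `HELO:<version>.<flag>` line), and the function names, the `assess` classification labels and the sample replies are all constructed here for illustration. It does not attempt exploitation.

```python
import re
import socket

# Release trains the article lists as affected by CVE-2018-2893.
AFFECTED_VERSIONS = {"10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3"}

# Client side of the T3 handshake: protocol tag and claimed client version,
# then the AS (abbreviation size) and HL (header length) fields, blank-line
# terminated. This is the same greeting a WebLogic client itself sends.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Server side begins with "HELO:<dotted version>.<true|false>\n"; the trailing
# boolean flag is not interpreted here.
_HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)\n")


def parse_t3_helo(reply: bytes):
    """Extract the WebLogic version string from a T3 HELO reply.

    Returns the dotted version, or None when the peer did not complete the
    T3 handshake (not WebLogic, T3 disabled, or a filter in front of it).
    """
    m = _HELO_RE.match(reply)
    return m.group(1).decode("ascii") if m else None


def assess(reply: bytes) -> str:
    """Classify one T3 reply for CVE-2018-2893 triage.

    The banner carries the release version only; Oracle's fix for this CVE
    does not change that version, so 'affected-version' means "listed release
    train, patch status unknown", not "confirmed vulnerable". Use it to build
    the list of hosts to patch or verify, not as proof of exposure.
    """
    version = parse_t3_helo(reply)
    if version is None:
        return "no-t3"
    if version in AFFECTED_VERSIONS:
        return f"affected-version:{version}"
    return f"other-version:{version}"


def probe(host: str, port: int = 7001, timeout: float = 5.0) -> str:
    """Send the T3 hello to host:port and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        reply = sock.recv(1024)
    return assess(reply)


# Constructed sample replies for offline use; not captured from real servers.
SAMPLE_REPLIES = {
    "weblogic-12.2.1.3": b"HELO:12.2.1.3.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "weblogic-10.3.6.0": b"HELO:10.3.6.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "weblogic-12.1.2.0": b"HELO:12.1.2.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "http-server":       b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, sample in SAMPLE_REPLIES.items():
        print(f"{name:20s} -> {assess(sample)}")
```

Run `probe(host)` against your own inventory from inside the network as well as from outside: a listener that answers the handshake from the Internet is exactly what the perimeter block above is meant to stop, and one that answers only internally still needs the patch.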