A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned.
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. These servers are often targeted by attackers, whether for cryptocurrency mining or as a way into other enterprise systems.
About the vulnerability (CVE-2020-14882)
CVE-2020-14882 may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.
The vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0, and has been patched by Oracle last week.
Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, said that SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses.
For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.
“The exploit appears to be based on this blog post published in Vietnamese by ‘Jang’,” he added. (The researcher in question has previously flagged several flaws in Oracle’s offerings, though not this one.)
The exploit allows attackers to achieve RCE on a vulnerable Oracle WebLogic Server by sending one simple POST request.
A demonstration of the exploit in action is available here.
The PoC exploit was published yesterday, and it didn’t take long for attackers to take advantage of it. Admins are advised to patch vulnerable systems as soon as possible.