10/29/2020 | News release | Distributed by Public on 10/29/2020 14:50
As if October 2020 hasn't been scary enough, Rapid7 Labs, the SANS Internet Storm Center (ISC), and other researchers have caught attackers opting for tricks instead of treats this week as they seek out and attempt to compromise internet-facing WebLogic servers that are vulnerable to CVE-2020-14882 (AttackerKB Analysis), which is an unauthenticated remote code execution (complete compromise) weakness in the Console component of Oracle WebLogic servers.
Before we sift through the candy loot bag of vulnerability and exploit details, we must pause and urge Oracle WebLogic Server customers to patch as soon as possible.
On Oct. 20, 2020, Oracle issued an advisory for CVE-2020-14882 in its quarterly critical patch update. The vulnerability is trivial to exploit, with a proof-of-concept (PoC) already available, courtesy of a researcher who goes by the handle Jang. Jang's Medium post is worth taking the time to translate and walk through, as it provides seriously detailed information on the path Jang took to eventually craft an exploit that fits in a single HTTP GET request.
Affected WebLogic versions include:
Rapid7 Labs found just over 2,000 WebLogic Console endpoints on HTTP port 7001 today (Oct. 29, 2020) with a wide version distribution:
From this scan, it appears that 111 (220.127.116.11.0) are definitely vulnerable, with an additional 457 (10.3.6.0) potentially also vulnerable (while Oracle does include the version string in the HTML source, it is not a precise version string, so some of these could already be patched).
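To illustrate the caveat above, here is an added inventory helper (not Rapid7's scanner or Oracle's code) that classifies exposed console endpoints from the version banner in their HTML. It assumes the console login page prints a "WebLogic Server Version: x.y.z.w" footer (confirm against your own servers), uses constructed sample responses in place of real scan data, and knows only the 10.3.6.0 version named on this page, so the affected set must be extended from Oracle's advisory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Footer marker the console login page is assumed to print; verify the exact
# format against your own WebLogic instances before relying on it.
VERSION_RE = re.compile(r"WebLogic Server Version:\s*([\d.]+)")

# Versions named on this page as affected by CVE-2020-14882. Extend this set
# from Oracle's October 2020 critical patch update advisory.
AFFECTED_VERSIONS = {"10.3.6.0"}


@dataclass
class ConsoleAssessment:
    host: str
    version: Optional[str]
    verdict: str
    reason: str


def extract_version(html: str) -> Optional[str]:
    """Return the banner version from console HTML, or None if the marker is absent."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def assess_console(host: str, html: str, affected=AFFECTED_VERSIONS) -> ConsoleAssessment:
    """Classify one endpoint. The banner carries no patch level (a patched
    10.3.6.0 still reports 10.3.6.0), so a match can only ever mean
    'potentially vulnerable'; confirm with an installed-patch inventory."""
    version = extract_version(html)
    if version is None:
        return ConsoleAssessment(host, None, "unknown", "no version marker in HTML")
    if version in affected:
        return ConsoleAssessment(host, version, "potentially vulnerable",
                                 "version in affected list; banner does not reveal patch level")
    return ConsoleAssessment(host, version, "not in affected list", "banner version not listed")


# Constructed sample responses standing in for real scan results (hosts are placeholders).
SAMPLE_RESPONSES = {
    "10.0.0.5:7001": '<p id="footerVersion">WebLogic Server Version: 10.3.6.0</p>',
    "10.0.0.9:7001": '<p id="footerVersion">WebLogic Server Version: 99.9.9.9</p>',
    "10.0.0.12:7001": "<html><body>Login</body></html>",
}


def assess_all(responses=SAMPLE_RESPONSES):
    return [assess_console(host, html) for host, html in responses.items()]


if __name__ == "__main__":
    for a in assess_all():
        print(f"{a.host}\t{a.version}\t{a.verdict}\t({a.reason})")
```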
The SANS Internet Storm Center was first to confirm that active exploitation is in progress, and Rapid7 Labs has also seen evidence of opportunistic attackers seeking out vulnerable WebLogic instances.
Due to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds.
Organizations running Oracle WebLogic Server should patch as quickly as possible. Those that are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well advised to break that cycle in favor of patching as soon as they can. Organizations that are unable to patch immediately should consider the following recommendations as partial mitigations, with the understanding that no mitigation is as effective as patching: