New Oracle WebLogic zero-day discovered in the wild

Chinese cyber-security firm warns about impending attacks on Oracle WebLogic servers.
Written by Catalin Cimpanu, Contributor

Security researchers have spotted a new zero-day vulnerability impacting the Oracle WebLogic server that is currently being targeted in the wild.

Oracle has been notified of the zero-day, but the software maker just released its quarterly security patches four days before this zero-day's discovery.

Because the company releases security updates every three months, an update to address this issue won't be released for three more months, until July.

In the meantime, over 36,000 publicly accessible WebLogic servers will remain vulnerable to attacks, and server owners will have to deploy workarounds to counteract any possible breaches.

The zero-day

The zero-day was first spotted on Sunday, April 21, by KnownSec 404, the company behind ZoomEye, a search engine for discovering internet-connected devices.

The company says that attackers are targeting Oracle WebLogic servers running the WLS9_ASYNC and WLS-WSAT components. The first component adds support for server asynchronous operations, while the second is the server's security component.

Both components contain a vulnerability that lets an attacker trigger the deserialization of malicious data and take over the targeted system.

To prevent attacks, KnownSec 404 is recommending that companies either remove the vulnerable components and restart their WebLogic servers, or put firewall rules in place to block requests to the two URL paths used by the attacks (/_async/* and /wls-wsat/*).
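Where a firewall rule cannot be deployed immediately, the same two path prefixes are useful for retroactive detection in web server or reverse-proxy access logs. The following Python script is an added example for this article, not code from KnownSec 404, Oracle or ZDNet: it parses Common Log Format lines and reports every request under /_async/ or /wls-wsat/, matching case-insensitively and ignoring the query string so that trivial variations of the path are still caught. The log lines, client addresses and service names in it are constructed for illustration.

```python
"""Flag access-log requests to the two WebLogic paths named in the article.

Added example for detection, not code from the article or from KnownSec 404.
"""
import re
from typing import Iterable, List, Tuple

# The two URL prefixes the recommended firewall workaround should block.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format: host ident authuser [timestamp] "METHOD path proto" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_watched_path(path: str) -> bool:
    """Return True if the request path falls under a watched prefix.

    The query string is dropped and the path lower-cased, so that
    '/_ASYNC/foo?wsdl' is treated the same as '/_async/foo'.
    """
    bare = path.split("?", 1)[0].lower()
    return any(bare.startswith(p) or bare == p.rstrip("/") for p in WATCHED_PREFIXES)


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, method, path) for every line that hits a watched path.

    Lines that do not parse as Common Log Format are skipped rather than
    treated as hits, so a malformed line cannot hide or fake a match.
    """
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if m and is_watched_path(m["path"]):
            hits.append((m["ts"], m["host"], m["method"], m["path"]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up service names).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Apr/2019:10:02:11 +0000] "POST /_async/some-service HTTP/1.1" 202 0
198.51.100.7 - - [21/Apr/2019:10:02:12 +0000] "POST /wls-wsat/some-port HTTP/1.1" 500 312
203.0.113.5 - - [21/Apr/2019:10:03:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
203.0.113.5 - - [21/Apr/2019:10:03:05 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 2048
192.0.2.9 - - [21/Apr/2019:10:04:40 +0000] "GET /_ASYNC/some-service?wsdl HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for ts, host, method, path in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {host} {method} {path}")
```

Run against the constructed sample, the script reports the three requests that touch the watched prefixes (including the upper-cased one with a query string) and ignores the console and application requests. Feeding it a real access log only requires replacing `SAMPLE_LOG` with the file's lines; the same prefix check can be transplanted into whatever rule language the organisation's proxy or WAF uses.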

Only scans, no exploitation

Several sources in the cyber-security community have told ZDNet that attackers are only scanning for WebLogic servers and using a benign exploit to test the vulnerability, but they are not attempting to drop malware or run malicious operations on vulnerable hosts just yet.

Additional confirmation for these attacks also came from public sources, such as Waratek and F5 Labs.

Activity on this front is bound to change in the upcoming weeks, with hackers moving from scanning and probing vulnerable servers to full-on attacks.

History has proven that WebLogic servers are some of the most sought-after targets for hackers today.

For example, a hacker group made over $226,000 worth of Monero in late 2017 by exploiting CVE-2017-10271, another Oracle WebLogic flaw, also impacting the WLS-WSAT component.

Other attacks have also been detected aimed at CVE-2018-2628 and CVE-2018-2893, another set of Oracle WebLogic flaws.

Over the past year and a half, Oracle WebLogic servers have been targeted incessantly, especially by criminal groups engaged in crypto-mining operations. CVE-2017-10271, above all, has remained one of their favorite exploits.

This is because Oracle WebLogic servers usually have access to huge amounts of resources, but also because they are extremely popular, making them easy to find and a prime target for any hacker.

In addition, because WebLogic servers are often deployed in enterprise networks or for running intranets or other public-facing enterprise apps, any compromise of a WebLogic server can easily turn into a catastrophic hack, with intruders gaining access to a wealth of business-sensitive information.

Update, April 26: Today, Oracle issued a rare out-of-band security update to address this vulnerability, which was assigned the CVE-2019-2725 identifier. Oracle WebLogic server owners are advised to patch as soon as possible.
