Oracle warns of attacks against recently patched WebLogic security bug

Oracle patched the bug last month but attacks began after proof-of-concept code was published on GitHub.


Enterprise software giant Oracle published an urgent security alert last night, urging companies that run WebLogic servers to install the latest patches the company released in mid-April.

Oracle says it received reports of attempts to exploit CVE-2020-2883, a vulnerability in its WebLogic enterprise product.

WebLogic is a Java-based middleware server that sits between a front-facing application and a database system, rerouting user requests and returning needed data. It is a wildly popular middleware solution, with tens of thousands of servers currently running online.

The CVE-2020-2883 vulnerability is a dangerous bug: it received a score of 9.8 out of 10 on the CVSSv3 vulnerability severity scale.

The bug, which was privately reported to Oracle, allows a threat actor to send a malicious payload to a WebLogic server via its proprietary T3 protocol.

The attack takes place when the server receives the data and unpacks (deserializes) it in an unsafe manner; that deserialization also runs attacker-supplied code on the underlying WebLogic core, allowing the hacker to take control of unpatched systems.

Oracle says that no user authentication or interaction is needed to exploit this bug. This makes CVE-2020-2883 an ideal candidate for integration in automated web-based attack tools and botnet operations.
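To illustrate the mechanism described above, here is an added example that is not code from the original article and not WebLogic's or Oracle's code: a minimal Java program that deserializes the same byte stream twice, once through an unrestricted ObjectInputStream (the unsafe pattern, which accepts any serializable class on the classpath) and once through a JEP 290 ObjectInputFilter allowlist (Java 9 and later). The Greeting and Unexpected classes, the filter pattern and the size limits are assumptions constructed for the example; the WebLogic T3 gadget chain itself is not shown.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SafeDeserialize {
    // Constructed example type: the only application class we expect on the wire.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for "any class the receiver never expected".
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe: every serializable class on the classpath is eligible, so the
    // sender chooses which classes get instantiated and which readObject()
    // methods run. This is the pattern behind Java deserialization bugs.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: an allowlist filter (assumed pattern) rejects any class not
    // named explicitly ("!*"), and caps graph depth, reference count and
    // stream size before the object graph is built.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "SafeDeserialize$Greeting;java.lang.String;"
            + "maxdepth=5;maxrefs=50;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new Unexpected());

        System.out.println("unsafe, expected class:   " + ((Greeting) unsafeRead(expected)).text);
        // The unrestricted reader happily instantiates a class nobody asked for.
        System.out.println("unsafe, unexpected class: " + unsafeRead(unexpected).getClass().getName());

        System.out.println("safe, expected class:     " + ((Greeting) safeRead(expected)).text);
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            // The filter returns REJECTED before any constructor or readObject() runs.
            System.out.println("safe, unexpected class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of the contrast is that an allowlist turns "whatever the sender serialized" into "only the types this endpoint was written to receive"; the same idea applies to any service that accepts serialized objects from the network, and the filter can also be set process-wide with the `jdk.serialFilter` system property.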

Oracle patched the bug during its quarterly security updates, released on April 14.

Current exploitation attempts appear to have started after proof-of-concept code to exploit the CVE-2020-2883 bug was published on GitHub a day later.

Oracle said that exploitation attempts against other vulnerabilities patched last month were also reported but the company highlighted the WebLogic vulnerability in particular.

This is because, in recent years, hackers have repeatedly shown interest in weaponizing and exploiting WebLogic bugs [1, 2, 3, 4, 5, 6, 7, 8, 9].

Hacking groups have been using these vulnerabilities to hijack WebLogic servers to run cryptocurrency miners or breach corporate networks and install ransomware.

CVE-2020-2883 will almost certainly join CVE-2019-2729, CVE-2019-2725, CVE-2018-2893, CVE-2018-2628, and CVE-2017-10271 as one of the most exploited WebLogic vulnerabilities in the wild.