Reference: Advisory #2018-022
Version: 1.0
Affected software: WebLogic versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3
Type: RCE / Remote Code Execution
CVE/CVSS:
CVE: CVE-2018-2893
CVSS: 9.8
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/
https://www.bleepingcomputer.com/news/security/attacks-on-oracle-weblogic-servers-detected-after-publication-of-poc-code/
Successful exploitation of this vulnerability can result in a takeover of the entire Oracle WebLogic Server without having to know its password. Several proofs of concept have been published and there are reports of successful attacks.
This vulnerability allows an unauthenticated attacker with network access to compromise the WebLogic Server over the Oracle T3 protocol. It is registered as CVE-2018-2893 and has been rated "critical", with a severity score of 9.8 on the CVSSv3 scale, because of its consequences, its remote exploitability and its ease of exploitation. Details about this vulnerability were never made public, and Oracle released patches for this bug on July 18, last week. However, since then, several proofs of concept have been published and attackers have started to automate and use these PoCs.
CERT.be recommends that users always keep their systems up to date. Patches can be downloaded at the following address: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CERT.be recommends that users restrict access to port 7001 to the systems that need it.
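One way to check the port 7001 restriction on a Linux host, as an added example that is not part of the CERT.be advisory: the function below reads `iptables-save` output and reports sources that can still reach tcp/7001. The function name, the sample rulesets and the address ranges are constructed for illustration, and it assumes IPv4 rules that name `--dport 7001` explicitly with plain `-s` sources.

```python
import ipaddress
import shlex

T3_PORT = "7001"  # WebLogic listen port named in the advisory

def audit_t3_exposure(ruleset, allowed):
    """Return findings for INPUT rules on tcp/7001 in iptables-save text."""
    allow_nets = [ipaddress.ip_network(a) for a in allowed]
    findings, policy, denied = [], "ACCEPT", False
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":INPUT":
            policy = tok[1]  # chain default, e.g. ":INPUT DROP [0:0]"
            continue
        if tok[:2] != ["-A", "INPUT"] or "--dport" not in tok:
            continue
        if tok[tok.index("--dport") + 1] != T3_PORT:
            continue
        target = tok[tok.index("-j") + 1] if "-j" in tok else ""
        src = tok[tok.index("-s") + 1] if "-s" in tok else "0.0.0.0/0"
        net = ipaddress.ip_network(src, strict=False)
        if target == "ACCEPT" and not denied:
            # First match wins: an ACCEPT after a blanket deny is unreachable.
            if not any(net.subnet_of(a) for a in allow_nets):
                findings.append(f"{T3_PORT} reachable from {net!s}, outside the allowlist")
        elif target in ("DROP", "REJECT") and net.prefixlen == 0:
            denied = True
    if not denied and policy == "ACCEPT":
        findings.append(f"no default deny for {T3_PORT}: unmatched sources are accepted")
    return findings

# Constructed sample: a second, broad range is accepted and nothing denies the rest.
WEAK = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 7001 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 7001 -j ACCEPT
COMMIT
"""
# Constructed sample: only the application subnet is accepted, everything else dropped.
HARDENED = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 7001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7001 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_t3_exposure(rules, ["10.20.0.0/24"]))
```

Catch-all rules that do not mention the port, `multiport` matches and negated sources are not evaluated, so an empty result covers only the explicit port 7001 rules.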