SANS ISC recently observed attackers attempting to exploit CVE-2020-14882, a remote code execution vulnerability in Oracle WebLogic Server.

The vulnerability is unauthenticated and lies in the server's console component. Oracle WebLogic, part of Oracle's Fusion Middleware portfolio, is a popular Java EE application server.

Given the attacks and their potentially serious consequences, SANS ISC has urged all Oracle WebLogic users to patch the vulnerability as soon as possible. Where patching is not possible, the required mitigation measures must be applied at a minimum; mitigation is not as effective as patching, but it still reduces exposure.

What you need to know about the Oracle Weblogic attack

CVE-2020-14882 is trivial to exploit, especially since a proof of concept (PoC) was made public by a researcher known as Jang. The affected versions of Oracle WebLogic Server are the following five:

  • 12.1.3.0.0
  • 12.2.1.4.0
  • 12.2.1.3.0
  • 14.1.1.0.0
  • 10.3.6.0.0

Voidfyoo of Chaitin Security Research Lab, another security researcher, recently published a report stating that Oracle fixed the vulnerability in its October Critical Patch Update. Separately, the SANS Technology Institute set up honeypots to detect attacks not long after the CVE-2020-14882 exploit code went public.

SANS ISC was the first to notice active exploitation of the vulnerability. It confirmed the earlier reports of exploitation that followed the public PoC and provided its own evidence of active attacks. Further attacks should therefore be expected, both inside organizations and on the public internet.

One silver lining is that the IP addresses used to attack the honeypots have been recorded. SANS has found the following IP addresses being used in the attacks:

  • 185.225.19.240
  • 84.17.37.239
  • 139.162.33.228
  • 114.243.211.182

These IP addresses trace to Moldova (MivoCloud), Hong Kong (DataCamp Ltd.), the United States of America (Linode) and China. SANS is notifying the respective internet providers about the exploitation attempts coming from these addresses.

Mitigation efforts to take

As noted above, SANS ISC has urged Oracle WebLogic users to patch the vulnerability as early as possible, or at least to mitigate it. Since patching is not immediately possible for everyone, the following mitigation measures are available:

  • Ensure the admin console is not exposed to the public internet. This gives partial relief by blocking access to the admin console (TCP port 7001 by default).
  • Review web application logs for HTTP requests that contain the double-encoded path traversal sequence %252E%252E%252F together with console.portal in the request URI.
  • Monitor network traffic for suspicious HTTP requests where possible.
  • Monitor for suspicious processes spawned by the application, for example cmd.exe or /bin/sh.
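The log review step above can be automated. The following is an added example written for this article, not code from SANS ISC or Oracle: it scans web access log lines for the two indicators named above (the double-encoded traversal sequence %252E%252E%252F and console.portal in the request URI) and reports the client address, time and request for each match. The combined-log-style format and the sample log lines are constructed for illustration and are not real traffic.

```python
"""Scan web access logs for the CVE-2020-14882 request pattern described above.

Added example, not SANS ISC or Oracle code. The log format and the
sample lines below are constructed for illustration.
"""
import re

# Indicators named in the mitigation advice (compared case-insensitively).
DOUBLE_ENCODED_TRAVERSAL = "%252e%252e%252f"
CONSOLE_PORTAL = "console.portal"

# Constructed combined-log-style sample lines: two benign, two matching.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2020:10:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1523
10.0.0.9 - - [29/Oct/2020:10:12:07 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true HTTP/1.1" 200 4021
10.0.0.7 - - [29/Oct/2020:10:13:30 +0000] "GET /index.html HTTP/1.1" 200 311
10.0.0.9 - - [29/Oct/2020:10:14:02 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 302 0
"""

# client, ident, user, [timestamp], "METHOD URI PROTOCOL", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_suspicious(uri: str) -> bool:
    """True when the request URI carries both indicators from the advice above.

    Only the double-encoded form named in the article is checked; a broader
    rule would also cover other encodings of the same traversal.
    """
    lowered = uri.lower()
    return DOUBLE_ENCODED_TRAVERSAL in lowered and CONSOLE_PORTAL in lowered


def find_hits(log_text: str) -> list:
    """Return (client_ip, timestamp, method, uri, status) for each matching line.

    Lines that do not parse as access-log entries are skipped rather than
    treated as matches, so a malformed line never masks or fakes a hit.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, method, uri, status = m.groups()
        if is_suspicious(uri):
            hits.append((ip, ts, method, uri, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("ALERT", *hit)
```

A status of 200 on a matching request deserves the closest attention, since it indicates the console answered the traversal rather than rejecting it; a hit against a server that blocks port 7001 externally is most likely an internal source and should be investigated as such.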


Though these mitigations help for the time being, they are never as effective as the patch, which is the only complete fix for this problem. This vulnerability needs to be addressed as early as possible, before it results in damage to the data of a large number of users.