After Oracle Patch, Hackers Target Vulnerable WebLogic Servers

  

Hackers began targeting Oracle WebLogic servers after April 17, when Oracle released its quarterly Critical Patch Update (CPU) security advisories.

Oracle released a patch for CVE-2018-2628, a vulnerability in the WLS core component of WebLogic, its Java EE application server.

This vulnerability is high risk because it could allow an attacker to execute code on a remote WebLogic server without authenticating.

PoC released last week

The vulnerability was discovered and reported by Xinxi Liao of the NSFOCUS Security Team and an independent security researcher named loopx9. The day after the Oracle patch was released, Xinxi published a blog post on Chinese social networks explaining how the vulnerability worked. A user named Brianwrf created and published proof-of-concept (PoC) code on GitHub that exploits the flaw.

Immediately after the release of the fully weaponized proof-of-concept (PoC) code, scans spiked on port 7001, which runs the vulnerable WebLogic "T3" service.

Oracle CVE-2018-2628 patch is incomplete

According to Alibaba Cloud engineers, Oracle's CVE-2018-2628 patch appears to be incomplete, leaving hackers able to exploit the flaw even on so-called patched WebLogic systems.

According to security researcher Kevin Beaumont, this is because Oracle did not fix the WebLogic problem at its core, but instead blacklisted the commands used to build the exploit chain. According to Beaumont, the problem appears to stem from Oracle engineers missing one or more commands.

For now, Beaumont advises companies to block incoming connections on port 7001 until Oracle releases another, properly working patch for CVE-2018-2628. Administrators should heed Beaumont's advice, as hackers are expected to ramp up their efforts to target WebLogic Server now that news of Oracle's incomplete patch has spread.
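To watch for the port 7001 scanning described above on your own perimeter, the following added example (not part of the original article) finds sources that attempted TCP connections to port 7001 on several distinct hosts. It assumes firewall logs in the iptables `LOG` key=value format; the sample lines, addresses and the `min_hosts` threshold are constructed.

```python
import re
from collections import defaultdict

T3_PORT = 7001  # WebLogic T3 listener port named in the article
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # key=value pairs as written by the LOG target

# Constructed sample lines (documentation address ranges, abbreviated field set).
SAMPLE_LOG = """\
Apr 24 09:14:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=40112 DPT=7001 WINDOW=1024 SYN
Apr 24 09:14:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.11 LEN=60 TTL=49 PROTO=TCP SPT=40113 DPT=7001 WINDOW=1024 SYN
Apr 24 09:14:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.12 LEN=60 TTL=49 PROTO=TCP SPT=40114 DPT=7001 WINDOW=1024 SYN
Apr 24 09:15:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TTL=57 PROTO=TCP SPT=51820 DPT=7001 WINDOW=29200 SYN
Apr 24 09:16:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=40190 DPT=443 WINDOW=1024 SYN
Apr 24 09:16:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.10 LEN=76 TTL=52 PROTO=UDP SPT=123 DPT=7001
"""

def parse_line(line):
    """Return (src, dst) if the line is a TCP connection attempt to the T3 port, else None."""
    fields = dict(FIELD.findall(line))
    flags = set(line.split())
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(T3_PORT):
        return None
    if "SYN" not in flags or "ACK" in flags:
        return None  # keep only initial SYNs, not replies
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields["SRC"], fields["DST"]

def t3_probe_sources(log_text, min_hosts=3):
    """Map each source that tried port 7001 on >= min_hosts distinct hosts to those hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            targets[hit[0]].add(hit[1])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}

if __name__ == "__main__":
    for src, dsts in t3_probe_sources(SAMPLE_LOG).items():
        print(f"{src} probed port {T3_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
```

Lowering `min_hosts` to 1 also lists single-host connections, which is useful once port 7001 is blocked inbound and any remaining hit deserves a look.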

From: bleepingcomputer
