A new zero-day vulnerability has been found in the Oracle WebLogic server and is being targeted in the wild. The zero-day has been reported to Oracle, which had released its quarterly security patches only a few days earlier.
Oracle normally releases security patches every three months, so a patch addressing this zero-day is not expected for another three months, until July.
An estimated 36,000 publicly accessible WebLogic servers are vulnerable to attack, and server owners will have to find temporary fixes to avoid possible breaches.
The zero-day was first discovered on April 21 by KnownSec 404, the company behind ZoomEye, a search engine for discovering internet-connected devices.
According to the company, the attackers are targeting Oracle WebLogic servers running the WLS9_ASYNC and WLS-WSAT components. WLS9_ASYNC adds support for asynchronous server operations, while WLS-WSAT is the server's security component.
A vulnerability in these two components allows the deserialization of malicious code, permitting an attacker to take control of the targeted system.
To prevent attacks, KnownSec 404 suggests that companies either remove the vulnerable components and restart their WebLogic servers, or put a proper firewall in place to block requests to the two URL paths exploited by the attacks (/_async/* and /wls-wsat/*).
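The temporary mitigation above is a path-based block on /_async/* and /wls-wsat/*. A defender who has put such a rule in front of WebLogic will want to confirm it is actually catching traffic and to see which hosts were probing those paths beforehand. The following script is an added example, not code from the article or from KnownSec 404: it parses Common Log Format access-log lines, normalises the request path (case, query string, doubled slashes) and reports every request that falls under the two prefixes, grouped by client IP. The two prefixes come from the article; the log lines, IP addresses and endpoint names under those prefixes are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# URL path prefixes named in the advisory as the entry points used by the
# scanning activity. Anything below /_async/ or /wls-wsat/ should be blocked.
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format: ip ident user [timestamp] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalise_path(path: str) -> str:
    """Lower-case the path, drop the query string and collapse repeated slashes.

    This keeps trivial evasions such as /_ASYNC/ or //wls-wsat/ from slipping
    past a naive prefix comparison. Percent-decoding is left to the proxy or
    WAF that sits in front of the server.
    """
    p = path.split("?", 1)[0].lower()
    while "//" in p:
        p = p.replace("//", "/")
    return p


def is_blocked_path(path: str) -> bool:
    """True if the request path is under a prefix that should be denied."""
    p = normalise_path(path)
    return any(p.startswith(prefix) or p == prefix.rstrip("/")
               for prefix in BLOCKED_PREFIXES)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that touched the vulnerable component paths."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_blocked_path(entry["path"]):
            hits.append(entry)
    return hits


def summarize_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per source IP to spot scanners quickly."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses, made-up
# timestamps). The two endpoint names are illustrative paths under the
# prefixes from the advisory, not observed traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2019:10:15:01 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Apr/2019:10:15:03 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 480',
    '198.51.100.4 - - [22/Apr/2019:10:16:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048',
    '198.51.100.4 - - [22/Apr/2019:10:16:12 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 1024',
    '192.0.2.9 - - [22/Apr/2019:10:17:00 +0000] "POST /_ASYNC/AsyncResponseService?x=1 HTTP/1.1" 404 120',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in sorted(summarize_by_ip(find_hits(SAMPLE_LOG)).items()):
        print(f"{ip}: {n} request(s) to blocked WebLogic paths")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. A status of 200 on a matching line means the request reached the component, so if the block is working those entries should show only the proxy's deny status after the rule went in.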
According to reports from various sources, the attackers are so far only scanning for WebLogic servers and using a benign exploit to test for the vulnerability; they have not yet attempted to install malware or run malicious operations on vulnerable hosts.
Confirmation of these attacks also came from public sources like Waratek and F5 Labs.
The attackers might shift from scanning to full-scale attacks in the coming weeks. WebLogic servers are widely known to be among the servers most sought after by hackers.
For instance, some hackers made over $226,000 worth of Monero in 2017 by exploiting CVE-2017-10271, another Oracle WebLogic flaw that also affected the WLS-WSAT component.
Other attacks were also detected targeting CVE-2018-2628 and CVE-2018-2893, another pair of Oracle WebLogic flaws.
Oracle WebLogic servers are heavily targeted because they usually have access to large amounts of resources. They are also popular and easily found by hackers, making them a prime target.
Besides, WebLogic servers are often deployed in enterprise networks, running intranets or public-facing enterprise apps. Compromising a WebLogic server can be catastrophic, as attackers then have a good chance of obtaining large amounts of sensitive business information.