Oracle logo

For more than a week hackers have started scanning the Internet, searching for machines running Oracle WebLogic servers.

Scans started after April 17, when Oracle published its quarterly Critical Patch Update (CPU) security advisory.

The April 2018 CPU contained a patch for CVE-2018-2628, a vulnerability in the WLS core component of WebLogic, a Java EE application server.

This security issue received a severity score of 9.8 out of 10 because it could allow attackers to execute code on remote WebLogic servers without needing to authenticate.

PoC published online last week

The flaw was discovered and reported by Liao Xinxi of NSFOCUS Security Team and an independent security researcher named loopx9.

A day after the Oracle patches, Xinxi published a blog post on a Chinese social network, explaining how the vulnerability works. Leveraging this info, a user named Brianwrf created and released proof-of-concept (PoC) code on GitHub that could exploit this flaw.

The publishing of a fully-weaponized PoC led to an immediate spike in scans for port 7001, the port running the vulnerable WebLogic "T3" service.

Oracle WebLogic scans on port 7001
Source: SANS ISC
Scans for port 7001
Source: Netlab

Cyber-security firm GreyNoise, the one who first spotted the port 7001 scan spike, said at the time that "opportunistic exploitation has not yet been confirmed," meaning crooks were only scanning the web to look for vulnerable machines, merely to assess the total pool of exploitable machines.

We have asked the GreyNoise team to keep Bleeping Computer informed of the first signs of hackers moving in to capitalize this flaw for actual intrusions.

But while we have not heard back from GreyNoise during the past week, things got worse over the weekend, but for different reasons.

Oracle CVE-2018-2628 patch is incomplete

According to an Alibaba Cloud engineer, Oracle appears to have botched the CVE-2018-2628 patch, and there's a way to bypass the April 2018 patch and exploit the flaw even on supposedly patched WebLogic systems.

According to infosec sleuth Kevin Beaumont, this is because Oracle didn't fix the WebLogic issue at its core, but just blacklisted the commands used for the exploitation chain. The problem, according to Beaumont, is that Oracle engineers appear to have missed one or more commands.

For now, Beaumont is recommending that companies block incoming connections on port 7001 until Oracle issues another —hopefully working— CVE-2018-2628 patch. Admins should heed Beaumont's advice since hackers are expected to ramp up scans and even move to active exploitation after the news of Oracle incomplete patch spreads around.

Related Articles:

Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs

New MassMiner Malware Targets Web Servers With an Assortment of Exploits

Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Servers

Microsoft Edge Bug Exposes Content From Other Sites via HTML5 Audio Tag

Vendor Patches Seven Vulnerabilities Across 392 Camera Models