A new Oracle WebLogic Server zero-day vulnerability is being exploited in the wild, vulnerability testing specialists report. Oracle has already been notified of the flaw, but a fix is likely to take some time, since the company had released its quarterly update package only a couple of days before receiving the vulnerability report.
Vulnerability testing specialists consider it unlikely that Oracle will release new updates before the third quarter of the year, so at least 36k WebLogic servers will remain exposed until the July update is released; until then, WebLogic implementation managers will have to resort to workarounds.
The developers of Zoomeye, a search engine similar to Shodan, reported the vulnerability last weekend. According to their report, hackers are directing their attacks against WebLogic servers running two components: WLS9_ASYNC (which adds support for server operations) and WLS-WSAT (a server security component). The vulnerability, present in both components, can lead to deserialization of malicious code, allowing hackers to take control of the targeted system.
As a protection measure, vulnerability testing experts recommend that WebLogic implementation managers delete the affected components and restart the servers; setting firewall rules that block requests to the URL paths used in the attacks (/_async/* and /wls-wsat/*) is also a working workaround.
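While the path-blocking workaround is in place, administrators will also want to know whether those two paths are being requested at all. The following Python script is an added example, not code from the article or from Oracle: it scans constructed Common Log Format access-log lines (the kind a reverse proxy in front of WebLogic would write) for requests to /_async/* and /wls-wsat/*, normalizing each path first so that percent-encoded, double-slash or mixed-case spellings of the same path are not missed. The log lines, client addresses and sub-paths are constructed sample values.

```python
import re
from urllib.parse import unquote

# URL paths the article names as the ones requested in the attacks. The
# trailing slash is kept so that an unrelated path such as /_async_x/ is ignored.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(target):
    """Canonical form of a request target for prefix matching.

    Drops the query string, percent-decodes twice (catches double encoding),
    collapses repeated slashes and lower-cases, so /%5Fasync/, //WLS-WSAT/
    and /wls-wsat/ all compare as the same path. A trailing slash is added
    so that a bare /_async also matches the /_async/ prefix.
    """
    path = unquote(unquote(target.split("?", 1)[0]))
    path = re.sub(r"/+", "/", path).lower()
    return path if path.endswith("/") else path + "/"


def find_watched_requests(lines):
    """Return (client, method, target, status) for each request to a watched path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize_path(m["target"]).startswith(WATCHED_PREFIXES):
            hits.append((m["client"], m["method"], m["target"], int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic); only the last two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2019:10:15:32 +0000] "POST /_async/service HTTP/1.1" 202 0
203.0.113.7 - - [21/Apr/2019:10:15:40 +0000] "POST /wls-wsat/endpoint HTTP/1.1" 500 214
198.51.100.23 - - [21/Apr/2019:10:16:01 +0000] "GET /%5Fasync/ HTTP/1.1" 200 1834
198.51.100.23 - - [21/Apr/2019:10:16:05 +0000] "GET //WLS-WSAT/?x=1 HTTP/1.1" 200 1834
192.0.2.9 - - [21/Apr/2019:10:16:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4210
192.0.2.9 - - [21/Apr/2019:10:16:15 +0000] "GET /_async_reports/index.html HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for client, method, target, status in find_watched_requests(SAMPLE_LOG.splitlines()):
        print(f"{client} {method} {target} -> {status}")
```

Any hit after the components have been removed or the paths blocked indicates that the server is still being probed and that the block is worth verifying at the proxy or firewall.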
Some WebLogic server administrators claim that, for now, attackers are only running a benign exploit against vulnerable deployments in order to analyze and test the flaw; in other words, hackers are not yet trying to inject malware or run malicious tasks on the compromised hosts.
Specialists from the International Institute of Cyber Security (IICS) claim that WebLogic servers are among the deployments most targeted by threat actors today. On previous occasions, hacker groups managed to extract over $200k USD in Monero cryptocurrency by exploiting a known vulnerability in WebLogic's WLS-WSAT component.