Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

Reference: CERT.be Advisory #2018-022
Version: 1.0
Affected software: WebLogic versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3
Type: Remote code execution vulnerability
CVE: CVE-2018-2893
CVSS: 9.8

Sources

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiti...
https://www.bleepingcomputer.com/news/security/attacks-on-oracle-weblogi...

Risks

Successful exploitation of this vulnerability can result in a takeover of the entire Oracle WebLogic Server without having to know its password. Several proofs of concept have been published and there are reports of successful attacks.

Summary

This vulnerability allows an unauthenticated attacker with network access via the Oracle T3 protocol to compromise the WebLogic Server. It is registered as CVE-2018-2893 and has been rated "critical" with a severity score of 9.8 on the CVSSv3 scale because of its impact, its remote exploitability and its ease of exploitation. Details about this vulnerability were never made public, and Oracle released patches for this bug on July 18, last week. Since then, however, several proofs of concept have been published, and attackers have started to automate and use these PoCs.

Recommended actions

CERT.be recommends that users always keep their systems up to date. Patches can be downloaded at the following address:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

CERT.be recommends that users limit access to port 7001 to the systems that need it.
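The following is an added example, not part of the CERT.be advisory and not an Oracle tool, showing one way to act on the port 7001 recommendation: it validates a source allowlist, generates the corresponding host-firewall rules, evaluates whether a given client address would be admitted, and flags any listener on port 7001 that is bound to all interfaces. The allowlist, the hypothetical ss listing and the rule chain name are constructed for the example; the iptables commands are returned as strings, not executed.

```python
"""Allowlist and exposure check for the WebLogic T3 listen port (added example)."""
import ipaddress

T3_PORT = 7001  # default WebLogic listen port named in the advisory

# Constructed allowlist: the admin network and one application host that
# legitimately need to speak T3 to WebLogic. Everything else is denied.
ALLOWED_SOURCES = ["10.10.5.0/24", "192.0.2.44/32"]

# Constructed output in the shape of `ss -ltn`; the 7001 listener is bound
# to 0.0.0.0, i.e. reachable from every interface.
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:7001        0.0.0.0:*
LISTEN  0       128     127.0.0.1:7002      0.0.0.0:*
"""


def parse_allowlist(entries):
    """Parse CIDR strings into IPv4 networks; strict=True rejects entries
    with host bits set so a typo cannot silently widen the allowlist."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 allowlist only, got {entry}")
        nets.append(net)
    return nets


def is_allowed(src_ip, allowlist):
    """Return True if src_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def iptables_rules(allowlist, port=T3_PORT, chain="INPUT"):
    """Build iptables commands: one ACCEPT per allowed network, then a
    catch-all DROP for the port. Order matters: ACCEPTs must precede DROP."""
    rules = [
        f"iptables -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT"
        for net in allowlist
    ]
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


def exposed_t3_listeners(ss_output, port=T3_PORT):
    """Parse `ss -ltn` style lines and return the local sockets for `port`
    that are bound to a wildcard address (0.0.0.0, *, or [::])."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]
        host, _, p = local.rpartition(":")
        if p == str(port) and host in ("0.0.0.0", "*", "[::]"):
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWED_SOURCES)
    for rule in iptables_rules(nets):
        print(rule)
    print("exposed:", exposed_t3_listeners(SAMPLE_SS))
    print("10.10.5.17 allowed:", is_allowed("10.10.5.17", nets))
```

The listener check is the quick triage step: a 7001 socket bound to 0.0.0.0 on a host without the generated filter is reachable by anything that can route to it, which is the exposure the advisory's final recommendation is meant to remove.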