Oracle WebLogic

On April 17, Oracle released its April 2018 Critical Patch Update (CPU), patching a vulnerability, CVE-2018-2628, in the WLS core component of Oracle WebLogic Server (Fusion Middleware), a Java EE application server, for versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Successful exploitation of this vulnerability could allow threat actors to execute remote code without authenticating to the system. A day later, the researcher who discovered the vulnerability published a blog post detailing how it works. Shortly thereafter, proof-of-concept (PoC) code that could be used to exploit the vulnerability was posted to GitHub. Almost instantly, there was a spike in scans for port 7001, the port used by vulnerable WebLogic “T3” servers, and threat actors began infecting vulnerable servers with malware. Furthermore, an Alibaba Cloud engineer discovered that the patch provided for CVE-2018-2628 can be bypassed, leaving even patched systems vulnerable. The NJCCIC recommends that all users and administrators of Oracle WebLogic servers review the CPU security advisory for more details and, until a complete patch is released by Oracle, block incoming connections on port 7001 for affected servers.
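As an added illustration (not part of the NJCCIC advisory), the following Python script shows how an administrator can check firewall logs for accepted external connections to TCP/7001, the T3 port named above, before and after applying the recommended block. The netfilter-style log format, the sample lines, and the 10.0.0.0/8 "internal" trust boundary are constructed assumptions; adapt the regular expression and the allowed ranges to the firewall in use.

```python
"""Find accepted external connections to the WebLogic T3 port (7001) in firewall logs.

Added example; the log format and sample records below are constructed for
illustration, not taken from the advisory or from any real WebLogic deployment.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: ACCEPT/DROP records in a netfilter-like format.
SAMPLE_LOG = """\
2018-04-19T10:00:01Z ACCEPT TCP src=10.0.1.20 dst=10.0.0.5 dpt=7001
2018-04-19T10:00:02Z ACCEPT TCP src=198.51.100.7 dst=10.0.0.5 dpt=7001
2018-04-19T10:00:02Z ACCEPT TCP src=198.51.100.7 dst=10.0.0.6 dpt=7001
2018-04-19T10:00:03Z ACCEPT TCP src=203.0.113.9 dst=10.0.0.5 dpt=443
2018-04-19T10:00:04Z ACCEPT TCP src=203.0.113.9 dst=10.0.0.5 dpt=7001
2018-04-19T10:00:05Z DROP TCP src=192.0.2.44 dst=10.0.0.5 dpt=7001
"""

# Default WebLogic T3 listen port, as stated in the advisory.
WEBLOGIC_T3_PORT = 7001

# Hypothetical trust boundary: only these ranges may legitimately reach T3.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one log record into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_t3_hits(log_text, port=WEBLOGIC_T3_PORT):
    """Count ACCEPTED connections to `port` per external source address.

    These are exactly the connections the recommended port-7001 block would stop;
    DROP records and internal sources are ignored.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dpt"] != port:
            continue
        if not is_internal(rec["src"]):
            hits[rec["src"]] += 1
    return hits


def targeted_hosts(log_text, port=WEBLOGIC_T3_PORT):
    """Internal destinations that accepted at least one external connection on `port`."""
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dpt"] != port:
            continue
        if not is_internal(rec["src"]):
            hosts.add(rec["dst"])
    return hosts


def main():
    hits = external_t3_hits(SAMPLE_LOG)
    if not hits:
        print("No accepted external connections to port %d" % WEBLOGIC_T3_PORT)
        return
    print("External sources reaching T3 (port %d):" % WEBLOGIC_T3_PORT)
    for src, n in hits.most_common():
        print("  %-16s %d connection(s)" % (src, n))
    print("WebLogic hosts still exposed:", ", ".join(sorted(targeted_hosts(SAMPLE_LOG))))


if __name__ == "__main__":
    main()
```

Run against the real firewall export instead of `SAMPLE_LOG`; any source the script reports after the block is in place means the rule is not covering that path (a second interface, a load balancer forwarding 7001, or an allow rule that is too broad). The internal source in the sample is excluded on purpose, since administrative T3 traffic from trusted networks is expected and is not what the advisory asks to block.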