Your hacker Blog

Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild

Threat actors have started exploiting a critical vulnerability in Oracle WebLogin, tracked as CVE-2020-14882, in attacks in the wild.

Threat actors have started scanning the Internet for servers running vulnerable installs of Oracle WebLogic in the attempt of exploiting the a critical flaw tracked as CVE-2020-14882.

The CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.

The vulnerability received a severity rating 9.8 out of 10, it was addressed by Oracle in this month’s release of Critical Patch Update (CPU).

The vulnerability affects versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab.

Security researchers from SANS Technology Institute set up a collection of honeypots set up allowed the researchers to catch a series of attacks shortly after the exploit code for CVE-2020-14882 was publicly available.

According to Johannes Ullrich, Dean of Research at SANS, the attacks that targeted the honeypots were originated from the following IP addresses:

114.243.211.182 – assigned to China Unicom139.162.33.228 – assigned to Linode (U.S.A.)185.225.19.240 – assigned to MivoCloud (Moldova)84.17.37.239 – assigned to DataCamp Ltd (Hong Kong)According to the SANS expert, the exploit employed in the attacks appears to be based on the code published in this blog post by the researcher Jang.

“These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the “correct” response, and we have not seen follow-up requests yet.” reads the post published by SANS.

SANS Institute is alerting the internet service providers operating the IP addresses involved in the attacks.

The exploit used by the attackers only probe the systems to determine if they are vulnerable.

#CVE-2020–14882 Weblogic Unauthorized bypass RCEhttp://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portalPOST:_nfpb=true&_pageLabel=&handle=https://t.co/jBUfUasQC1.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)https://t.co/nU8xkK30DU pic.twitter.com/uLiggjHnQG— Jas502n (@jas502n) October 28, 2020Searching on Spyse engine for Oracle WebLogic servers exposed online end potentially vulnerable to CVE-2020-14882 we can retrieve more than 3,000 installs.

Explore through 3.3k of IP addresses exposed to CVE-2020-14882 (Vulnerability in the Oracle WebLogic Server). Easy #BugBounty pic.twitter.com/WMLcKG6dV5— Dr.FarFar (@3XS0) October 29, 2020Administrators of Oracle WebLogic installs have to apply the patch for the CVE-2020-14882 vulnerability as soon as possible.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle WebLogic)

The post Critical Oracle WebLogic flaw CVE-2020-14882 actively exploited in the wild appeared first on Security Affairs.