Oracle's July 2018 Critical Patch Update fixed a large batch of security vulnerabilities, but systems that have not yet been brought fully up to date with it are now under active attack by criminals deliberately scanning for unpatched installations. At the center of the attacks is CVE-2018-2893, a remotely exploitable vulnerability in the WLS Core Components of Oracle WebLogic Server, part of Oracle Fusion Middleware. Affected versions are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. The vulnerability is rated 9.8 on the CVSS 3.0 scale, reflecting both its severity and how easily it can be exploited: no authentication, no user interaction, and only network access to the vulnerable service are required.
Oracle credits five researchers with reporting the flaw: 0c0c0f, Badcode of Knownsec 404 Team, Liao Xinxi of NSFOCUS Security Team, Lilei of Venustech ADLab, and Xu Yuanzhen of Alibaba Cloud Security Team. The problem is an unsafe Java deserialization path reachable over WebLogic's proprietary T3 protocol, the same channel the server uses for RMI and inter-server traffic, and it is normally exposed on the administration and managed-server listen ports (7001 by default). Because the malicious object is processed before any login takes place, an attacker needs no credentials: anyone who can reach the T3 listener can have the server deserialize attacker-controlled data and execute arbitrary code. From there an attacker holds the server outright and can install malware, steal data, and pivot into the surrounding network.
Several proofs of concept were published for this vulnerability, and a number of them were later taken offline because they were being used directly in real attacks. The first exploitation attempts in the wild were observed on 21 July, only days after the patch shipped. Since then the proof of concept has circulated widely online, ostensibly to raise awareness, but the main effect has been to hand attackers ready-made code that they have adapted into their own exploitation campaigns, and the number of observed attempts has risen steadily day by day. Researchers at SANS ISC and Qihoo 360 Netlab identified two distinct groups exploiting the flaw at scale with automated scanning, and both are being tracked while their attacks are contained as far as possible.
Oracle urges administrators to apply the Critical Patch Update without delay, and in particular the WebLogic patch that addresses CVE-2018-2893, since patching is the only fix for the underlying flaw. Until the patch can be applied, the exposure can be reduced by keeping the T3 and T3S protocols off the internet and restricting them to trusted hosts, for example with a WebLogic connection filter or a network firewall rule on the listen ports; this limits who can reach the vulnerable code path but does not remove it, so it is a stopgap rather than a substitute for the update.
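Before patching, it helps to know which hosts actually expose T3 to a given network position, since that is the precondition for an attack. The script below is an added example written for this article, not code from Oracle or from any of the reports cited above. It sends the T3 client greeting and parses the server's HELO banner, which carries the WebLogic version string, then checks the reported version against the affected list. It assumes the default listen port 7001 and the documented banner format ("HELO:<version>.<flag>"); the sample response used in the parsing check is constructed here for illustration. One caveat a practitioner should keep in mind: the banner reports the product version, not the patch level, so a patched 12.2.1.3 server still answers as 12.2.1.3. The probe therefore tells you that T3 is reachable and which release is running, which is enough to prioritize patching, but it cannot confirm that a host is still vulnerable.

```python
import re
import socket
import sys

# Versions Oracle lists as affected by CVE-2018-2893 in the July 2018 CPU.
AFFECTED_VERSIONS = ("10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3")

# Client side of the T3 handshake: protocol name and version, then the
# abbreviation-table size (AS) and header length (HL), ending in a blank line.
# A WebLogic T3 listener answers with its own "HELO:<version>.<flag>" banner.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"


def parse_t3_helo(response: bytes):
    """Return the WebLogic version from a T3 HELO response, or None.

    A server reply looks like b"HELO:12.2.1.3.0.false\\nAS:2048\\nHL:19\\n\\n".
    The numeric run after "HELO:" is the version; the trailing ".false"/".true"
    flag is not part of it, so the regex stops at the first non-numeric field.
    """
    m = re.search(rb"HELO:(\d+(?:\.\d+)+)", response)
    return m.group(1).decode("ascii") if m else None


def is_affected(version):
    """True if a reported version falls within the affected list.

    Servers report a five-part version such as 12.2.1.3.0, so the comparison
    is a prefix match against the four-part versions from the advisory.
    """
    if not version:
        return False
    return any(version == v or version.startswith(v + ".") for v in AFFECTED_VERSIONS)


def probe_t3(host, port=7001, timeout=5.0):
    """Send a T3 HELO to host:port and return (t3_reachable, version).

    t3_reachable is True only when the service answered with a T3 banner;
    a closed port or a non-T3 service yields (False, None).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HELLO)
            data = sock.recv(1024)
    except OSError:
        return (False, None)
    version = parse_t3_helo(data)
    return (version is not None, version)


if __name__ == "__main__":
    # Usage: python t3_probe.py <host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    reachable, ver = probe_t3(target, target_port)
    if not reachable:
        print(f"{target}:{target_port}: no T3 banner (port closed or protocol filtered)")
    else:
        status = "in the affected version list" if is_affected(ver) else "not in the affected list"
        print(f"{target}:{target_port}: T3 exposed, WebLogic {ver}, {status}")
```

Run it from the network position you care about (the internet edge, a DMZ, a user VLAN): a banner coming back means that position can reach the vulnerable code path, regardless of what the version says. A reply from a host that should be filtered is the finding; fix the exposure and then patch.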