Active exploitation of the Oracle WebLogic Server RCE vulnerability (CVE-2020-14882)

By Bhabesh Raj Rai, Associate Security Analytics Engineer

The October release of Oracle’s quarterly Critical Patch Update (CPU) fixed a total of 402 vulnerabilities across its various product families. More than half of the vulnerabilities were remote exploitable that did not require authentication. One of the vulnerabilities, CVE-2020-14882, is an RCE flaw in the WebLogic server and has a CVSS score of 9.8 out of 10. Published PoC exploits show that attackers are actively exploiting the CVE-2020-14882 vulnerability using honeypots.

According to Oracle, the attack complexity is low, requires no privileges, and attackers can exploit it via HTTP. The versions affected by this vulnerability are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. A simple Shodan scan on November 4 discovered around 3,000 WebLogic Console endpoints on HTTP port 7001.

One week after the patch release, Johannes B. Ullrich of SANS, said that based on honeypot telemetry, cybercriminals are now actively exploiting the vulnerability from a total of four IP addresses: 114.243.211.182, 139.162.33.228, 185.225.19.240 and 84.17.37.239. Ullrich noted that the exploit, which consists of a single GET request, is based on a Vietnamese blog posted on October 28, 2020.

Security researcher Kevin Beaumont tweeted how attackers can exploit the flaw via a POST request.

As reported in the ISC diary by Ullrich, attackers can easily exploit the vulnerability by a single GET request. LogPoint can detect the exploit attempt by searching for admin portal console.portal in the request URL.

(url = "*console.portal*exec(*" OR resource = "*console.portal*exec(*")

Also, it is important to review logs for HTTP requests that include the double-encoded path traversal %252E%252E%252F, which may indicate an exploitation attempt.

(url = "*%252E%252E%252F*" OR resource = "*%252E%252E%252F*")

Not to forget, LogPoint can also alert on any network activity from the 4 IP addresses provided in the ISC diary that attackers are using to actively exploit the honeypots.

(device_category=Firewall OR device_category=ProxyServer) (source_address IN [114.243.211.182, 139.162.33.228, 185.225.19.240, 84.17.37.239] OR destination_address IN [114.243.211.182, 139.162.33.228, 185.225.19.240, 84.17.37.239])

If you suspect that your server is already compromised, it is better to monitor child process creations by command prompt and PowerShell to detect any successful remote code executions.

norm_id=WinServer label="Process" label=Create parent_process IN ["*\cmd.exe", "*\powershell.exe"]

Attackers are continuing to bombard Oracle WebLogic servers with critical exploits from the critical deserialization vulnerability (CVE-2019-2725), which was used to spread the Sodinokibi ransomware to another critical RCE flaw (CVE-2019-2729). Both vulnerabilities were actively exploited in the wild.

We highly advise that Oracle WebLogic Server users update their systems as soon as possible. It should be noted that for attackers to succeed with the exploit from the Internet, the admin console, normally on port 7001, needs to be exposed externally. However, insider threats lurking inside the enterprise could exploit the flaw, so we recommend that system administrators patch their systems.