A deserialization vulnerability in Oracle WebLogic has been disclosed by multiple 3rd party researchers and organizations. The vulnerability allows unauthenticated attackers to compromise WebLogic server via T3 protocol. The affected component is WLS Core components. Upon successful exploitation an attacker can take over the target server via remote code execution .CVE-2018-2893 has been assigned to track this vulnerability. Oracle has addressed this issue in July critical patch updates. . Below are the affected versions.
- WebLogic 10.3.6.0
- WebLogic 12.1.3.0
- WebLogic 12.2.1.2
- WebLogic 12.2.1.3
Vulnerability
As mentioned in the earlier section, it is a destabilization vulnerability. A similar issue, CVE-2018-2628 was addressed by Oracle in April Critical Patch Updates. The issue was fixed by blacklisting sun.rmi.server.UnicastRef. This fix is bypassed in CVE-2018-2893. Attackers can serialized weblogic.jms.common.StreamMessageImpl to bypass the blacklist and call RMI classes when it is deserialized.
Exploitation
NetLab@360 have reported that CVE-2018-2893 is being exploited to deploy XMRig (open sourced cryptominer) cryptominer on WebLogic servers, the attacks were noticed after Oracle released the July advisory. Aslo a PoC for exploiting CVE-2018-2893 is available online.
Mitigation
We request organizations to apply the latest patches from Oracle to address this vulnerability. Qualys customers can scan their network using QID:87338 for detecting vulnerable targets.
Please continue to follow Qualys Threat Protection for information on this vulnerability.
References
CVE-2018-2893: Oracle WebLogic Server Remote Code Execution Vulnerability
Oracle Critical Patch Update Advisory – July 2018
Weblogic Exploit Code Made Public (CVE-2018-2893)
Malicious Campaign luoxk Is Actively Exploiting CVE-2018-2893