Oracle warns that a vulnerability in WebLogic Server that has since been patched is being actively exploited. By exploiting the vulnerability, it is possible, for example, to deploy cryptomalware or ransomware on a server.
Oracle warns in a patch update that WebLogic servers are under active attack. It is not known how many attacks there have been or what kind of servers are being targeted. Tens of thousands of servers worldwide run the software.
Oracle released a patch in mid-April that addressed, among other things, vulnerability CVE-2020-2883. That vulnerability was in versions 10.3.6.0.0, 22.214.171.124.0, 126.96.36.199.0, and 188.8.131.52.0 of WebLogic Server. Oracle patched the vulnerability, which was given a severity rating of 9.8 on a scale of 10, after Trend Micro discovered it. Many server administrators have not yet applied the patch. A proof of concept for the bug is now online.
Attackers can exploit the vulnerability by sending a malicious payload via Oracle's proprietary T3 protocol. The attack occurs the moment the server unpacks the payload. According to Oracle, no user interaction is required to exploit the vulnerability. This allows hackers to take over a system.
Oracle warns that the vulnerability could be exploited to transmit malware, such as ransomware or cryptojackers. Because no user interaction is required, it would also be possible to automatically integrate such servers into botnets.
WebLogic Server has been attacked many times in the past. Oracle warns companies to update their software as soon as possible.