Security researchers have found a new zero-day vulnerability that affects Oracle WebLogic Server. The vulnerability is currently being exploited in the wild. Oracle has been notified, but it had released its quarterly security update four days before the discovery.
This means that an update that fixes the vulnerability will not be available until July, according to ZDNet, because Oracle only releases a security update once every three months. In the meantime, more than 36,000 publicly accessible WebLogic servers are vulnerable to attacks. Owners of the servers will have to use temporary mitigations to prevent possible attacks.
The vulnerability was discovered on 21 April by KnownSec 404, the company behind ZoomEye, a search engine for discovering Internet-connected devices. The company says that attackers are targeting Oracle WebLogic servers that run the WLS9-ASYNC and WLS-WSAT components. The first component supports asynchronous server operations. The second is a security component.
A vulnerability in these two components can trigger the deserialization of malicious code. This allows an attacker to take over the targeted system.
To prevent attacks, KnownSec 404 recommends that companies either remove the vulnerable components and restart the WebLogic servers, or set up firewall rules that block requests to the two URL paths abused in the attacks. These are /_async/* and /wls-wsat/*.
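An added example (not from the article or from KnownSec 404): a Python check that scans web access logs for requests to the two paths, so an operator can see whether a server has been probed and confirm that a blocking rule is matching. The common/combined log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# The two URL path prefixes named in the article.
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")

# Assumed common/combined access-log layout: client ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical lowercase path for matching."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # decode twice so double percent-encoding is also seen
        path = unquote(path)
    path = re.sub(r"/{2,}", "/", path.replace("\\", "/"))
    # Resolve "." and ".." segments; lowercase as a conservative choice.
    return posixpath.normpath(path).lower()

def is_blocked(target: str) -> bool:
    """True if the normalized path is one of the two prefixes or lies below it."""
    return (normalize_path(target).rstrip("/") + "/").startswith(BLOCKED_PREFIXES)

def find_hits(log_lines):
    """Return (client, method, target, status) for every matching request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and is_blocked(m["target"]):
            hits.append((m["client"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2019:10:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Apr/2019:10:01:05 +0000] "POST /_async/example HTTP/1.1" 202 0',
    '203.0.113.9 - - [26/Apr/2019:10:01:06 +0000] "GET /wls-wsat/example?x=1 HTTP/1.1" 200 128',
    '192.0.2.44 - - [26/Apr/2019:10:02:10 +0000] "POST /%5Fasync/example HTTP/1.1" 202 0',
    '192.0.2.44 - - [26/Apr/2019:10:02:11 +0000] "GET /static/../WLS-WSAT/example HTTP/1.1" 404 0',
    '198.51.100.7 - - [26/Apr/2019:10:03:00 +0000] "GET /_asyncdocs/index.html HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A status other than the one the blocking rule returns (for example a 200 or 202 after the rule was deployed) indicates the request still reached the application and the rule needs review.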
Several sources in the cybersecurity community tell ZDNet that the attackers are so far only scanning for WebLogic servers and using a benign exploit to test whether they are vulnerable. For the time being, they are not trying to place malware or run malicious operations on vulnerable hosts.
In all probability, activity in this area will change in the coming weeks. Hackers are likely to stop scanning and testing vulnerable servers and switch to full attacks.