Following a botched patch Oracle published earlier this month on Java Deserialization vulnerability in its WebLogic server, aggressive scanning attempts were observed across the internet for enumerating machines running Oracle WebLogic servers.
Following a botched patch Oracle published earlier this month on Java Deserialization vulnerability in its WebLogic server, aggressive scanning attempts were observed across the internet for enumerating machines running Oracle WebLogic servers. There was a large spike in devices scanning the Internet for TCP port 7001 beginning last week. This activity corresponds directly with the disclosure and weaponization of Oracle WebLogic CVE-2018-2628 
The bug in question, CVE-2018-2628, a critical vulnerability in the WLS core component of WebLogic, a Java EE application server, was known to be fixed in April 2018 CPU (Critical Patch Update). Over the weekend, @pyn3rd (Twitter bio claims to be “Security researcher at Alibaba Cloud), tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC). #CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately, the Critical Patch Update of 2018.4 can be bypassed easily. pic.twitter.com/Vji19uv4zj— pyn3rd (@pyn3rd) April 28, 2018How could this be? From @pyn3rd again:there is the difference, just use replace pic.twitter.com/xeH0Ck86G3— pyn3rd (@pyn3rd) April 29, 2018 According to InfoSec Pro Kevin Beaumont, this is because Oracle didn't fix the WebLogic issue at its core, but just blacklisted the commands used for the exploitation chain. In this case, they have missed one or more commands. Till date, the attempts were only for enumerating the volume of WebLogic servers across the web, but an active exploit could allow a remote attacker to completely take over the affected WebLogic Server. Affected Versions
The bug in question, CVE-2018-2628, a critical vulnerability in the WLS core component of WebLogic, a Java EE application server, was known to be fixed in April 2018 CPU (Critical Patch Update). Over the weekend, @pyn3rd (Twitter bio claims to be “Security researcher at Alibaba Cloud), tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC). #CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately, the Critical Patch Update of 2018.4 can be bypassed easily. pic.twitter.com/Vji19uv4zj— pyn3rd (@pyn3rd) April 28, 2018How could this be? From @pyn3rd again:there is the difference, just use replace pic.twitter.com/xeH0Ck86G3— pyn3rd (@pyn3rd) April 29, 2018 According to InfoSec Pro Kevin Beaumont, this is because Oracle didn't fix the WebLogic issue at its core, but just blacklisted the commands used for the exploitation chain. In this case, they have missed one or more commands. Till date, the attempts were only for enumerating the volume of WebLogic servers across the web, but an active exploit could allow a remote attacker to completely take over the affected WebLogic Server. Affected Versions- WebLogic Server 10.3.6.0.0
- WebLogic Server 12.1.3.0.0
- WebLogic Server 12.2.1.1.0
- WebLogic Server 12.2.1.2.0
Read more on: Warning! Multiple Severe Vulnerabilities Discovered in PHP