{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-018.pdf"
    },
    "title": "WebLogic Vulnerability Exploited In The Wild",
    "serial_number": "2018-018",
    "publish_date": "26-07-2018 15:00:00",
    "description": "Recently Oracle released patches for vulnerability CVE-2018-2893. This vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server. Exploits were published on GitHub and on other websites after the announcement of the security updates. There were reported attacks against vulnerable instances.",
    "url_title": "2018-018",
    "content_markdown": "---\ntitle: 'WebLogic Vulnerability Exploited In The Wild'\nversion: '1.0'\nnumber: '2018-018'\ndate: 'July 26, 2018'\n---\n\n_History:_\n\n* _26/07/2018 --- v1.0: Initial publication_\n\n# Summary\n\nRecently Oracle released patches for vulnerability CVE-2018-2893. This vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server.\nExploits were published on GitHub and on other websites after the announcement of the security updates. There were reported attacks against vulnerable instances.\n\n# Technical Details\n\nOn the 18th of July 2018, Oracle released patches for vulnerability CVE-2018-2893 with an assigned CVSS score of 9.8. [1]\n\nThe vulnerability allows an unauthenticated attacker to remotely take control of a WebLogic Server. [1]\n\nOracle published only the patches and never made details of the vulnerability public. Exploits were published on GitHub and on other websites after the announcement of the security updates. [2],[3],[4],[5]\n\nThere were reported attacks against vulnerable instances. [6],[7]\n\n# Products Affected\n\nOracle WebLogic servers running versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are known to be vulnerable.\n\n# Recommendations\n\n* Apply the Oracle July 2018 updates as soon as possible, and especially the patches for CVE-2018-2893.\n* Block external access to port 7001 as the flaw is exploited via this port.\n* Use detection rules in monitoring devices, for example the Sigma rule in [8].\n\n# References\n\n[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893>\n\n[2] <https://www.bleepingcomputer.com/news/security/attacks-on-oracle-weblogic-servers-detected-after-publication-of-poc-code/>\n\n[3] <https://github.com/shengqi158/CVE-2018-2628>\n\n[4] <https://github.com/anbai-inc/CVE-2018-2893/>\n\n[5] <https://www.securityweek.com/recently-patched-oracle-weblogic-flaw-exploited-wild>\n\n[6] <https://isc.sans.edu/forums/diary/Weblogic+Exploit+Code+Made+Public+CVE20182893/23896/>\n\n[7] <http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/>\n\n[8] <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/07/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Recently Oracle released patches for vulnerability CVE-2018-2893. This vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server. Exploits were published on GitHub and on other websites after the announcement of the security updates. There were reported attacks against vulnerable instances.</p><h2 id=\"technical-details\">Technical Details</h2><p>On the 18th of July 2018, Oracle released patches for vulnerability CVE-2018-2893 with an assigned CVSS score of 9.8. [1]</p><p>The vulnerability allows an unauthenticated attacker to remotely take control of a WebLogic Server. [1]</p><p>Oracle published only the patches and never made details of the vulnerability public. Exploits were published on GitHub and on other websites after the announcement of the security updates. [2],[3],[4],[5]</p><p>There were reported attacks against vulnerable instances. [6],[7]</p><h2 id=\"products-affected\">Products Affected</h2><p>Oracle WebLogic servers running versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are known to be vulnerable.</p><h2 id=\"recommendations\">Recommendations</h2><ul><li>Apply the Oracle July 2018 updates as soon as possible, and especially the patches for CVE-2018-2893.</li><li>Block external access to port 7001 as the flaw is exploited via this port.</li><li>Use detection rules in monitoring devices, for example the Sigma rule in [8].</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/attacks-on-oracle-weblogic-servers-detected-after-publication-of-poc-code/\">https://www.bleepingcomputer.com/news/security/attacks-on-oracle-weblogic-servers-detected-after-publication-of-poc-code/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/shengqi158/CVE-2018-2628\">https://github.com/shengqi158/CVE-2018-2628</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/anbai-inc/CVE-2018-2893/\">https://github.com/anbai-inc/CVE-2018-2893/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.securityweek.com/recently-patched-oracle-weblogic-flaw-exploited-wild\">https://www.securityweek.com/recently-patched-oracle-weblogic-flaw-exploited-wild</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://isc.sans.edu/forums/diary/Weblogic+Exploit+Code+Made+Public+CVE20182893/23896/\">https://isc.sans.edu/forums/diary/Weblogic+Exploit+Code+Made+Public+CVE20182893/23896/</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/\">http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/</a></p><p>[8] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/Neo23x0/sigma/blob/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml\">https://github.com/Neo23x0/sigma/blob/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}