
Oracle WebLogic Server Exploitation - 20240701004

Overview

Trend Micro has released an article announcing the active exploitation of vulnerabilities in Oracle WebLogic Server to deploy cryptocurrency miners via PowerShell scripts. The exploitation method uses a multi-stage loading technique that chains multiple CVEs in the product.

What is vulnerable?

| Products Affected | CVE | CVSS | Severity | Summary |
|---|---|---|---|---|
| Oracle WebLogic Server | CVE-2023-21839 | 7.5 | High | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. |
| Oracle WebLogic Server | CVE-2017-3506 | 7.4 | High | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. |
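The two CVEs reach WebLogic over different protocols: T3/IIOP for CVE-2023-21839 and HTTP for CVE-2017-3506. Added example (not from the advisory or from Oracle): a simplified, first-match model of WebLogic's documented connection-filter rule format (`target localAddress localPort action protocols`) used to verify offline that a rule set confines T3/IIOP to a single admin host; the addresses and rules are constructed for illustration.

```python
import ipaddress

# Constructed rule set (not from the advisory). Format follows WebLogic's
# connection filter: "target localAddress localPort action protocols".
# Rules are evaluated top to bottom; the first matching rule decides.
RULES = """
# admin jump host (constructed address) may use T3/T3S on the admin port only
10.1.1.10 * 7001 allow t3 t3s
# every other source is denied T3 and IIOP on any listen address and port
0.0.0.0/0 * * deny t3 t3s iiop iiops
"""

def parse_rules(text):
    """Return a list of (network, local_addr, local_port, action, protocols)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        # accepts a bare host, CIDR prefix or dotted netmask
        network = ipaddress.ip_network(target, strict=False)
        rules.append((network, local_addr, local_port, action, set(protocols)))
    return rules

def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Simplified evaluation: 'allow' or 'deny' from the first matching rule.
    A connection matched by no rule is allowed (the filter's default), which
    is why the rule set above ends with a catch-all deny for T3/IIOP."""
    addr = ipaddress.ip_address(remote_ip)
    for network, r_addr, r_port, action, protocols in rules:
        if addr not in network:
            continue
        if r_addr != "*" and r_addr != local_addr:
            continue
        if r_port != "*" and r_port != str(local_port):
            continue
        if protocol not in protocols:
            continue
        return action
    return "allow"

def check_policy(text):
    """Decisions for constructed scenarios; 10.1.1.20 is the server's listen address."""
    rules = parse_rules(text)
    return {
        "internet_t3": evaluate(rules, "203.0.113.5", "10.1.1.20", 7001, "t3"),
        "internet_iiop": evaluate(rules, "203.0.113.5", "10.1.1.20", 7001, "iiop"),
        "admin_t3": evaluate(rules, "10.1.1.10", "10.1.1.20", 7001, "t3"),
        "admin_t3_other_port": evaluate(rules, "10.1.1.10", "10.1.1.20", 8001, "t3"),
        "internet_http": evaluate(rules, "203.0.113.5", "10.1.1.20", 7001, "http"),
    }
```

The `internet_http` case still evaluates to `allow`: a T3/IIOP filter narrows the CVE-2023-21839 vector but does nothing for the HTTP vector of CVE-2017-3506, so it complements patching rather than replacing it.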

What has been observed?

There is no evidence of active exploitation in the wild at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of 48 hours (refer to Patch Management):

Additional References