In this article, we will cover the latest vulnerability of Oracle’s WebLogic Server, which is one of the serious remote code vulnerabilities. CVE-2023-21839, which targets WebLogic Server, a Java web application server developed by Oracle, was first mentioned about three months ago as a vulnerability that could be exploited by RCE (Remote Code Execution). As it is a global service that develops and provides database management systems and related hardware, software, and cloud systems, large-scale customers such as corporations and government agencies have been affected.  

Oracle RCE Vulnerability Emerged as a Critical Issue

In October 2020, a Vietnamese security researcher discovered a vulnerability in a WebLogic Server product and released detailed technical information about how easy it is easy to exploit. Various media outlets have reported on the vulnerability CVE-2020-14882, and Oracle officially acknowledged the discovery of the critical WebLogic Server vulnerability and developed a patch. On the other hand, active exploit attacks have rapidly increased since the patch.

Oracle’s official announcement of the emergency security patch at the time
Oracle’s official announcement of the emergency security patch at the time

Oracle said the vulnerable WebLogic software could execute arbitrary code on a victim’s server without going through an authentication process, thus recommending applying the patch as soon as possible. Two and a half years after the release of the security update patch, we checked with Criminal IP, a threat intelligence search engine, to see if any servers are still exposed to this vulnerability. 

Search Query: cve_id : CVE-2020-14882

Search results for servers exposed to the CVE-2020-14882 vulnerability
Search results for servers exposed to the CVE-2020-14882 vulnerability

In Asset Search, you can check the status of country information, open port, services, AS names, and products by IP only by searching for vulnerabilities. And through this information, you can check open ports that violate security policies and whether there are vulnerable IPs.  

About Oracle WebLogic 

This time, we will dig deeper into the IP addresses using Oracle WebLogic Server that are detected by Asset Search’s Product filter, rather than specific vulnerabilities. 

Search Query: product: Weblogic server

IP address search results using Oracle WebLogic Server
IP address search results using Oracle WebLogic Server
Country statistics for Oracle WebLogic Server
Country statistics for Oracle WebLogic Server

The United States, China, and Japan, Oracle’s main customer countries, naturally took the top 1, 2, and 3 spots. Of course, the state of countries using WebLogic Server is not the same as the state of countries exposed to Oracle RCE vulnerabilities. For example, you can notice that Japan, which uses the third most WebLogic servers, is excluded from the graph of countries exposed to vulnerabilities shown above. This can be interpreted as an effort to reduce the leakage of sensitive information or damage to large-scale customers such as corporations and government agencies through cybersecurity reinforcement, regular inspection, and patch application.

Port statistics using Oracle WebLogic Server
Port statistics using Oracle WebLogic Server

Most websites use Port 443 and Port 80 to establish a secure connection, encrypt data, or connect to the required web server. Depending on the user’s customization, Port 8000 and Port 8080 are often used for specific applications, development, and testing purposes.

The port to note here is Port 7001, which is mainly used by WebLogic Server. In 2018, a serious vulnerability called CVE-2018-2628 (RCE Using Java Deserialization Vulnerability) was discovered, but Oracle didn’t patch it in the near future. As a temporary measure to address the possibility of patch bypass, Oracle had previously recommended that access control, such as through a firewall, be implemented to ensure that only authorized systems and administrators can access the vulnerability-affected service port (7001).

Oracle WebLogic RCE Attack Prevention Checklist and Vulnerability Detection

  1. Using the latest version of the WebLogic application:
    • Use the latest version of the WebLogic application and apply the security patch that addresses the vulnerability.
    • Check and apply security patches and updates through Oracle’s official site.
  2. External access restrictions:
    • Block external access to WebLogic Server.
    • Minimize access permissions so that only those who need it can access it.
    • Manage secure access by utilizing user authentication and authorization functions.
  3. Web Firewall Settings:
    • A web firewall is installed in front of the WebLogic server to block malicious traffic.
    • Install a web firewall in front of your WebLogic server to block malicious traffic.
  4. WebLogic Monitoring:
    • Monitor weblogs in real time to detect unknown access or malicious behavior.
    • Take measures and respond quickly when abnormal behaviors are detected.

If you follow the checklist and methods above, you can prepare for Oracle Web Logic’s RCE attack, and you can prevent it in advance by monitoring the database of vulnerabilities disclosed on the Internet through the Criminal IP search engine.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]

Data Source: Criminal IP (https://www.criminalip.io)

Related Article:

Detect Citrix Vulnerabilities With the OSINT Tool: CVE-2022-27510, CVE-2022-27518