How to Prevent Oracle WebLogic Server Vulnerability

by Stephen la Rocca

Business Development, PITSS GmbH

The US IT security company GreyNoise is currently reporting a sharp increase in scanning activity for vulnerable WebLogic servers.

Updates are already available, but the attackers can apparently bypass them already, and the updates do not address the root of the problem. The vulnerability with the identifier CVE-2018-2628 appears to be particularly critical.

"GreyNoise has observed a large spike in devices scanning the Internet for TCP port 7001 beginning last week on 4/16/18. This activity corresponds directly with the disclosure (4/18/2018) and weaponization (4/18/18) of Oracle WebLogic CVE-2018-2628. Ref: https://t.co/3qdeQSF59T"
— GreyNoise Intelligence (@GreyNoiseIO), April 24, 2018, https://twitter.com/GreyNoiseIO/status/988685136035307520

Close the vulnerability and block TCP port 7001

If you use Oracle WebLogic Server, you should definitely take action. First, install the latest version as soon as possible. That alone, however, does not seem to be enough.

Security researcher Kevin Beaumont warns that the most recent patch did not close the actual vulnerability, but merely blacklisted certain commands. It is therefore important to additionally block TCP port 7001 to prevent external access.

"Oh dear. There's a zero day in Oracle WebLogic because the April patch didn't fix the issue properly. Mitigation: make sure port 7001 TCP is blocked inbound to your Fusion stack boxes. https://t.co/EqjqMwzXNp"
— Kevin Beaumont (@GossiTheDog), April 29, 2018, https://twitter.com/GossiTheDog/status/990621460476649472
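The two steps recommended above (check whether port 7001 is reachable from outside, then block it inbound) can be put into a small script. The following is an added example and is not code from the original post or from PITSS or Oracle; it assumes a Linux host with `ss` and `iptables`, and the `ss` output it inspects is a constructed sample rather than a capture from a real server. The administrative network `10.0.0.0/24` is a placeholder to be replaced with the hosts that legitimately need the port.

```shell
#!/bin/sh
# Added example (not part of the original post): find WebLogic listeners on
# TCP 7001 that are bound to a non-loopback address, and emit iptables rules
# that allow the port only from an administrative network.

# Constructed sample of `ss -ltn` output. On a real host replace this with
# the output of `ss -ltn` itself (see the usage at the bottom).
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:5556        0.0.0.0:*
LISTEN  0      128    0.0.0.0:7001          0.0.0.0:*
LISTEN  0      128    [::]:7001             [::]:*
LISTEN  0      128    10.0.0.5:7002         0.0.0.0:*'

# Print the local address of every LISTEN socket on the given port that is
# not bound to loopback. Reads ss-style output on stdin, one address per line.
exposed_listeners() {
  port="$1"
  awk -v p="$port" '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      if (parts[n] != p) next                 # different port
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (host == "127.0.0.1" || host == "[::1]") next   # loopback only
      print host
    }'
}

# Count exposed listeners for a port in the constructed sample.
count_exposed() {
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$1" | wc -l | tr -d ' '
}

# Emit iptables rules that accept TCP/<port> only from <admin_net> and drop
# everything else. The rules are printed, not applied, so they can be
# reviewed before being loaded into the firewall.
t3_port_rules() {
  port="$1"
  admin_net="$2"
  printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin_net"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone run: report exposed 7001 listeners in the sample, then print
# the proposed rules. On a real host use:  ss -ltn | exposed_listeners 7001
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 7001
t3_port_rules 7001 '10.0.0.0/24'
```

The check is deliberately kept separate from the rule generation: a listener bound to `0.0.0.0` or `[::]` is what makes the port reachable from outside, and the generated rules restrict the whole port rather than a single protocol, which matches the advice above to block port 7001 inbound except for the hosts that administer the server.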

If you’re looking for help updating, modernizing, and securing your vulnerable WebLogic server, contact PITSS today.