How to Prevent Oracle WebLogic Server Vulnerability
by Stephen la Rocca
Business Development, PITSS GmbH
The US IT security company Greynoise is currently reporting heavily increased scanning activity for vulnerable WebLogic servers.
Although there are already updates available for these which apparently can already be bypassed by the attackers, the updates do not solve the crux of the problem. Particularly critical seems to be the vulnerability with the identifier CVE-2018-2628.
GreyNoise has observed a large spike in devices scanning the Internet for TCP port 7001 beginning last week on 4/16/18. This activity corresponds directly with the disclosure (4/18/2018) and weaponization (4/18/18) of Oracle WebLogic CVE-2018-2628. Ref: https://t.co/3qdeQSF59T— GreyNoise Intelligence (@GreyNoiseIO) April 24, 2018
Close the vulnerability and block TCP port 7001
If you use Oracle WebLogic Server, you should definitely take action. On one hand, the latest version must be installed as soon as possible. That alone does not seem to be enough.
Security researcher Kevin Beaumant warns that the most recent patch did not close the actual vulnerability, but merely blacklisted certain commands. Therefore, it is important to additionally block TCP port 7001 in order to avoid external access.
If you’re looking for help updating, modernizing, and securing your vulnerable WebLogic server, contact PITSS today.