{"id":21919,"date":"2023-05-03T16:11:01","date_gmt":"2023-05-04T00:11:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/05\/03\/news-15650\/"},"modified":"2023-05-03T16:11:01","modified_gmt":"2023-05-04T00:11:01","slug":"news-15650","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/05\/03\/news-15650\/","title":{"rendered":"Oracle WebLogic Server vulnerability added to CISA list as \u201cknown to be exploited\u201d"},"content":{"rendered":"<p>On May 1, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"nofollow\">Known Exploited Vulnerabilities Catalog<\/a>, based on evidence of active exploitation.<\/p>\n<p>This means that Federal Civilian Executive Branch (FCEB) agencies are obliged to remediate the vulnerabilities by May 22, 2023. For the rest of us it means &#8220;pay attention&#8221;: anyone else running a vulnerable system should patch as fast as possible too.<\/p>\n<p>The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs added by CISA were:<\/p>\n<ul>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-1389\" target=\"_blank\" rel=\"nofollow\">CVE-2023-1389<\/a> is a vulnerability in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Affected versions contain a command injection vulnerability in the country form of the <span style=\"background-color: #ffffff; color: #ff0000;\">\/cgi-bin\/luci;stok=\/locale<\/span> endpoint on the web management interface. 
Specifically, the country parameter of the write operation was not sanitized before being used in a call to <span style=\"color: #ff0000;\">popen()<\/span>, allowing an unauthenticated attacker to inject shell commands, which run as root, with a single POST request.<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45046\" target=\"_blank\" rel=\"nofollow\">CVE-2021-45046<\/a> is the December 2021 Apache <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2021\/12\/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend\">Log4j2<\/a>&nbsp;deserialization of untrusted data vulnerability (the follow-up to Log4Shell, caused by the incomplete fix for CVE-2021-44228 in Log4j 2.15.0) that still works on enough unpatched servers to be listed.<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-21839\" target=\"_blank\" rel=\"nofollow\">CVE-2023-21839<\/a> affects Oracle WebLogic Server. It allows an unauthenticated attacker with network access via T3 or IIOP to gain unauthorized access to &#8220;critical data or complete access to all Oracle WebLogic Server accessible data.&#8221;<\/li>\n<\/ul>\n<p>We would like to zoom in on that last vulnerability for a few reasons.<\/p>\n<ul>\n<li>First of all, because Oracle WebLogic is a very widespread Java application server and has always been a <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\">popular entrance<\/a> to networks for cybercriminals.<\/li>\n<li>The vulnerability is easy to exploit, even for copycats, since proof-of-concept (PoC) exploits are public and have been incorporated into pen-testing tools.<\/li>\n<li>The scope of the vulnerability. 
There is a real risk that a remote, unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, and pivot to the rest of the internal network.<\/li>\n<\/ul>\n<p>Oracle WebLogic Suite is an application server for building and deploying enterprise Java EE applications which is fully supported on Kubernetes. That makes it easy to use on-premises or in the cloud. The companies using Oracle WebLogic are most often found in the United States and in the Information Technology and Services industry.<\/p>\n<p>In <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpujan2023.html\" target=\"_blank\">Oracle&rsquo;s January security advisory<\/a> you will notice that five researchers are credited with finding and reporting CVE-2023-21839. This may be due to the fact that Oracle issues patches in a quarterly cycle (the Critical Patch Update), where many others publish updates monthly. This means that researchers have more time to find new vulnerabilities, but they also have to keep quiet about them for longer. Nevertheless, five separate reports could indicate that this vulnerability was not hard to find.<\/p>\n<p>What&rsquo;s even worse is that it is easy to exploit the vulnerability. The published exploits target the Listen Port for the Administration Server (7001 by default). The protocol spoken on this port is T3, Oracle&rsquo;s proprietary Remote Method Invocation (RMI) protocol, which carries serialized Java objects between WebLogic servers and other Java programs. An unauthenticated attacker with network access to that port can send a crafted T3 request that makes the vulnerable server perform a JNDI lookup against an LDAP server the attacker controls; the LDAP response points the server at attacker-supplied Java code, which it loads and executes. In practice the published exploits use this to start a reverse shell on the target. 
A reverse shell or &ldquo;connect-back&rdquo; shell is a connection opened from the compromised host back to the attacker, which is why it works even when the firewall blocks inbound connections to the server; it lets the attacker execute commands and take control of the system.<\/p>\n<h2>Update now<\/h2>\n<p>Affected versions of Oracle WebLogic Server are 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The fix shipped in the January 2023 Critical Patch Update; the patch is available on the <a href=\"https:\/\/support.oracle.com\/rs?type=doc&amp;id=2917213.2\" target=\"_blank\">Oracle support site<\/a> for those that have an Oracle support account.<\/p>\n<p>Oracle always strongly recommends that you do not expose non-HTTPS traffic (T3\/T3s\/LDAP\/IIOP\/IIOPs) outside of the external firewall. You can control this access using a combination of network channels and firewalls. A quick check from outside the perimeter is whether the Administration Server listen port completes a T3 handshake; if it does, the listener is reachable by the published exploits and should be firewalled or moved to a dedicated network channel, whether or not the patch has been applied.<\/p>\n<hr \/>\n<p><strong>We don&rsquo;t just report on vulnerabilities&mdash;we identify them, and prioritize action.<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">Malwarebytes Vulnerability and Patch Management<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/exploits-and-vulnerabilities\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: Oracle<\/p>\n<p>Tags:  WebLogic<\/p>\n<p>Tags:  CVE-2023-21839<\/p>\n<p>Tags:  CVE-2023-1389<\/p>\n<p>Tags:  CVE-2021-45046<\/p>\n<p>Tags:  CISA<\/p>\n<p>Tags:  reverse shell<\/p>\n<p>An easy-to-exploit vulnerability in Oracle WebLogic Server has been added to the 
CISA list of things you really, really need to patch.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/05\/oracle-weblogic-server-vulnerability-added-to-cisa-list-as-known-to-be-exploited\" title=\"Oracle WebLogic Server vulnerability added to CISA list as \u201cknown to be exploited\u201d\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/05\/oracle-weblogic-server-vulnerability-added-to-cisa-list-as-known-to-be-exploited\">Oracle WebLogic Server vulnerability added to CISA list as \u201cknown to be exploited\u201d<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23583,29286,29285,29284,22783,32,11548,29287,21152],"class_list":["post-21919","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cisa","tag-cve-2021-45046","tag-cve-2023-1389","tag-cve-2023-21839","tag-exploits-and-vulnerabilities","tag-news","tag-oracle","tag-reverse-shell","tag-weblogic"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?po
st=21919"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21919\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21919"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
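The article's two practical points about CVE-2023-21839 are that the published exploits go in through the T3 listener on the Administration Server port, and that Oracle's standing advice is to keep T3/T3S off the external firewall. The following is an added example (not code from the Malwarebytes post, from Oracle, or from any published exploit) that turns that advice into a check: it sends the opening T3 handshake to a port, parses the server's `HELO:<release>` greeting, and reports whether a T3 listener is reachable and whether the reported release is one of the three the article lists as affected. The probe bytes and the greeting format are as understood from public T3 fingerprinting (the same handshake nmap's `weblogic-t3-info` script sends); the sample replies are constructed for offline use, not captured from a real server.

```python
"""Added example: detect an exposed WebLogic T3 listener and flag releases
listed as affected by CVE-2023-21839. Not code from the original post,
from Oracle, or from any exploit; the wire format below is as understood
from public T3 fingerprinting, and the sample replies are constructed."""
import re
import socket
from typing import Optional

# Releases Oracle listed as affected in the January 2023 CPU (as quoted in the article).
AFFECTED_VERSIONS = {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}

# Default listen port of the WebLogic Administration Server; T3 shares it with HTTP.
DEFAULT_PORT = 7001

# Opening T3 handshake as used for fingerprinting: client protocol version, then
# abbreviation size (AS), header length (HL) and maximum message size (MS).
# A WebLogic listener answers with its own "HELO:<release>.<flag>" line.
T3_PROBE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Server greeting, e.g. b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n".
# The release is the leading dotted-digit group; the trailing true/false flag is
# deliberately not interpreted here.
_HELO = re.compile(rb"^HELO:(\d+(?:\.\d+)+)")


def parse_t3_banner(data: bytes) -> Optional[str]:
    """Return the release string from a T3 HELO greeting, or None when the bytes
    are not a T3 handshake (an HTTP error, a connection-filter rejection, ...)."""
    m = _HELO.match(data)
    return m.group(1).decode("ascii") if m else None


def assess_banner(data: bytes) -> dict:
    """Classify a reply to T3_PROBE.

    t3_exposed -> the port completed a T3 handshake
    version    -> release reported in the greeting (None if no handshake)
    affected   -> version is one of the releases Oracle listed for CVE-2023-21839
                  (a release on the list, not proof that the PSU is missing:
                  the banner does not change when the patch is applied)
    """
    version = parse_t3_banner(data)
    return {
        "t3_exposed": version is not None,
        "version": version,
        "affected": version in AFFECTED_VERSIONS,
    }


def probe_t3(host: str, port: int = DEFAULT_PORT, timeout: float = 3.0) -> dict:
    """Send the T3 handshake to host:port and assess the reply. Run it from
    outside the perimeter: t3_exposed=True means the listener the published
    exploits target is reachable from there, contradicting Oracle's advice.
    Connection failures are reported in the result rather than raised, so the
    function can be mapped over a host list."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_PROBE)
            data = s.recv(1024)
    except OSError as e:
        return {"t3_exposed": False, "version": None, "affected": False, "error": str(e)}
    return assess_banner(data)


# Constructed sample replies (not captured from real servers) for offline use.
SAMPLE_REPLIES = {
    "admin-12.2.1.4": b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "admin-14.1.1":   b"HELO:14.1.1.0.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "older-12.1.3":   b"HELO:12.1.3.0.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "http-only":      b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:16} {assess_banner(reply)}")
```

Read the result as two separate facts: `t3_exposed` is the one that matters for the firewall recommendation, and `affected` only says the release is on Oracle's list. A patched 12.2.1.4.0 still greets with `HELO:12.2.1.4.0`, so the banner cannot tell you whether the January 2023 patch is installed; that is checked on the host (OPatch inventory), not over the network.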