Vulnerability Notification: Oracle WebLogic Server deserialization

[Overview]

Oracle WebLogic is an enterprise-grade, multi-tier application server built on Java. It is commonly used to develop, integrate, deploy, and manage web applications and database applications. Oracle has recently patched a high-risk deserialization vulnerability in WebLogic Server.

[Vulnerability Details]

CVE-2018-2628: This vulnerability stems from the deserialization of untrusted data in T3 requests. An unauthenticated attacker can exploit it by sending a specially crafted Unicast object request to a vulnerable server. On successful exploitation, a JRMP session is established between the target server and a server controlled by the attacker, who then uses malicious deserialized objects exchanged over that session to achieve remote code execution on the target.

Vulnerability Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2628

[Severity]

Critical

[Affected Version]

  • Oracle WebLogic Server 10.3.6.0
  • Oracle WebLogic Server 12.1.3.0
  • Oracle WebLogic Server 12.2.1.2
  • Oracle WebLogic Server 12.2.1.3

[Suggestions]

Restrict WebLogic Server's port 7001 so that it cannot be reached from untrusted networks

Apply the patch released by Oracle to remediate the vulnerability

Official statement: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
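The first suggestion, restricting who may reach port 7001, is often implemented with a WebLogic connection filter that only permits T3/T3S from trusted addresses. The script below is an added example, not code from Hillstone or Oracle: it parses a constructed rule set written in the connection filter's "targetAddress localAddress localPort action protocols" form and evaluates connection attempts against it, so a rule set can be sanity-checked before deployment. The 10.20.0.0/16 admin subnet and the first-match, allow-by-default semantics are assumptions of this simplified model; hostname targets are not handled.

```python
import ipaddress

# Constructed rule set (assumed trusted admin subnet 10.20.0.0/16):
# allow T3/T3S on 7001 from loopback and the admin subnet, deny it
# from everywhere else, and leave other protocols (e.g. http) alone.
FILTER_RULES = """
127.0.0.1 * 7001 allow t3 t3s
10.20.0.0/16 * 7001 allow t3 t3s
0.0.0.0/0 * 7001 deny t3 t3s
"""


def parse_rules(text):
    """Parse rules in 'target local_addr local_port action protocols' form."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {line}")
        rules.append({
            "target": ipaddress.ip_network(target, strict=False),
            "local_addr": local_addr,
            "local_port": None if local_port == "*" else int(local_port),
            "action": action,
            "protocols": set(protocols),  # empty set matches any protocol
        })
    return rules


def evaluate(rules, remote_ip, local_port, protocol):
    """Return 'allow' or 'deny' for one connection attempt.

    Simplified model (assumption): rules are checked top to bottom,
    the first match wins, and a connection matching no rule is allowed.
    """
    addr = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if addr not in rule["target"]:
            continue
        if rule["local_port"] is not None and rule["local_port"] != local_port:
            continue
        if rule["protocols"] and protocol not in rule["protocols"]:
            continue
        return rule["action"]
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(FILTER_RULES)
    print("external t3 -> 7001:", evaluate(rules, "203.0.113.5", 7001, "t3"))
```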

[Hillstone Networks Solution]

Hillstone Networks has added signatures to the IPS signature database version 2.1.238. By deploying any Hillstone Networks solution with the IPS function, the WebLogic Server deserialization vulnerability can be quickly detected and effectively intercepted, preventing the server from being attacked.

Threat Events Detected by Hillstone Solutions

Vulnerability Detail Description