SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

Notice: Monitoring services will be discontinued from March 31st, 2019.

This signature fires upon detecting attempts to exploit a command execution vulnerability in Oracle WebLogic. The vulnerability is in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). The supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. The vulnerability is easily exploitable and allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

This signature detects attempts to exploit a remote code execution vulnerability in Oracle WebLogic Server. Oracle WebLogic Server is prone to a remote security vulnerability in WLS Security. The vulnerability can be exploited over the 'HTTP' protocol.

CVSS Scores & Vulnerability Types

CVSS Score               5.0
Confidentiality Impact   None (There is no impact to the confidentiality of the system.)
Integrity Impact         None (There is no impact to the integrity of the system.)
Availability Impact      Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity        Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication           Not required (Authentication is not required to exploit the vulnerability.)
Gained Access            None

Affected

This vulnerability affects the following supported versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Critical Patch Update Supported Products and Versions


Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
