Alert Logic® is tracking active exploitation of CVE-2018-2894, an arbitrary file upload vulnerability in Oracle WebLogic that lets an attacker upload a JSP file (typically a web shell). Exploitation attempts against our customers and our honeynet have been observed since July 19, 2018. Successful exploitation gives the attacker shell access on the web server, so the risk of full compromise is significant. All users of Oracle WebLogic are strongly encouraged to apply Oracle's patches for this vulnerability immediately or to take the mitigating actions described below.
CVE-2018-2894 consists of two arbitrary file upload vulnerabilities, one targeting config.do and one targeting begin.do. The config.do variant can be exploited by a remote, unauthenticated attacker; the begin.do variant requires authentication. Both live in the Web Service Test Client application, which is enabled by default when WebLogic runs in development mode and is available but disabled by default in production mode.
We observed the first attacks (the config.do variant) against our honeynet on July 19 and have seen attacks against customers consistently since. That first observation came almost exactly one day before exploit code was published on GitHub.
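As an added example (not Alert Logic code and not part of the original advisory), the following Python script is a simple hunt for the two vectors described above: it reads web-server or WebLogic access-log lines, flags requests to config.do and begin.do, and grades a POST to config.do highest because that vector needs no authentication. The log lines are constructed for this example, and the /ws_utc/ context path in them is an assumption about where the Web Service Test Client is deployed; the matcher keys on the servlet name alone, so it works whatever the context path is. Requests answered with a 4xx or 5xx are downgraded to informational because they never reached the test client (for instance, because the test page is disabled on that server).

```python
import re

# Servlets named in the advisory. config.do is the unauthenticated vector, so
# a POST to it is the higher-severity finding; begin.do requires a login first.
TARGET_SERVLETS = {
    "config.do": "unauthenticated upload vector",
    "begin.do": "authenticated upload vector",
}

# Severity ranking used when rolling findings up per client.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Apache/NCSA combined format; a "common" format line (no referer/user-agent)
# matches too because that trailing group is optional.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (not real traffic). The /ws_utc/ context path is an
# assumption about where the Web Service Test Client is mounted.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2018:14:02:11 +0000] "GET /ws_utc/config.do HTTP/1.1" 200 3321 "-" "python-requests/2.19.1"
203.0.113.7 - - [19/Jul/2018:14:02:12 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 118 "-" "python-requests/2.19.1"
198.51.100.23 - - [19/Jul/2018:15:30:44 +0000] "POST /ws_utc/begin.do HTTP/1.1" 200 94 "-" "curl/7.58.0"
198.51.100.23 - - [19/Jul/2018:15:31:02 +0000] "POST /ws_utc/config.do HTTP/1.1" 404 1107 "-" "curl/7.58.0"
192.0.2.10 - - [19/Jul/2018:15:40:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
"""


def severity(servlet, method, reached):
    """Grade one hit: a POST to config.do that reached the app is the worst case."""
    if not reached:
        return "info"      # endpoint not served: test client absent or request blocked
    if method != "POST":
        return "low"       # GET: reconnaissance, no upload possible
    return "high" if servlet == "config.do" else "medium"


def classify(line):
    """Return a finding for one access-log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]   # drop any query string
    servlet = path.rsplit("/", 1)[-1]           # match on servlet name, not context path
    if servlet not in TARGET_SERVLETS:
        return None
    status = int(m.group("status"))
    reached = 200 <= status < 400               # 4xx/5xx: never reached the test client
    return {
        "client": m.group("client"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "status": status,
        "reached": reached,
        "severity": severity(servlet, m.group("method"), reached),
        "note": TARGET_SERVLETS[servlet],
    }


def scan(lines):
    """Run classify() over an iterable of log lines, keeping only findings."""
    return [f for f in (classify(line) for line in lines) if f]


def worst_per_client(findings):
    """Roll findings up to the highest severity seen from each client address."""
    worst = {}
    for f in findings:
        if RANK[f["severity"]] > RANK.get(worst.get(f["client"]), -1):
            worst[f["client"]] = f["severity"]
    return worst


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["severity"]:6} {h["client"]:15} {h["method"]:4} {h["path"]} -> {h["status"]} ({h["note"]})')
    print("worst per client:", worst_per_client(hits))
```

To run it over a real log, pass the open file to `scan()`. The grading is deliberately coarse: a begin.do POST can be a developer legitimately using the test client, so the finding to page on is a POST to config.do from an external address that got a 2xx/3xx response. Any client in the high tier should be cross-checked against newly written .jsp files on that server.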
For technical details about this exploit, refer to our Emerging Threat: Active Exploit of Oracle WebLogic JSP File Upload Vulnerability blog post.
Alert Logic Coverage
Alert Logic Threat Manager™ has signatures in place to detect exploits of CVE-2018-2894.
In addition, Alert Logic is developing vulnerability scan coverage to identify vulnerable assets through Alert Logic Cloud Defender®, Threat Manager, and Cloud Insight™. This coverage is expected to be released on July 26, 2018.
Alert Logic is also investigating additional detection coverage for Web Security Manager™ and Web Security Manager Premier. If you are affected by this vulnerability or are concerned about coverage, contact Alert Logic to deploy additional prevention and protection through Web Security Manager Premier.
Note: Updates will be posted in the Updates section of this article when additional coverage is released.
Recommendations for Mitigation
WebLogic versions 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3 are vulnerable to CVE-2018-2894. If you are running any of these versions, apply the latest Oracle patches for WebLogic (the fix shipped in Oracle's July 2018 Critical Patch Update) or upgrade to the latest version. Additionally, running WebLogic in production mode with the “Enable Web Service Test Page” option disabled (found in Console > Domain > Advanced) keeps the vulnerable Web Service Test Client from being deployed and mitigates the risk; treat this as a workaround rather than a substitute for the patch, since the option can be re-enabled later.
This section will be updated with new information about this Oracle WebLogic vulnerability and related Alert Logic coverage as it becomes available.