
[Vulnerability notice] CVE-2017-12071: Remote command execution vulnerability in WebLogic Server component

Last Updated: Apr 02, 2018

On December 18, 2017, Alibaba Cloud Security detected a security incident in which attackers compromised WebLogic on cloud servers and used them for mining. The record is as follows:

[Screenshot: record of the security event]

After emergency analysis, the Alibaba Cloud Security team confirmed that the attackers exploited the WebLogic deserialization vulnerability (CVE-2017-3248) and the WLS component vulnerability (CVE-2017-10271) to intrude into services relying on the WLS component and implant a mining Trojan.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-12071

Vulnerability name

WebLogic Server component remote command execution vulnerability

Vulnerability rating

High

Vulnerability description

Attackers can exploit this vulnerability by sending HTTP requests to gain control of the target server and implant a Bitcoin mining Trojan. They can also use this access to launch other targeted attacks.

The WLS component is rarely used, so the overall risk of infection across the cloud is low.

Condition and method of exploitation

The vulnerability can be exploited remotely, and a public PoC exists.

PoC status

The PoC has been published.

Affected scope

  • Oracle WebLogic Server 10.3.6.0.0
  • Oracle WebLogic Server 10.3.3.0.0
  • Oracle WebLogic Server 12.1.3.0.0
  • Oracle WebLogic Server 12.2.1.1.0
  • Oracle WebLogic Server 12.2.1.2.0

Vulnerability detection

To check whether your server has been compromised:

  1. Scan http://ip_address:7001/wls-wsat, replacing “ip_address” and “7001” with your server's IP address and port number.

  2. Check whether the following files are found in the WebLogic installation path (assuming that WebLogic is installed in the default directory):

    1. /home/WebLogic/Oracle/Middleware/wlserver_10.3/server/lib/wls-wsat.war
    2. /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
    3. /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat

  3. Check whether the host log contains cmd.exe and /bin/bash.

If you find the aforementioned files in the WebLogic installation path and cmd.exe or /bin/bash in the host log, the server may have been compromised.
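The detection steps above as a script, added here as an example and not part of the original notice. It checks one host for the three wls-wsat artifacts and for the cmd.exe / /bin/bash indicators in a log file; the Middleware root and log path are parameters (assumed, so that non-default installs can be checked), and the sample host it builds is constructed test data.

```shell
#!/bin/sh
# Added example: scripted version of the wls-wsat detection procedure.
# $1 = Middleware root (default install: /home/WebLogic/Oracle/Middleware)

# Print each wls-wsat artifact from the notice that exists below the Middleware root.
list_wls_wsat_artifacts() {
    for rel in \
        'wlserver_10.3/server/lib/wls-wsat.war' \
        'user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war' \
        'user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat'
    do
        [ -e "$1/$rel" ] && printf '%s\n' "$1/$rel"
    done
    return 0
}

# Print the lines of the host log ($1) that contain either indicator string.
grep_shell_indicators() {
    [ -r "$1" ] || return 0
    grep -E 'cmd\.exe|/bin/bash' "$1" || true
}

# Print one verdict for the host ($1 = Middleware root, $2 = host log):
#   NO_WLS_WSAT   - component not deployed, so this vulnerability does not apply
#   WLS_WSAT_ONLY - component present but no shell indicators; patch or remove it
#   SUSPICIOUS    - component present and shell indicators found in the log
assess_host() {
    artifacts=$(list_wls_wsat_artifacts "$1")
    hits=$(grep_shell_indicators "$2")
    if [ -z "$artifacts" ]; then echo NO_WLS_WSAT
    elif [ -z "$hits" ]; then echo WLS_WSAT_ONLY
    else echo SUSPICIOUS
    fi
}

# Build a constructed sample host in a temp dir (one artifact plus a short log)
# and print its path, so the check can be exercised offline.
make_sample_host() {
    d=$(mktemp -d)
    mkdir -p "$d/Middleware/wlserver_10.3/server/lib"
    : > "$d/Middleware/wlserver_10.3/server/lib/wls-wsat.war"
    printf '%s\n' \
        'POST /wls-wsat HTTP/1.1 200' \
        'GET /console HTTP/1.1 200' \
        'POST /wls-wsat HTTP/1.1 500 /bin/bash' > "$d/access.log"   # constructed lines
    echo "$d"
}

# Real host with the default path from the notice (log path is an assumption):
# assess_host /home/WebLogic/Oracle/Middleware /var/log/weblogic/access.log
```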

How to fix or mitigate

  1. Delete the WAR package. Remove the wls-wsat WAR package and directory from the actual WebLogic installation path, as your service requirements allow. With the default installation path, the commands are:

    1. rm -f /home/WebLogic/Oracle/Middleware/wlserver_10.3/server/lib/wls-wsat.war
    2. rm -f /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
    3. rm -rf /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat

  2. Configure network access control. Configure an access control policy for http://ip_address:7001/wls-wsat that prohibits direct access from the Internet.

  3. Install the latest patch. Install the latest patches released on the Oracle website: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html.
