Patching doesn’t always resolve security issues. Attackers have found a bypass around the newly released but faulty patch for an Oracle WebLogic flaw, and hackers are again able to exploit the vulnerability.
The April 2018 Critical Patch Update, which contained 254 new security fixes, included a patch for the Oracle WebLogic Server flaw (CVE-2018-2628), which affected versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server.
However, The Hacker News reported today that a Chinese security researcher, who claims to be part of the Alibaba security team, discovered a workaround so that the WebLogic vulnerability can again be exploited, allowing attackers to gain complete control of a vulnerable server.
“Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 can be bypassed easily,” the researcher tweeted.
Given that the proof-of-concept exploit was previously published on GitHub, bypassing the patch is rather easy for skilled hackers to figure out, particularly when they are sharing information on social media.
Currently there is no evidence of servers being hacked with this vulnerability, but Oracle WebLogic Server has been known to be targeted by malicious actors. Given the reported surge in activity around this disclosed vulnerability, users should block port 7001 to mitigate an attack.
In January, SANS Technology Institute reported that attackers were leveraging a web application server flaw (CVE-2017-10271) that Oracle claimed to have patched. Chinese security researcher Lian Zhang published proof-of-concept (PoC) exploits in December 2017.
When vulnerabilities are disclosed, companies often rush to release a fix before the flaw can be exploited in the wild. This newly discovered faulty patch suggests that rushing to release an update doesn’t do much to fix the problem.
The news should not prevent users from installing the April patch update, because attackers continue to scan the internet for vulnerable servers. Infosecurity Magazine attempted to reach Oracle, but the company declined to comment.