JPCERT-AT-2018-0004
JPCERT/CC
2018-01-17
Figure 1: Scans to 7001/tcp in Japan (October 1, 2017 - January 16, 2018)
JPCERT/CC has received reports on attacks exploiting this vulnerability.While any relationship with this vulnerability remains unclear, JPCERT/CC has been observing a number of website compromises where a coin miner is planted since October, 2017.
This vulnerability may allow arbitrary code execution with privileges of the server application when a remote attacker sends a specially crafted request to WLS Security, a component of the Oracle WebLogic Server. Attack code exploiting this code is publicly available and JPCERT/CC has verified that this code can be used for exploitation.
A version that addresses this vulnerability has been provided with the
Critical Patch Update on October 18, 2017. Users of affected versions are recommended to update as soon as possible by referring to the information in "III. Solution".
- Oracle WebLogic Server 10.3.6.0.0
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 12.2.1.1.0
- Oracle WebLogic Server 12.2.1.2.0
- Oracle WebLogic Server 12.2.1.3.0
Oracle has provided a Critical Patch Update on January 17, 2018. This Critical Patch Update addresses other vulnerabilities as well. Please refer to the information provided by Oracle and consider updating to the latest available version.
Oracle Corporation
Oracle Critical Patch Update Advisory - October 2017
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Corporation
Oracle Critical Patch Update Advisory - January 2018
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Information-technology Promotion Agency (IPA)
Attacks exploiting vulnerability in Oracle WebLogic Server (CVE-2017-10271) (Japanese)
https://www.ipa.go.jp/security/ciadr/vul/20180115_WebLogicServer.html
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
JPCERT/CC
2018-01-17
I. Overview
JPCERT/CC has observed scans which seem to be targeting a vulnerability(CVE-2017-10271) in Oracle WebLogic Server.Figure 1: Scans to 7001/tcp in Japan (October 1, 2017 - January 16, 2018)
JPCERT/CC has received reports on attacks exploiting this vulnerability.While any relationship with this vulnerability remains unclear, JPCERT/CC has been observing a number of website compromises where a coin miner is planted since October, 2017.
This vulnerability may allow arbitrary code execution with privileges of the server application when a remote attacker sends a specially crafted request to WLS Security, a component of the Oracle WebLogic Server. Attack code exploiting this code is publicly available and JPCERT/CC has verified that this code can be used for exploitation.
A version that addresses this vulnerability has been provided with the
Critical Patch Update on October 18, 2017. Users of affected versions are recommended to update as soon as possible by referring to the information in "III. Solution".
II. Affected Products
The following versions of Oracle WebLogic Server are affected by this vulnerability.- Oracle WebLogic Server 10.3.6.0.0
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 12.2.1.1.0
- Oracle WebLogic Server 12.2.1.2.0
III. Solution
Oracle has provided a version that addresses this vulnerability. Please consider updating to this version.- Oracle WebLogic Server 12.2.1.3.0
Oracle has provided a Critical Patch Update on January 17, 2018. This Critical Patch Update addresses other vulnerabilities as well. Please refer to the information provided by Oracle and consider updating to the latest available version.
IV. References
Oracle Corporation
Oracle Critical Patch Update Advisory - October 2017
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Corporation
Oracle Critical Patch Update Advisory - January 2018
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Information-technology Promotion Agency (IPA)
Attacks exploiting vulnerability in Oracle WebLogic Server (CVE-2017-10271) (Japanese)
https://www.ipa.go.jp/security/ciadr/vul/20180115_WebLogicServer.html
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/