                                                   JPCERT-AT-2018-0004
                                                             JPCERT/CC
                                                            2018-01-17

                  <<< JPCERT/CC Alert 2018-01-17 >>>

Alert Regarding Vulnerability (CVE-2017-10271) in Oracle WebLogic Server

        https://www.jpcert.or.jp/english/at/2018/at180004.html


I. Overview
JPCERT/CC has observed scans which seem to be targeting a vulnerability
(CVE-2017-10271) in Oracle WebLogic Server.

https://www.jpcert.or.jp/english/at/2018/at180004_fig1.png
Figure 1: Scans to 7001/tcp in Japan (October 1, 2017 - January 16, 2018)

JPCERT/CC has received reports on attacks exploiting this vulnerability.
While any relationship with this vulnerability remains unclear, JPCERT/CC
has been observing a number of website compromises where a coin miner is
planted since October, 2017.

This vulnerability may allow arbitrary code execution with privileges of
the server application when a remote attacker sends a specially crafted
request to WLS Security, a component of the Oracle WebLogic Server. Attack
code exploiting this code is publicly available and JPCERT/CC has verified
that this code can be used for exploitation.

A version that addresses this vulnerability has been provided with the 
Critical Patch Update on October 18, 2017. Users of affected versions are
recommended to update as soon as possible by referring to the information
in "III. Solution".


II. Affected Products
The following versions of Oracle WebLogic Server are affected by this
vulnerability.

  - Oracle WebLogic Server 10.3.6.0.0
  - Oracle WebLogic Server 12.1.3.0.0
  - Oracle WebLogic Server 12.2.1.1.0
  - Oracle WebLogic Server 12.2.1.2.0


III. Solution
Oracle has provided a version that addresses this vulnerability. Please
consider updating to this version.

  - Oracle WebLogic Server 12.2.1.3.0

Oracle has provided a Critical Patch Update on January 17, 2018. This
Critical Patch Update addresses other vulnerabilities as well. Please
refer to the information provided by Oracle and consider updating to
the latest available version.


IV. References
    Oracle Corporation
    Oracle Critical Patch Update Advisory - October 2017
    http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

    Oracle Corporation
    Oracle Critical Patch Update Advisory - January 2018
    http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

    Information-technology Promotion Agency (IPA)
    Attacks exploiting vulnerability in Oracle WebLogic Server (CVE-2017-10271) (Japanese)
    https://www.ipa.go.jp/security/ciadr/vul/20180115_WebLogicServer.html


If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/