| Developers: | Oracle |
| Last Release Date: | 2020/08/07 |
| Technology: | Enterprise Portals, Server Platforms |
2026: Bug in Oracle WebLogic allows attackers to easily take over the infrastructure built on it
On January 20, FSTEC sent a warning about the discovery of the critical vulnerability BDU:2026-00664[1] in Oracle HTTP Server, which is part of the WebLogic solution supplied by Oracle. The vulnerability has a criticality level of 10 according to CVSS version 3.1. It has been fixed by the developer: updates for this component were included in the January Oracle Critical Patch Update. FSTEC experts recommend promptly updating vulnerable installations.
Oracle HTTP Server is a dedicated web server based on Apache code, but it includes additional modules designed specifically for integration with Oracle products. It is part of the Oracle Fusion Middleware enterprise application development platform.
| "Oracle HTTP Server is focused mainly on the corporate sector, where Oracle solutions are used to build scalable and reliable web applications and services," explained Alexey Kosenkov, leading information security expert at First Bit, to TAdviser. "In Russia, this product occupies a niche position: it is used by large companies, state organizations and the financial sector, where highly reliable integrated platforms are needed to process and route HTTP requests." |
According to Ekaterina Edemskaya, an engineer-analyst at Gazinformservice, Oracle WebLogic Server Proxy is one of the key infrastructure components of large companies and is widely deployed in Russia, especially in large businesses. The high prevalence is due to historical factors, long-term contracts and the complexity of migrating from legacy systems, where WebLogic components have not been updated for more than two years because of sanctions restrictions.
The discovered vulnerability is related to the WebLogic Server Proxy Plug-in module and stems from shortcomings in the authentication procedure (CWE-287). Exploitation can allow a remote attacker to gain unauthorized access to the system by sending specially crafted HTTP requests. The error is present in product versions 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0.
The discovered vulnerability allows an attacker to bypass authentication and authorization checks in the Oracle HTTP Server and WebLogic Server Proxy Plug-in components, which are used to interact with other elements of the Oracle ecosystem. These components, according to Alexander Kolesov, head of development and research at Bastion, are often reachable from untrusted public networks and are located in the demilitarized zone, which significantly increases the chances of this vulnerability being exploited in mass attacks.
| "This is a vulnerability of the maximum level of criticality; it is exploited without authorization, and the exploitation itself is relatively easy to execute," Sergei Belyaev, threat analyst at the Solar 4RAYS Cyber Threat Research Center, told TAdviser. "There are already exploits on the network and, most likely, it will be used in cyber attacks, since the process of installing security updates usually does not happen quickly, and attackers will try to use it." |
According to Sergei Gilev, director of the Angara Security Cyber Threat Research Center, at the time of publication proof-of-concept code exploiting this vulnerability had already appeared in the public domain. The expert notes that simple modification of it will soon yield a full-fledged exploit for this vulnerability, and the result of successful exploitation may be command execution on the application server, followed by the seizure of the entire infrastructure.
The basic protection measure against such vulnerabilities, according to Kirill Lyovkin, MD Audit project manager, is the prompt application of updates and fixes affecting product security, but only after risk assessment and testing. Before installing updates, it is critical to minimize the attack surface: close direct access to WebLogic from the Internet and leave it reachable only through secure communication channels or in trusted segments.
| "In the current conditions, the key is not only the installation of patches, but also the construction of compensatory measures," Mikhail Timaev, head of the IT Task technical presale department, assured TAdviser readers. "Practice shows that for such products it is critical to limit the external availability of services, use IDS/IPS to identify exploitation attempts and control access by whitelisting." |
Updates received from trusted sources, according to the expert, of course require a preliminary risk assessment, but postponing them without introducing additional protection measures significantly increases the likelihood of compromise.
| "Additional protection against vulnerabilities of this kind can be provided by WAF solutions or corresponding modules as part of an NGFW," said Dmitry Khomutov, director of Ideco, expanding on the recommendations of the previous experts. "At the same time, it is important to make sure that the security tools contain up-to-date signatures to counter the new vulnerability and that their effectiveness is confirmed in practice." |
2024
A dangerous vulnerability has been discovered in Oracle WebLogic. FSTEC recommends that users urgently take action
On August 19, FSTEC sent a warning about the discovery of the dangerous vulnerability BDU:2024-06272[2] in the Oracle WebLogic Server application server, which allows outsiders to perform malicious actions in the server core by manipulating the T3 and IIOP protocols. According to CVSS 3, the vulnerability is rated 9.8 out of 10, which indicates its ease of exploitation and the danger of remote code execution. The manufacturer has confirmed that the vulnerability can be exploited without authentication in versions 12.2.1.4.0 and 14.1.1.0.0. Moreover, there is a public[3].
As stated in the FSTEC warning, the error is caused by insufficient validation of input data: the server simply does not check whether the authentication procedure has been completed at the transport level. As a result, the Core component of the Oracle Fusion Middleware application server lets outsiders access it directly using the T3 and IIOP protocols, which handle interaction between the server and the client, and modify system resources, steal confidential data or execute unauthorized code.
| "The new vulnerability of the Core component of the Oracle WebLogic Server application server is a really significant threat and cannot be neglected," Artem Chernov, leading systems engineer at K2 Cybersecurity, confirmed to TAdviser. "It allows access due to insufficient validation of input data. The T3 and IIOP protocols are used to exploit the vulnerability. Of course, Oracle WebLogic is not the most popular platform; however, the products of this family are used by tens of thousands of companies around the world, including our developers." |
To protect the application server, Artem Chernov recommends installing the current Critical Patch Update, in which this vulnerability is closed. If the update cannot yet be applied, then as a compensatory measure you can configure additional mechanisms for filtering and verifying input data for the T3 protocol, for example JEP 290, since most WAFs will not be able to help because of the proprietary protocol used. FSTEC itself recommends even more radical measures:
- Use a firewall to restrict remote access to the server.
- Restrict T3 access to trusted sources only, or disable the protocol if it is not in use.
- Disable transmission of the IIOP protocol over the network, provided it is not used by applications.
It should be noted that application servers are key targets for hackers, since on the one hand they can execute various high-level scenarios and on the other hand, as a rule, they contain quite valuable data. Interfering with the interaction of the transaction broker, for which the T3 and IIOP protocols are intended, is especially dangerous, since it gives attackers direct access to the data accumulated in the application. The most dangerous hacker attacks of recent times were precisely attacks on such components of web applications.
US authorities: Hackers have been using Oracle's leaky software for illegal mining of cryptocurrencies for many years
In late May 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) reported that Chinese hackers had been exploiting vulnerabilities in Oracle software for illegal cryptocurrency mining for years. Moreover, the attackers are constantly improving their methods, which makes them difficult to detect and makes protecting against their intrusions harder.
Criminal mining is said to be carried out by the 8220 Gang (also known as the 8220 Mining Group and Water Sigbin). In particular, the hackers exploit the CVE-2017-3506 vulnerability (CVSS severity rating: 7.4), which affects the Oracle WebLogic Server platform. Using specially crafted HTTP requests, attackers can gain unauthorized access to the system and execute arbitrary code on it.
Trend Micro notes that the 8220 Gang uses code obfuscation methods and complex tactics to covertly deliver malicious payloads to attacked systems. Coupled with the exploitation of other holes, cryptocurrency miners are being installed on computers running Windows and Linux.
| "The group uses obfuscation techniques such as hexadecimal URL encoding and HTTP protocol over port 443, which allows for stealthy payload delivery. We found exploitation attempts on both Linux and Windows computers," says Trend Micro specialist Sunil Bharti. |
It is known that the Water Sigbin group has been operating since at least 2017. It specializes in deploying malware primarily in cloud environments and on Linux servers. The constant development of tools, tactics and procedures allows the cybercriminals to hide their activities and avoid detection.[4]
2020: Discovery of a vulnerability that allows an attacker to connect to the server using a service URL available from the Internet
On August 7, 2020, Positive Technologies announced that its expert Arseniy Sharoglazov had discovered a vulnerability in Oracle WebLogic Server application servers. Using a service URL available from the Internet, attackers can connect to the system, find a login and password for access and perform remote file reading. The Oracle WebLogic family of products is used by tens of thousands of companies around the world.
The vulnerability CVE-2020-14622 was assigned a medium severity level on the CVSS scale (base score: 4.9).
The problem is aggravated by the fact that many system administrators are unaware of the existence of this URL and of the default login and password used to access it. Usually, the WebLogic administrative panel is located on a separate port and is not available from the Internet, while the system configuration is set up using special scripts that contain default credentials for accessing the service URL.
With this security flaw, attackers can access Oracle WebLogic Server and read any files on the server. Depending on the organization that owns the server, it may contain personal user data, configuration files of important systems, application source codes, in which vulnerabilities can also be found.
To conduct an attack, an attacker needs only average skills. The vulnerability can be discovered using automated scanning systems, and to exploit it an attacker would have to write simple code in Java.
| "In the course of security analysis projects, we have encountered this vulnerability in banking systems certified under PCI DSS," says Arseniy Sharoglazov, researcher at Positive Technologies. "These are complex systems: a DMZ is built, where several servers are installed, including several WebLogic servers and SQL databases, all of this is isolated and audited, an nginx proxy and a WAF are installed, but administrators do not know about the ability to access the infrastructure using a service URL, and this undermines protection." |
To reduce the risks associated with exploiting the CVE-2020-14622 vulnerability, Positive Technologies experts recommend installing the security update released by Oracle, as well as changing the default password for accessing the service URL. In addition, companies using Oracle WebLogic Server products in their infrastructure can reduce the risks of exploiting the CVE-2020-14622 vulnerability through regular penetration testing and the use of specialized security tools.
2013: Oracle WebLogic Server 12.1.2
Oracle announced the release of a new version of Oracle WebLogic Server 12.1.2 on August 5, 2013.
Oracle WebLogic Server is optimized to run on Oracle Exalogic Elastic Cloud, part of the Oracle Engineered Systems family of integrated hardware and software systems.
New functionality
- The new version of Oracle WebLogic Server 12.1.2 uses dynamic clustering for greater "cloud flexibility" and efficient resource management, simplifying Java Messaging Service (JMS) administration.
- Full certified support and integration with Oracle Database 12c, including support for access to consolidated databases in a multitenant architecture, as well as application continuity and high data availability.
- Support for Apache Maven for version and lifecycle control has been expanded, support for HTML5, Java and WebSockets for the development of mobile and cross-platform applications has been implemented.
- The server provides declarative, JSON or XML-based access to enterprise data sources through the REST (Representational State Transfer) distributed application interface using Oracle TopLink services.
2011: Oracle WebLogic Server 12c
Oracle announced in December 2011 the release of Oracle WebLogic Server 12c, a new version of the application server for traditional systems, engineered systems and cloud computing environments. As a key part of the Oracle Cloud Application Foundation platform and the core of the Oracle Fusion Middleware family, Oracle WebLogic Server continues to provide innovative new capabilities for building, deploying, and executing Java EE (Java Platform, Enterprise Edition) applications.
The new version of Oracle WebLogic Server 12c offers important new features and enhancements to help customers and partners reduce total cost of ownership (TCO) and gain more value from their existing application infrastructure while accelerating the development cycle and reducing time to market for new applications.
Oracle WebLogic Server 12c is certified for the full Java EE 6 platform specification, providing increased developer productivity with modern, standards-based APIs including Servlet 3.0, JAX-RS 1.1, Java Server Faces 2.1, EJB 3.1, Context and Dependency Injection for Java, and many others. In addition, developers on the Oracle WebLogic Server platform can now use the Java Platform Standard Edition (Java SE) 7 features to create better and easier-to-maintain code.
Oracle WebLogic Server 12c provides full support for dependency management and a unified build process through an updated plug-in for Apache Maven. At the same time, the new version of the application server directly integrates with Oracle Traffic Director (OTD), a new component of the Oracle Fusion Middleware family, which adds the ability to route traffic of applications with high performance and availability, dynamically configurable caching and load balancing, and also supports proxies for HTTP applications. In addition, Oracle Virtual Assembly Builder technology, using graphical tools and open web service APIs based on the PaaS delivery model (platform as a service), provides simplified configuration and layout of tiered enterprise applications in environments virtualized with Oracle VM.
"With the release of the new version of Oracle WebLogic Server 12c, clients can use the application server to gain more value from their existing infrastructure, to simplify deployment and application management, and to accelerate the launch of new applications to market through improved developer productivity," said Cameron Purdy, Oracle vice president of development. "In addition, with Oracle WebLogic Server 12c, customers will be able to better master cloud computing and use their infrastructure to build private and public cloud architectures and then easily switch between internal and external infrastructure as needs change."
According to the developers, customers can use Oracle WebLogic Server 12c to solve the most important and business-critical tasks due to the high security and readiness of this platform. Improved integration between Oracle WebLogic Server and Oracle Real Application Clusters (RAC) automatically detects and corrects database node (partition) failures to support high performance and easier management.
In turn, the new disaster recovery features allow clients to store data in a file or database, including the option to save the transaction log to the database. This makes it possible to use database-integrated consistent replication technologies in conjunction with Oracle GoldenGate and Oracle Active Data Guard for all dynamic application data, including online activity logs, Java Message Services (JMS) logs, and transaction logs, Oracle explained.
Other features of Oracle WebLogic Server 12c also include support for the Transport Layer Security (TLS) 1.2 cryptographic protocol (a successor to the Secure Sockets Layer/SSL protocol), which improves application security.
Oracle WebLogic Server is optimized for use as a high-performance and elastic cloud infrastructure to support the execution of critical enterprise applications on Oracle Exalogic Elastic Cloud, a cloud computing appliance. The Oracle application server is also a key component of Oracle Java Cloud Service, an enterprise platform for developing, deploying, and managing critical Java EE business applications.
2010: Composition of Oracle WebLogic Server
Developed by Oracle, WebLogic Server is based on the Java EE family of products and as of December 2010 includes:
- Java EE application server, WebLogic Application Server
- Enterprise portal, WebLogic Portal
- Enterprise application integration platform
- Transaction and infrastructure server, WebLogic Tuxedo
- Telecommunications platform, WebLogic Communication Platform
- HTTP web server
