Oracle WebLogic Server Vulnerability Under Active Exploitation

June 4, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a security vulnerability in Oracle WebLogic Server in its Known Exploited Vulnerabilities catalog. This addition is due to evidence of active exploitation of the flaw, identified as CVE-2017-3506. This vulnerability is an operating system (OS) command injection flaw that, if exploited, can provide unauthorized access to vulnerable servers, allowing the attacker to assume full control.

The vulnerability resides in Oracle WebLogic Server, a component of the Fusion Middleware suite. It permits an attacker to execute arbitrary code through a specially crafted HTTP request containing a malicious XML document. CISA has not revealed the specifics of attacks leveraging this vulnerability. However, the 8220 Gang, a cryptojacking group based in China, has been known to exploit this flaw since early last year to incorporate unpatched devices into a crypto-mining botnet.

A recent report by Trend Micro observed the 8220 Gang weaponizing flaws in Oracle WebLogic Server, specifically CVE-2017-3506 and CVE-2023-21839, to launch a fileless cryptocurrency miner in memory using a shell or PowerShell script, depending on the targeted operating system. Security researcher Sunil Bharti noted that the gang employed obfuscation techniques, such as hexadecimal encoding of URLs and sending HTTP over port 443, which allowed for stealthy payload delivery. The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components.
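The hexadecimal URL encoding mentioned above leaves a simple signal in web server logs: percent-escapes for characters that never need encoding. The following detector is an added example written for this page, not code from Trend Micro, CISA or Oracle. It parses a few constructed access-log lines (the IPs, paths and timestamps are made up), counts needless escapes in each request URL, decodes the URL through several rounds to defeat double-encoding, and reports the requests worth a second look. The `min_needless` threshold is an assumed tuning value.

```python
"""Flag hex-obfuscated request URLs in web access logs (constructed sample data)."""
import re
from urllib.parse import unquote

# RFC 3986 "unreserved" characters never need percent-encoding in a URL.
# A client that encodes them anyway is usually trying to evade string matching.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Simplified combined-log format: ip ident user [ts] "METHOD URL PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for the example; not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2024:10:00:07 +0000] "POST /%73%65%72%76%69%63%65/%75%70%6c%6f%61%64 HTTP/1.1" 200 0
10.0.0.5 - - [01/Jun/2024:10:00:08 +0000] "GET /docs/my%20file.pdf HTTP/1.1" 200 40960
10.0.0.9 - - [01/Jun/2024:10:00:09 +0000] "GET /%2573%2565%2572%2576%2569%2563%2565 HTTP/1.1" 404 0
10.0.0.12 - - [01/Jun/2024:10:00:11 +0000] "POST /app/login HTTP/1.1" 200 1024
"""


def needless_escapes(url):
    """Return the %XX escapes in `url` that decode to characters which never need encoding."""
    return [
        m.group(0)
        for m in PCT_ESCAPE.finditer(url)
        if chr(int(m.group(0)[1:], 16)) in UNRESERVED
    ]


def decode_forms(url, rounds=3):
    """Decode `url` repeatedly (attackers double-encode) and return every intermediate form.

    Stops early once a round changes nothing, so a clean URL yields a one-element list.
    """
    forms = [url]
    for _ in range(rounds):
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms


def analyze(log_text, min_needless=3):
    """Return a finding dict for each request whose URL carries `min_needless` or more
    needless escapes in any decoding round (so double-encoded URLs are caught too)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        forms = decode_forms(m.group("url"))
        # Take the worst round: a double-encoded URL looks innocent until round two.
        needless = max(len(needless_escapes(f)) for f in forms)
        if needless >= min_needless:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "raw": m.group("url"),
                "decoded": forms[-1],
                "needless_escapes": needless,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['raw']} -> {f['decoded']} "
              f"({f['needless_escapes']} needless escapes)")
```

The check is deliberately endpoint-agnostic: it keys on the encoding behaviour rather than on a list of WebLogic paths, so it also surfaces probes against endpoints you did not think to list. The `%20` in the third sample line is a legitimate escape and is not counted, which keeps ordinary traffic out of the findings. Pair it with a separate check for cleartext HTTP arriving on port 443, the other evasion the report describes, since this parser only sees what the web server logged.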

In light of the active exploitation of CVE-2024-1086 and CVE-2024-24919, federal agencies are advised to apply the latest fixes by June 24, 2024, to protect their networks against potential threats.
