Attackers target Oracle WebLogic Server

Attackers are targeting a vulnerability in Oracle's WebLogic Server. It allows for full compromise of the instance.

A vulnerability in Oracle's WebLogic Server is currently being exploited. The security flaw has been known since mid-2024, with updates available since the Critical Patch Update from July 2024.

The US cybersecurity authority CISA is currently warning about this. The vulnerability has been added to the "Known Exploited Vulnerabilities" catalog, and US authorities have until June 4th to address it.

The vulnerability is located in Oracle Fusion Middleware; specifically, the vulnerability advisory names the component "Core". Unauthenticated attackers from the network can access and compromise vulnerable Oracle WebLogic servers using the proprietary T3 and IIOP protocols. The manufacturer does not provide further details. Successful attacks lead to unauthorized access to critical data or complete access to all available data on the WebLogic server (CVE-2024-21182, CVSS 7.5, Risk "high").

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are vulnerable, and possibly other, no longer supported versions as well. Because of the ongoing attacks, IT managers should ensure that any Oracle WebLogic Server in their environment is running a current, patched version.

As usual, CISA does not explain how the attacks are carried out or to what extent they are occurring. There are therefore no helpful Indicators of Compromise (IOCs) that administrators could search for to detect (successful) attacks.

Reports of actively exploited vulnerabilities are currently increasing. IT managers should therefore ensure that the software used in their networks is kept up to date at all times. For example, it became known on Monday this week that a vulnerability in PAN-OS, Palo Alto Networks' network operating system, is already being exploited. The flaw allows attackers to bypass security measures; this comes just around two weeks after the manufacturer reported the vulnerability and provided a patch.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.