We have seen active exploitation attempts of CVE-2018-2894, an Oracle WebLogic JSP File Upload Vulnerability, by malicious actors against our customers and against our honeynet since July 19, 2018. Successful exploitation provides attackers with shell access to the web server, which is a significant compromise risk. All users of Oracle Weblogic are strongly encouraged to apply security patches for this vulnerability immediately or to take otherwise mitigating actions.
CVE-2018-2894 consists of 2 arbitrary file upload vulnerabilities, one targeting config.do and one targeting begin.do.
- GET request to retrieve application settings at /ws_utc/resources/setting/options/general
- POST request to change the application working directory to one that is accessible over HTTP. Request sent to path : /ws_utc/resources/setting/options.
- POST request to upload arbitrary file to said working directory. Request sent to path : /ws_utc/css/config/keystore/.
- This vulnerability can be exploited remote and unauthenticated
- POST request to /ws_utc/resources/ws/config/import. Path traversal vulnerability in the multipart form name which allows attackers to upload a file to anywhere in the filesystem.
- In our testing of each version, authentication was required to access and exploit this vector.
The vulnerable Web Service Test client application is enabled by default when WebLogic is deployed in developer mode, and can be enabled on production mode. We observed the first attacks (config.do variation) against our honeynet on 19th July and have observed attacks against customers consistently since. This was observed almost exactly 1 day before exploit code was released on GitHub.
Remediate by applying latest patches or upgrading to the latest version of WebLogic.
Remediate by running WebLogic in production mode with the option “Enable Web Service Test Page” disabled (Console -> domain -> advanced).
Additional Resources / References
- https://translate.google.com/translate?hl=en&sl=zh-CN&u=https://paper.tuisec.win/detail/6499dfd62168d89&prev=search (20th July)
- https://github.com/111ddea/cve-2018-2894 (20 July)
- https://github.com/LandGrey/CVE-2018-2894 (20 July)