Umm, Oracle – about that patch? It might not be very sticky …
Earlier this month, Oracle patched a critical vulnerability in its WebLogic server – but someone identifying himself as an Alibaba security researcher reckons Big Red botched the patch.
The bug in question was fixed in Oracle’s 254-strong quarterly patchfest that was headlined by Java and Spectre fixes.
Tucked way down on the patch list was CVE-2018-2628 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2628), an “easily exploitable” complete remote takeover of the WebLogic server.
Over the weekend, @pyn3rd (whose Twitter bio says simply “Security researcher at @alibaba_cloud”) tweeted that the “critical patch update of 2018.4 can be bypassed easily”, along with a proof-of-concept (PoC) GIF.
#CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 can be bypassed easily. pic.twitter.com/Vji19uv4zj
— pyn3rd (@pyn3rd) April 28, 2018
How could this be? From @pyn3rd again:
Here is the difference: just use java.rmi.activation.Activator to replace java.rmi.registry.Registry pic.twitter.com/xeH0Ck86G3
— pyn3rd (@pyn3rd) April 29, 2018
Kevin Beaumont, @GossiTheDog, elucidated further, writing that “It looks like Oracle isn’t even fixing the issues here, they’re just blacklisting commands. In this case they missed the very next command.”
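To make Beaumont's point concrete, here is an added illustration (not Oracle's WebLogic patch, and not code from the article or from either researcher) of what a denylist-style deserialization fix looks like next to an allowlist-style one, built with the JDK's own ObjectInputFilter (JEP 290, Java 9 and later). The two class names are the ones named in the tweets above; the filter patterns, the probe list and the helper that asks a filter for its verdict are assumptions made for the demo.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.ObjectInputStream;

/**
 * Added illustration: a denylist deserialization filter versus an allowlist one.
 * This is NOT Oracle's fix; it only models the pattern the article describes,
 * using the two class names that appear in the article.
 */
public class DeserializationFilterDemo {

    // Denylist: rejects only the class someone thought to name. Any other class,
    // including the next one in the same package, comes back UNDECIDED, and an
    // UNDECIDED class is deserialized as if no filter were present.
    static final ObjectInputFilter DENYLIST =
            ObjectInputFilter.Config.createFilter("!java.rmi.registry.Registry;maxdepth=20");

    // Allowlist: names the types this endpoint legitimately expects, then rejects
    // everything else with a trailing "!*". Classes nobody has heard of yet get
    // no free pass.
    static final ObjectInputFilter ALLOWLIST =
            ObjectInputFilter.Config.createFilter("java.lang.*;java.util.ArrayList;!*;maxdepth=20");

    // Minimal FilterInfo so a filter can be asked for its verdict on a class
    // without building a serialized stream: this evaluates policy, not payloads.
    static ObjectInputFilter.FilterInfo infoFor(Class<?> cls) {
        return new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return cls; }
            public long arrayLength() { return -1; }
            public long depth()       { return 1; }
            public long references()  { return 0; }
            public long streamBytes() { return 0; }
        };
    }

    // Hypothetical helper for the demo: resolve a class by name and run the filter.
    // java.rmi.activation was removed from the JDK in Java 17, so on newer JDKs
    // that probe cannot be resolved and is reported as REJECTED, which is also
    // what ObjectInputStream does with a class it cannot load.
    static Status decide(ObjectInputFilter filter, String className) {
        try {
            Class<?> cls = Class.forName(className, false, ClassLoader.getSystemClassLoader());
            return filter.checkInput(infoFor(cls));
        } catch (ClassNotFoundException e) {
            return Status.REJECTED;
        }
    }

    // How a filter is actually attached to a stream in application code.
    static void attach(ObjectInputStream in) {
        in.setObjectInputFilter(ALLOWLIST);
    }

    public static void main(String[] args) {
        String[] probes = {
            "java.rmi.registry.Registry",      // the class the denylist names
            "java.rmi.activation.Activator",   // the "very next" class it does not name
            "java.util.ArrayList",             // a type the endpoint really uses
        };
        for (String name : probes) {
            System.out.printf("%-32s denylist=%-9s allowlist=%s%n",
                    name, decide(DENYLIST, name), decide(ALLOWLIST, name));
        }
    }
}
```

The denylist rejects Registry and nothing else: Activator and ArrayList both come back UNDECIDED, and the JDK treats UNDECIDED as permission to deserialize. The allowlist rejects both RMI classes and admits only the one type the endpoint is supposed to receive, which is the property a denylist cannot give you no matter how many names are added to it.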
The Register has asked Oracle whether it plans to address the issue. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/30/umm_oracle_about_that_patch_there_could_be_bad_news/