[Security Alert] WebLogic Server Vulnerability CVE-2017-10271
- Source: SANGFOR Security Center
- Date Published: 2018-01-03
Recently, a great many enterprises have had WebLogic servers attacked by hackers. Sangfor Security Team released a security alert that unpatched WebLogic servers contain a high-threat vulnerability (CVE-2017-10271). As of now, more than one exploit kit is available on the Internet.
Definition From Encyclopedia
WebLogic Server is an application server developed by Oracle Corporation. More specifically, it is middleware based on the Java EE platform that can be used to develop, integrate, deploy and manage large-scale distributed web applications and database applications.
WLS-WSAT is the WebLogic component that contains this vulnerability. Attackers can exploit it by crafting malicious data packets that trigger deserialization and execute remote commands. While handling customers' security events caused by this vulnerability, we found that it has been exploited by a mining program, watch-smartd.
To verify the vulnerability, we built a WebLogic environment and ran a PoC with an exploit kit available on the Internet, exploiting the vulnerability to create a file named Sangfor under the directory /tmp. The file was created successfully.
Affected Versions
Oracle WebLogic Server 10.3.5.0
Oracle WebLogic Server 10.3.6.0
Oracle WebLogic Server 220.127.116.11
Oracle WebLogic Server 18.104.22.168
Oracle WebLogic Server 22.214.171.124
1. Oracle has released patches to fix the vulnerability CVE-2017-10271. To patch affected versions, you may visit the following link to download the patches.
2. For Sangfor NGAF customers, update the security database to the latest version.
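To check whether a server was probed through the WLS-WSAT component or is running the watch-smartd miner described above, the following added example (not part of the original alert or of any Sangfor tooling) triages an access log and a process listing. It assumes the component is served under the /wls-wsat/ context path and that the access log is in Common Log Format; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumptions (not stated in the alert): WLS-WSAT is served under the
# /wls-wsat/ context path and access.log is in Common Log Format.
WSAT_PATH = re.compile(r"^/wls-wsat(/|$)", re.IGNORECASE)
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
MINER_NAME = "watch-smartd"  # mining program named in the alert

def find_wsat_requests(lines):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for WLS-WSAT hits."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        path = m.group("path").split("?", 1)[0]
        if WSAT_PATH.match(path):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("method"), path, int(m.group("status"))))
    return dict(hits)

def needs_review(hits):
    """Clients whose POST to WLS-WSAT was not rejected (403) or unserved (404)."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(method == "POST" and status not in (403, 404)
               for _ts, method, _path, status in reqs))

def find_miner(process_lines):
    """Return process names or command lines that contain the miner's name."""
    return [p for p in process_lines if MINER_NAME in p]

# Constructed sample data (documentation IP ranges), not taken from a real incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2018:10:15:01 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3128',
    '203.0.113.7 - - [02/Jan/2018:10:15:09 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1183',
    '203.0.113.7 - - [02/Jan/2018:10:15:12 +0800] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 822',
    '198.51.100.23 - - [02/Jan/2018:11:02:44 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 1164',
    'line that is not in Common Log Format',
]
SAMPLE_PS = ["/usr/sbin/sshd -D", "/tmp/watch-smartd", "java -Dweblogic.Name=AdminServer"]

if __name__ == "__main__":
    hits = find_wsat_requests(SAMPLE_LOG)
    print("WLS-WSAT requests by client:", hits)
    print("Clients to review first:", needs_review(hits))
    print("Miner processes:", find_miner(SAMPLE_PS))
```

A client flagged by `needs_review` on an unpatched server, or any match from `find_miner`, is a reason to treat the host as potentially compromised rather than only patching it.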