Hello, welcome to the Thursday, June 20th, 2019 edition of the Sansonet Storms and Stormcast.

My name is Johannes Ulrich, and the time I'm recording from Washington, D.C.

Oracle today released a special out-of-band security bulletin regarding a new vulnerability in WebLogic.

Just like prior vulnerabilities in WebLogic, this is an XML decoder, deserilization vulnerability

again and can to lead to arbitrary code execution. It actually appears to be yet another version of this vulnerability.

We have seen quite a number of them in WebLogic already so far.

They tend to be pretty easy to exploit and this particular issue was apparently already exploited in the wild. Orgel has released patches for most

versions of Weblogic. Apparently 12.2.1.3 is still waiting for a patch, but by the time

you're listening to this, the patch may already be available.

As far as the overall risk goes, Shodon actually only sees about 2,000 to 3,000 different exposed

WebLogic servers. At this point, I would think that most serious users of WebLogic have gotten the message

that it's not a good idea to expose these systems directly to the internet.

The ones that are exposed, I would guess, are probably already exploited because we do

see a large number of exploit attempts against our honeypots.

Whether or not these exploit attempts are this latest vulnerability or one of the prior ones is difficult to tell.

The endpoints are the same. They're being attacked here and the vulnerabilities are similar enough

where it can be difficult to

distinguish the different exploit attempts. I've got an interesting log snippet

from a reader's mail server. Now this mail server isn't running XM but still

was attacked using the recent XM vulnerability.

This is the vulnerability that's also known as Return of the Wizard

that has been known for about two weeks now and has pretty much been exploited as soon as the vulnerability became known.

...