Hello, welcome to the Tuesday, May 1st, 2018 edition of the Sansonet Stormtonus Stormcast. My name is

Johannes Ulrich and I am recording from Jacksonville, Florida. If you're listening to this and if you're

running WebLogic, you probably know something bad is going to come. In April, Oracle released a critical patch update for its products.

With that it also patched yet another deserilization and remote code execution vulnerability in

web logic. Now there are two things that really make this particular flaw probably worse than the ones we had before.

First of all, there is an exploit out, so yes, if you haven't patched, you probably have already

been attacked. And secondly, while there is an exploit out, the patch actually doesn't

fix all the ways how this particular vulnerability could be exploited.

Oracle opted to just blacklist one very specific feature.

However, it did not patch the underlying vulnerability.

Now, ever since this proof of concept was released about a week ago,

we have seen very intense scans for Port 7,001 trying to exploit it, using sort of your

usual payloads. Haven't seen anything specifically yet that tries to bypass the patch, but

that's probably only a couple days

away if it hasn't been released already.

This modified exploit shouldn't really be all that difficult to pull off, so I highly

recommend that you do block port 7,001 to your Weblogic servers. That's the default port weblogic is listening on and that's what you do block port 7,001 to your Weblogic servers. That's the default port web logic is

listening on and that's what we usually see being scanned here. If you do need Port 7,001

exposed to the outside world for whatever critical business reason, then watch your Weblogic

servers very, very carefully.

Not really sure what else I could recommend there.

Maybe something like a web application firewall may buy you additional time until Oracle

...