Workload Security
Oracle WebLogic Detection and Mitigation
We review 2020 and 2021 Oracle WebLogic vulnerabilities and how using a unified SaaS platform can help you detect and mitigate these sophisticated risks.
About Oracle WebLogic Vulnerabilities
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports several popular databases. WebLogic is extremely popular amongst Java developers; a 2020 survey of nearly 400 Java professionals named WebLogic the third most popular Java application server.
Although popular, the server has been riddled with exploited flaws across 2020 and 2021, affecting every supported release line from 10.3.6 through 14.1.1. Many of the Oracle WebLogic vulnerabilities Trend Micro observed are related to T3 deserialization: the server does not sufficiently validate the serialized Java objects carried in T3 requests, so an attacker who can reach the T3 listener can send a crafted object that is deserialized with the privileges of the WebLogic process, leading to remote code execution (RCE).
This article will review critical vulnerabilities from 2020 and 2021 that can be successfully exploited for RCE. We will also demonstrate how using a unified SaaS platform can help detect and mitigate these attacks.
Vulnerabilities overview
Before we demonstrate how to detect and mitigate Oracle WebLogic vulnerabilities, let’s review what we will be looking for. The following vulnerabilities all allow attackers to execute code on the server, essentially taking full control of the target. All but CVE-2020-14883 are rated Critical; that one requires an authenticated Administration Console user on its own, but chained with the console authentication bypass CVE-2020-14882 it yields unauthenticated RCE.
2020 Vulnerabilities
CVE-2020-14882
Component: Console
CVSSv3 risk score: 9.8
Supported versions affected: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
In October 2020, SANS ISC warned that this critical and easily exploitable RCE flaw in Oracle Fusion Middleware (Oracle WebLogic Server product) was being targeted by attackers. If attackers were successful in exploiting the vulnerability, they could compromise the Oracle WebLogic Server over HTTP without credentials and take complete control of the host.
Vulnerabilities related to CVE-2020-14882:
CVE-2020-14750
Component: Console
CVSSv3 risk score: 9.8
Supported versions affected: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
CVE-2020-14883
Component: Console
CVSSv3 risk score: 7.2
Supported versions affected: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
2021 Vulnerability
CVE-2021-2394
Component: Core
CVSSv3 risk score: 9.8
Supported versions affected: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
In July 2021, Oracle released its quarterly Critical Patch Update Advisory, which included 342 fixes for vulnerabilities including CVE-2021-2394. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 or the Internet Inter-ORB Protocol (IIOP) to compromise Oracle WebLogic Server.
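Because CVE-2021-2394 (like the other T3 deserialization flaws) only needs network access to the T3 listener, the first question for a defender is simply whether T3 is reachable and which release line answers. The following is an added example, not code from the original article or from Trend Micro: it sends the minimal T3 client hello and parses the `HELO:<version>.<true|false>` banner that a WebLogic T3 listener returns (the format documented by public T3 fingerprinting tools), then compares the reported version against the affected list given above. The sample banners in the test are constructed; the client hello field values are assumptions that any T3 listener accepts.

```python
import re
import socket
import sys
from typing import Optional

# Versions this page lists as affected by CVE-2021-2394.
AFFECTED_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}

# Minimal T3 client hello (assumed values): protocol + client version, abbreviation
# table size (AS), header length (HL) and max message size (MS), terminated by a blank line.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# A live T3 listener answers "HELO:<server version>.<true|false>"; the trailing flag
# says whether the channel is TLS-protected (t3s).
HELO_RE = re.compile(r"^HELO:(?P<version>\d+(?:\.\d+)*)\.(?P<tls>true|false)")


def parse_t3_banner(banner: bytes) -> Optional[dict]:
    """Return {'version', 'tls'} from a T3 HELO banner, or None if this is not T3."""
    text = banner.decode("ascii", errors="replace")
    m = HELO_RE.match(text)
    if m is None:
        return None
    return {"version": m.group("version"), "tls": m.group("tls") == "true"}


def assess(banner: bytes) -> dict:
    """Turn a raw banner into a finding: is T3 exposed, and is the release line on the list?"""
    info = parse_t3_banner(banner)
    if info is None:
        return {"t3": False, "version": None, "tls": None, "affected": False}
    return {
        "t3": True,
        "version": info["version"],
        "tls": info["tls"],
        "affected": info["version"] in AFFECTED_VERSIONS,
    }


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Connect to a WebLogic listen port, send the hello and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        return assess(s.recv(4096))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    print(probe_t3(host, port))
```

A reachable T3 listener on an affected version line is an exposure finding, not proof of vulnerability: Critical Patch Updates do not change the version string in the banner, so confirm the patch level with `opatch lspatches` on the host. Where T3/IIOP is not needed from the network, Oracle's documented stopgap is a connection filter (`weblogic.security.net.ConnectionFilterImpl`) with a rule such as `0.0.0.0/0 * * deny t3 t3s`, and disabling IIOP on the listen channel.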
Detection and Remediation
Now that we’ve covered the vulnerabilities, let’s get into how we can detect and mitigate these critical flaws using a SaaS platform. Trend Micro Cloud One™ includes seven security services that help developers build securely and quickly from the moment code is committed into their repository. It’s integrated with Trend Micro Vision One™, which uses its industry-leading XDR capabilities to collect and correlate data across multiple security layers. Both products leverage automation, customizable APIs, and turnkey third-party integrations to simplify security.
By deploying Trend Micro Cloud One security services in your cloud environment of choice, you can continually scan files, images, containers, and even open source code, for malware and misconfigurations. Trend Micro Vision One ties everything together with XDR—it correlates events across Trend Micro Cloud One services so you can see everything that’s happening from a straightforward dashboard. Third-party integrations with your preferred communication channels ensures everyone is on the same page—ideal for those adopting a DevSecOps culture.
Ok, enough marketing. Let’s get into how Trend Micro Cloud One services can help you detect Oracle WebLogic Server vulnerabilities before a full-scale RCE attack is launched.
Trend Micro Cloud One:
As we mentioned, the attacker is scanning for Oracle WebLogic Server vulnerabilities so it can launch an RCE attack and compromise the entire system. Trend Micro Cloud One services offer multi-layered protection that surfaces hard-to-find T3 deserialization attempts. Trend Micro Cloud One™ – Network Security adds a layer of protection between the attacker and the vulnerable Oracle WebLogic Server, while Trend Micro Cloud One™ – Workload Security ensures your valuable containers and data centers are secured. Network Security continually scans and inspects ingress and egress traffic while leveraging protocol analysis, anomaly detection, indicators of compromise (IoC) blocking, and other methods to detect malware.
You can customize Workload Security post-scan actions to quarantine the detected threat for further investigation, after which it will be released or blocked. If the block action is unsuccessful, other Workload Security features are still activated to stop the threat. While this is happening, all necessary teams are notified of the entire investigation via preferred communication channels.
The following is a list of Network Security and Workload Security filters for detecting vulnerabilities:
Workload Security:
1010590 - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
1011096 - Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2021-2394)
Network Security:
Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2020-14750,
CVE-2020-14882, CVE-2020-14883)
Oracle WebLogic Server Memory Corruption Vulnerability
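The filters above inspect traffic in line; for a retrospective check, the same console-flaw requests also leave a distinctive trail in the WebLogic HTTP access log. The following is an added example, not part of the original article and not Trend Micro's filter logic: it scans access-log lines for the publicly reported CVE-2020-14882 pattern (a request under the unauthenticated static path `/console/css/` that percent-encodes `..` once or twice to traverse back into `console.portal`) and for the CVE-2020-14883 follow-on (a `handle=` parameter that instantiates one of the gadget classes reported in the wild). The log lines and IP addresses are constructed; the common log format layout is an assumption.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed common-log-format layout of the WebLogic HTTP access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Static console path that is served without authentication.
CONSOLE_STATIC = "/console/css/"
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Gadget classes publicly reported in CVE-2020-14883 exploitation via the console 'handle' parameter.
SUSPICIOUS_HANDLE_CLASSES = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)

# Constructed sample lines: one benign login, one traversal-only bypass, one bypass plus handle= payload,
# and one legitimate static-file fetch under /console/css/ that must not be flagged.
SAMPLE_LOG = [
    '198.51.100.4 - - [29/Oct/2020:10:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4093',
    '203.0.113.7 - - [29/Oct/2020:10:12:09 +0000] "GET /console/css/%252e%252e/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 30817',
    '203.0.113.7 - - [29/Oct/2020:10:12:11 +0000] "GET /console/css/%252e%252e/console.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27id%27)%22) HTTP/1.1" 200 30817',
    '198.51.100.4 - - [29/Oct/2020:10:13:00 +0000] "GET /console/css/console.css HTTP/1.1" 200 1220',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e becomes '..' like %2e%2e does."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list:
    """Return a list of findings for one request target (path + query); empty if it looks benign."""
    findings = []
    parts = urlsplit(fully_decode(target))
    path = parts.path
    if path.lower().startswith(CONSOLE_STATIC) and TRAVERSAL.search(path):
        landing = posixpath.normpath(path)
        findings.append(
            f"CVE-2020-14882 pattern: unauthenticated path {CONSOLE_STATIC} traverses to {landing}"
        )
    for handle in parse_qs(parts.query).get("handle", []):
        for cls in SUSPICIOUS_HANDLE_CLASSES:
            if handle.startswith(cls):
                findings.append(f"CVE-2020-14883 pattern: handle= instantiates {cls}")
    return findings


def scan_log(lines) -> list:
    """Run classify_request over access-log lines; return one hit per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line we understand
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], "; ".join(hit["findings"]))
```

The HTTP status is kept in each hit on purpose: a 200 on the traversal request means the console answered a page it should have refused, which is the difference between a scan and a successful bypass. Decoding is bounded to a few rounds so a log line cannot make the scanner loop, and the normalized landing path is reported so an analyst can see which console resource was reached.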
Trend Micro Vision One:
XDR capabilities correlate the Oracle WebLogic Server detections into the Trend Micro Vision One Workbench, allowing security teams to see the entire chain of attack and drill down into affected components.
Incident View:
Here is the incident view of CVE-2021-2394. This view gives you a snapshot of the vulnerability.
Workbench Alerts:
Based on Network Security:
You can click into the vulnerability to see the details of the IP address targeting the server. This simplified view helps security teams understand the origin of the attack.
Workload Security:
Next steps
You can simplify your security tech stack by utilizing a unified platform approach. This reduces time spent manually correlating data across various point products and enhances visibility for faster detection and remediation. See how Trend Micro Vision One powers layered detection and response for cloud builder security tools like Trend Micro Cloud One with a free, 30-day trial.