Back in August 2020, we alerted that many global500 or fortune500 companies could be easily compromised by exploitation of known trivial vulnerabilities.
Now, we added a new check to our vulnscan category of information about an unauthenticated remote code execution on Oracle Weblogic servers. This vulnerability is named CVE-2020-14882. Here follows our test results.
Searching for potentially vulnerable systems
The first thing we have to do before checking for vulnerable systems is to find potentially vulnerable systems. Fortunately, there is a specific filter to use to query ONYPHE in order to fetch this list:
We found more than 14,000 exposed devices. But being exposed does not mean being exploitable. As we have developed our own non-intrusive check, we are able to verify in an innocuous way if they are vulnerable or not. Our checker just fetches Operating System and its version. Thus, we also have details about which kind of systems are used to host Weblogic servers.
As we don’t want to help cybercriminals and as there is already enough proof-of-concept codes available out there, we are not going to release our checker.
2. Count of vulnerable systems
By using a simple filter on our vulnscan category of information, we are able to know how many unique IP addresses are vulnerable, or how many unique domains and the count of unique fortune500/global500 companies. The filter is simply “cve:CVE-2020-14882“:
Beware, 2,000 is a misleading number as it does not return unique IP addresses result. Here are some screenshots from our back-end that allows to access the good numbers:
3. Operating System used to host Oracle Weblogic servers
As we fetch Operating System (OS) and their version information and set a specific field in our data, we are able to perform statistics based on these values:
Linux is the most used OS with 76.2% followed by Windows Server 2012 R2 with 11.1% and Windows Server 2016 with 8.4%. Interestingly, we also find SunOS and AIX OSes, even though they are not wildly used at all.
More than 1,100 unique IP addresses are impacted, accounting for 231 unique domains and at least 5 unique big companies.
This check will be executed every week from now on, so we will have updated information available for our Eagle View customers.
Patches are available, so apply them as quickly as possible as this vulnerability may end up in the next NSA’s TOP25 most exploited vulnerabilities by cybercriminals.