In late October 2020, the cybersecurity community spotted malicious activity targeting Oracle WebLogic servers. It took the form of recurring exploitation of an RCE vulnerability in the Oracle WebLogic Server console component, tracked as CVE-2020-14882. The CVE is rated critical, with a CVSS score of 9.8.
SANS ISC and Rapid7 Labs were the first to track adversaries compromising Oracle WebLogic servers through this critical RCE flaw. The fact that the vulnerability was being actively exploited shortly after Oracle released a patch added to the growing tension. A malicious HTTP request is enough to give a threat actor full control over the host: an unauthenticated remote attacker can exploit the flaw in the Oracle WebLogic Server with a single HTTP GET request.
Here’s an open-source Proof of Concept for CVE-2020-14882 released on GitHub.
CVE-2020-14882 Proactive Exploit Detection and Mitigation Techniques
In response to the exploitation attempts, Oracle promptly released patches for CVE-2020-14882. The following server versions are the most exposed to this critical vulnerability:
Organizations running Oracle WebLogic Server are strongly advised to apply the released patches to defend against attempts to exploit CVE-2020-14882. Organizations that cannot patch in the short term can fall back on a set of mitigation techniques. These cannot replace patching, but they do reduce the risk:
- Blocking access to the admin portal
- Continuous monitoring of network traffic for HTTP requests that attempt to compromise the server
- Checking for suspicious child processes spawned by the application, such as cmd.exe or /bin/sh
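As an added illustration of the last two mitigations (not code from the original post or from SOC Prime), the following Python script applies both checks to constructed sample data: it flags access-log requests to the admin console from outside an assumed admin network (the default console path /console/ and the 10.0.0.0/8 admin range are assumptions), and flags Sysmon-style process-creation events in which the WebLogic JVM spawns cmd.exe or /bin/sh.

```python
import ipaddress
import re
from typing import Dict, List

# Combined access-log format: client IP first, request line in quotes.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
CONSOLE_PREFIX = "/console/"                      # assumed default admin console path
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")    # hypothetical admin network
SHELLS = {"cmd.exe", "sh", "bash"}                # shells the post names as suspicious


def console_access_from_outside(access_log: str, admin_net=ADMIN_NET) -> List[str]:
    """Return access-log lines where a source outside the admin network reaches the console.

    Any external request to /console/ is worth an alert, with or without a payload,
    because the admin portal should not be reachable from there at all.
    """
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith(CONSOLE_PREFIX):
            continue
        if ipaddress.ip_address(m.group("ip")) not in admin_net:
            hits.append(line)
    return hits


def shell_spawned_by_weblogic(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation events where the WebLogic JVM spawns a shell.

    Field names follow Sysmon Event ID 1 (Image, ParentImage, ParentCommandLine).
    A java parent running weblogic.Server that launches cmd.exe or sh is flagged.
    """
    def basename(path: str) -> str:
        return path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [ev for ev in events
            if basename(ev["Image"]) in SHELLS
            and basename(ev["ParentImage"]) in ("java", "java.exe")
            and "weblogic.server" in ev["ParentCommandLine"].lower()]


# Constructed sample data, not real traffic or telemetry.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [28/Oct/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4012
203.0.113.7 - - [28/Oct/2020:10:00:05 +0000] "GET /console/css/ HTTP/1.1" 302 0
203.0.113.7 - - [28/Oct/2020:10:00:06 +0000] "GET /app/index.jsp HTTP/1.1" 200 812
"""
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Oracle\\jdk\\bin\\java.exe",
     "ParentCommandLine": "java.exe -Dweblogic.Name=AdminServer weblogic.Server"},
    {"Image": "/bin/sh", "ParentImage": "/usr/bin/java",
     "ParentCommandLine": "java -Dweblogic.Name=AdminServer weblogic.Server"},
    {"Image": "/bin/sh", "ParentImage": "/usr/sbin/cron", "ParentCommandLine": "/usr/sbin/cron -f"},
]
```

Run against the samples, the first function returns only the 203.0.113.7 console request and the second returns the two shell launches whose parent is the WebLogic JVM, leaving the cron-spawned shell alone.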
According to the Spyse search engine, over 3,000 Oracle WebLogic servers remain vulnerable to CVE-2020-14882 even after the patch release. This makes it important for CISOs and their teams to obtain SOC content compatible with the organization’s security tools in order to proactively defend against CVE-2020-14882 exploits.
SOC Content Tagged with CVE-2020-14882
SOC Prime Threat Detection Marketplace offers 81,000+ SOC content items tailored to a company-specific threat profile and tagged with particular CVEs, TTPs used by APT groups, and MITRE ATT&CK® parameters. The SOC Prime team of content developers and Threat Bounty content contributors constantly enrich the global SOC content library with cross-platform detection and response algorithms, parsers, configs, YARA rules, machine learning models, and dashboards. A newly released rule crafted by Emir Erdogan enables proactive exploit detection for CVE-2020-14882. You can download this SOC content right from Threat Detection Marketplace:
- Log in to the platform.
- Enter “CVE-2020-14882” in the Search field, and the Content page will update displaying search results matching your criteria.
- Click the content item with the detection content you need.
- Select the platform to convert the rule to the format applicable to your security solution.
- Manually deploy content to your SIEM, EDR, or NTDR instance with a single click.
Currently, this SOC content addressing CVE-2020-14882 is available for the majority of SIEM and EDR solutions, including the open Sigma signature format, Elastic Stack, and cloud-based security tools like Azure Sentinel, Sumo Logic, and Chronicle Security.
Translations for Corelight, CrowdStrike, Microsoft Defender ATP, and Sysmon are coming soon.
Looking for the latest SOC content compatible with your security tools? Sign up for Threat Detection Marketplace — it’s totally free! If you enjoy coding and want to craft your own curated content, join our Threat Bounty Program and help us enrich the Threat Detection Marketplace content library.