For this week’s security assessment, I chose the article entitled “Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch” from bleepingcomputer.com. The article explains that shortly after Oracle released its quarterly patch, the “Critical Patch Update” (Cimpanu, 2018), hackers began scanning the web for any WebLogic servers exposed to the Internet. The problem Oracle was patching scored “9.8 out of 10” (Cimpanu, 2018) in severity, because it allowed “attackers to execute code on remote WebLogic servers without needing to authenticate” (Cimpanu, 2018). As you might have guessed, this was a major problem that needed an immediate response. While Oracle’s attempt to fix it quickly is admirable, the solution the company settled on was not complete, meaning that instead of closing the hole, they potentially made it worse.
Oracle’s approach was to “blacklist the commands” (Cimpanu, 2018) that hackers were using to execute remote commands and take over the WebLogic server, instead of fixing the underlying flaw that allowed them to do so in the first place. This meant the problem was still there, and hackers only needed to find another way to reach it, which did not take very long. While Oracle blacklisted many of the commands hackers were using to gain access to the server, they missed several, leaving the door wide open. This response suggests the patch was rushed out to close the vulnerability quickly, without enough testing to verify that the fix actually did what it was supposed to and that it was complete. Instead, we are left with systems that remain vulnerable even after the patch.
I decided to write on this story this week for a few different reasons. The first is that in the past, I have worked on several WebLogic servers for projects. Most of these servers were giant hulking monstrosities that no one wished to touch, as no one quite understood how they worked. Worse yet, these machines rarely received patches and would stay at the same version from the time they were installed. We need to be diligent about applying patches frequently, so that when major issues like this one are found and fixed, our software is updated alongside them.
With all of that said, I think this article really illustrates that companies responsible for keeping software up to date need to make sure their fixes are properly vetted and do not simply ‘paint over’ the issue. Fixes should address the core problem where possible, and they should be checked thoroughly to make sure the vulnerability is completely gone. The quick fix may have been to disable the known commands, but as we have seen, if you miss one, hackers regain access to the server.
Sources Cited:
Cimpanu, C. (2018, April 30). Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch. Retrieved May 2, 2018, from https://www.bleepingcomputer.com/news/security/hackers-scan-the-web-for-vulnerable-weblogic-servers-after-oracle-botches-patch/