The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Oracle WebLogic Server vulnerability that was patched two years ago and is now actively exploited in attacks.
Oracle WebLogic Server is an enterprise-grade Java app server used as middleware for large, multi-tier distributed applications.
Tracked as CVE-2024-21182, this security flaw can be exploited remotely by threat actors with no privileges in low-complexity attacks targeting systems running Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
"Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server," Oracle said when it released security patches for CVE-2024-21182 in July 2024.
"Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data."
Internet intelligence platform Shodan now tracks 1,592 Oracle WebLogic servers exposed online that report a version affected by CVE-2024-21182 (961 running version 12.2.1.4.0 and 631 running version 14.1.1.0.0). A version banner alone does not show whether the July 2024 patch has been applied, so the figure is an upper bound on exposed unpatched hosts.
Oracle WebLogic Server instances exposed online (Shodan)
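Oracle's advisory names T3 and IIOP as the network vector and lists the two affected release lines, so the first question for a defender is which reachable WebLogic ports still answer the T3 handshake and which version they report. The following is an added inventory check, not code from the article, Oracle or CISA. It sends the T3 greeting (the same opening line used by Nmap's weblogic-t3-info script) and classifies the server's HELO banner against the affected versions named above. Assumptions: the default listen port is 7001, the banner has the form `HELO:<version>.<true|false>`, and the sample responses in the block are constructed. It does not probe IIOP, does not attempt exploitation, and, as noted above, a version banner cannot confirm whether the July 2024 patch is installed; confirm patch level on the host with OPatch (`opatch lsinventory`).

```python
import re
import socket
import sys
from typing import Optional

# Release lines Oracle lists as affected by CVE-2024-21182.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Opening message of the T3 handshake. A WebLogic listener with T3 enabled
# replies with a HELO line carrying its version; an HTTP-only port or a
# listener with T3 filtered replies with something else or nothing.
T3_HELLO = b"t3 12.2.3\nAS:255\nHL:19\n\n"

# Assumed banner layout: "HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n...".
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)")


def parse_t3_helo(response: bytes) -> Optional[dict]:
    """Extract version and trailing flag from a T3 HELO reply.

    Returns None when the bytes are not a T3 HELO (T3 disabled, a
    non-WebLogic service, or a connection that was silently dropped).
    """
    m = HELO_RE.match(response)
    if not m:
        return None
    return {"version": m.group(1).decode(), "flag": m.group(2).decode()}


def classify(response: bytes) -> str:
    """Map a raw reply to one of three inventory states."""
    banner = parse_t3_helo(response)
    if banner is None:
        return "no-t3"
    if banner["version"] in AFFECTED_VERSIONS:
        return "affected-version"
    return "other-version"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the T3 greeting and return whatever the listener sends back.

    Network call; the offline checks below use constructed replies instead.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            return s.recv(1024)
    except (OSError, socket.timeout):
        return b""


# Constructed sample replies, not captured traffic.
SAMPLE_AFFECTED = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_OTHER = b"HELO:14.1.2.0.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def demo() -> dict:
    """Classify the constructed samples; returns a name -> state mapping."""
    return {
        "affected": classify(SAMPLE_AFFECTED),
        "other": classify(SAMPLE_OTHER),
        "http": classify(SAMPLE_HTTP),
    }


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Usage: python t3_inventory.py <host> [port]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        reply = probe_t3(sys.argv[1], target_port)
        print(f"{sys.argv[1]}:{target_port} -> {classify(reply)} "
              f"{parse_t3_helo(reply) or ''}")
    else:
        for name, state in demo().items():
            print(f"{name}: {state}")
```

Run it against each WebLogic listener in scope (including any admin-channel or cluster ports that also speak T3, not only 7001) and treat every `affected-version` result as unpatched until OPatch on the host says otherwise; treat `no-t3` as "not reachable over T3 from here", which does not rule out IIOP or reachability from another network segment.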
On Thursday, CISA added the vulnerability to its catalog of security flaws exploited in attacks and ordered federal agencies to patch their WebLogic servers by midnight on Thursday, June 4, as mandated by Binding Operational Directive (BOD) 22-01.
While BOD 22-01 applies only to federal agencies, CISA urged all network defenders, including those in the private sector, to patch their systems against ongoing CVE-2024-21182 attacks as soon as possible.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."