7-year-old Oracle WebLogic bug under active exploitation

A seven-year-old Oracle vulnerability is the latest to be added to CISA's Known Exploited Vulnerability (KEV) catalog, meaning the security agency considers it a significant threat to federal government. CVE-2017-3506 affects Oracle's WebLogic Server, allowing for remote command execution on affected operating systems. …

  1. Anonymous Coward
    Boffin

    How to GetShell on CVE-2017-3506(Weblogic XMLDecoder Serialization)

    This is a poc of CVE-2017-3506(Weblogic XMLDecoder Serialization)

    Attackers can achieve remote code execution via specially crafted HTTP requests.

    a. It's been well known for ages that Java Serialization doesn't come with any security mechanisms.

    b. Never use web protocols on your security device /s

    c. I figure this is the quality of code you get when hiring on Indian programmers at $25 an hour /s

    d. Oracle fiscal year 2024 net profits: $3.76 billion.

    1. F. Frederick Skitty Silver badge

      Re: How to GetShell on CVE-2017-3506(Weblogic XMLDecoder Serialization)

      Oracle's Java products were mostly being worked on by their St Petersburg office based on my experience of submitting bug reports about them. That's the St Petersburg in Leningrad Oblast, Russia rather than one in Florida, USA. I suspect the need to move development elsewhere has slowed down Oracle's already glacial bug fixing...

    2. CowHorseFrog Silver badge

      Re: How to GetShell on CVE-2017-3506(Weblogic XMLDecoder Serialization)

      As opposed to the value of multi-million American managers who can't even code at all?

  2. sitta_europea Silver badge

    "The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs..."

    Ah, that's what "sophisticated" means. I'd been wondering, since so many of them seem to be described in that way.

    Blimey. Hexadecimal encoding. Never would have thought of that.

    1. Anonymous Coward
      Facepalm

      Sophisticated obfuscation techniques :o

      > hexadecimal encoding .. PowerShell .. batch scripts .. environment variables .. layered obfuscation .. malicious code .. benign scripts ..

      This is so last century. Real malware writers hide the payload in virtual machine code. The virtual machine being an emulator for an architecture that doesn't exist.

      -------

      sitta_europea:

      > "The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs..."

      > Ah, that's what "sophisticated" means. I'd been wondering, since so many of them seem to be described in that way.

      > Blimey. Hexadecimal encoding. Never would have thought of that.

  3. CowHorseFrog Silver badge

    You would have thought that with all those billions in profits WebLogic would have ripped out all java.io.Serializables...
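The two comments above (Java serialization "doesn't come with any security mechanisms" and "ripping out all java.io.Serializables") point at the same defensive control, so here is one added example, written for this page and not taken from the article, the commenters, or Oracle: the JDK's own deserialization filter (java.io.ObjectInputFilter, present since Java 9 and backported to 8u121) configured as a strict allowlist. The class names and sample payloads in it are constructed for the demonstration. Note that this filter only governs ObjectInputStream; java.beans.XMLDecoder, the component behind CVE-2017-3506, has no equivalent hook, which is why the only sound defence there is to never hand it untrusted input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class SafeDeserializer {

    // Allowlist filter: only the classes this application expects may be
    // instantiated from the stream. The trailing "!*" rejects every class not
    // matched earlier, and maxdepth bounds object-graph nesting. Any rejected
    // class makes readObject() throw InvalidClassException before the class
    // is instantiated, so gadget chains never get to run.
    private static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter(
                    "java.lang.String;java.util.ArrayList;maxdepth=5;!*");

    // Helper used only to build the constructed sample payloads below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The hardened read path: the filter is attached to the stream before
    // any object is read, so it is consulted for every class descriptor.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an expected payload (ArrayList of String) round-trips.
        byte[] allowed = serialize(new ArrayList<>(List.of("alpha", "beta")));
        System.out.println("allowed: " + deserialize(allowed));

        // Constructed sample 2: a class that is not on the allowlist. HashMap is
        // harmless here, but it stands in for any class an attacker might choose;
        // the point is that the filter rejects it without constructing it.
        byte[] rejected = serialize(new HashMap<String, String>());
        try {
            deserialize(rejected);
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist shape matters more than the specific names: a denylist of known gadget classes is what most pre-JEP-290 mitigations tried, and it fails every time a new chain is found. A process-wide default can also be set with the `jdk.serialFilter` system property (same pattern syntax), which catches ObjectInputStream uses buried in libraries rather than only the ones you write yourself.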
