Critical vulnerability leads to full server compromiseOracle has released an out-of-band patch for a critical vulnerability in the WebLogic Node Manager utility. The company was forced to take this step after exploit code has been publicly released by a security research company without any notification in advance.
According to an official description from Oracle's site, "Node Manager is a WebLogic Server utility that enables you to start, shut down, and restart Administration Server and Managed Server instances from a remote location. Although Node Manager is optional, it is recommended if your WebLogic Server environment hosts applications with high availability requirements."
The critical flaw in WebLogic Node Manager was disclosed two weeks ago by a Russian vulnerability research company called Intevydis, which describes it as a "remote preauth command execution bug." The Oracle advisory further explains that "a knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system."
All versions of WebLogic Server from 7.0 and above are affected, but the impact on Windows-based servers is particularly severe, because successful exploitation will lead to full system compromise. On Linux and UNIX systems attackers will only gain the permissions of the user WebLogic server is being run from.
Evgeny Legerov, founder of Moscow-based Intevydis, previously warned earlier this month that his company would disclose serious vulnerabilities affecting a wide range of software products as zero-days. The researcher seems to hold a grudge against vendors, that fail to release patches in a timely manner and because of this he ceased to follow what are known across the industry as "responsible disclosure practices."
"During the time our position to responsible disclosure policy has been evolved and now we do not support it. Because it is enforced by vendors and it allows vendors to exploit security researches to do QA work for free. You – ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time would not it be better to allocate resources to enforce good coding practices for all your amateur software developers?," he writes on the company's blog.