Oracle WebLogic Servers Under Attack

Attacks began shortly after the PoC code was published
26 July 2018

Information security specialists from Qihoo 360 Netlab reported that Oracle WebLogic servers are being attacked. The targets are systems that have not yet received the recently released patch for the critical vulnerability CVE-2018-2893.

CVE-2018-2893 is a flaw in a core Oracle WebLogic Server component that allows an attacker to take control of a server and execute arbitrary code on it; no credentials for the system are needed to carry out the attack.

On July 18, 2018, Oracle published an update that addresses a number of vulnerabilities, but three days later several PoC exploits appeared on the web, two of which are still available online. Once news of the exploits spread, the first attacks began on July 21.

Experts believe that at least two groups of attackers are involved and that they have apparently automated the exploitation of the vulnerability for their own purposes.

The vulnerability affects Oracle WebLogic versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Oracle recommends that server owners promptly install the July 2018 Critical Patch Update, which also closes security holes in Java SE, VirtualBox, MySQL and other products. Since exploitation requires no authentication and is already automated, an unpatched server reachable from the network should be treated as exposed, not merely at risk.

Java SE 14 Now Available

Java SE 14 is a regular (non-LTS) release, for which updates will be issued only until the next release appears
18 March 2020

After six months of development, Oracle has released Java SE 14 (Java Platform, Standard Edition 14), which uses the OpenJDK open source project as its reference implementation. Java SE 14 is intended to remain backward compatible with previous releases of the Java platform, so existing Java projects should run under the new version without changes. Ready-to-install JDK builds are available for Linux (x86_64), Windows and macOS. The Java 14 reference implementation developed by the OpenJDK project is fully open under the GPLv2 license with the Classpath exception, which allows linking into commercial products.

Java SE 14 is a regular release with a short support period: updates for it will be released only until the next release appears. For a long-lived (LTS) branch, Java SE 11 should be used; its updates will be released until 2026. The previous LTS branch, Java 8, will be supported until December 2020, and the next LTS release is scheduled for September 2021. Recall that since Java 10 the project has followed a new development process with a shorter release cycle: new functionality is developed in a single, continuously updated master branch into which finished changes are merged, and from which a release branch is cut every six months to stabilize the next version.

These are some of the changes and updates:

  • Added preview support for pattern matching in the instanceof operator, which binds the checked value to a local variable in the same expression, so the explicit cast that normally follows the test is no longer needed.
  • Added preview support for the new "record" keyword, which provides a compact form for defining classes whose purpose is only to hold data in their fields, without explicitly writing low-level methods such as equals(), hashCode() and toString().
  • A record declaration automatically generates the constructor, an accessor method for each field, and the equals(), hashCode() and toString() methods; record fields are final, so no setters are generated.
  • Standardized and enabled by default is the new form of the switch statement that does not require a break statement, allows several labels to be combined in one case, and can be used not only as a statement but also as an expression that yields a value.
  • Preview support for text blocks has been extended: a new form of string literal that allows multiline text to be included in the source code without character escaping, preserving the original formatting of the text within the block.
  • NullPointerException messages have been made more informative: the message now describes which reference was null and what was being accessed. In JDK 14 this is switched on with the -XX:+ShowCodeDetailsInExceptionMessages option.
  • A preliminary (incubator) version of the jpackage utility has been implemented, which creates native installation packages for self-contained Java applications.
  • A new memory allocation mechanism has been added to the G1 garbage collector that takes into account the specifics of large systems with a NUMA architecture.
  • Added an API for streaming JFR (JDK Flight Recorder) events as they occur, for example to build continuous monitoring.
  • Added the jdk.nio.mapmode module, which offers new modes (READ_ONLY_SYNC, READ_WRITE_SYNC) for creating mapped byte buffers (MappedByteBuffer) that refer to non-volatile memory (NVM).
  • A preliminary (incubator) version of the Foreign-Memory Access API has been implemented, which allows Java applications to safely and efficiently access memory outside the Java heap through the new abstractions MemorySegment, MemoryAddress and MemoryLayout.
  • The ports for Solaris and SPARC (Solaris/SPARC, Solaris/x64 and Linux/SPARC) are deprecated with the intention of removing them.
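The following program is an added illustration of the language changes listed above (records, pattern matching for instanceof, switch expressions, text blocks and the more informative NullPointerException messages); it is not code from Oracle or the OpenJDK project. The audit-event type, the field names and the sample events are constructed for the example and are not taken from any real log format.

```java
// AddedExample.java: demonstrates the Java 14 language changes listed above.
// Added illustration, not code from Oracle or the OpenJDK project.
// Records and instanceof pattern matching are preview features in JDK 14 and
// text blocks are in their second preview, so compile and run with:
//   javac --enable-preview --release 14 AddedExample.java
//   java  --enable-preview AddedExample
// On JDK 16 or later these features are final and the flags can be dropped.
import java.util.List;

public class AddedExample {

    // A record declares its fields once; the canonical constructor, the
    // accessors user(), action(), failures(), and equals(), hashCode() and
    // toString() are generated. Fields are final, so there are no setters.
    // (AuditEvent is a hypothetical type made up for this example.)
    record AuditEvent(String user, String action, int failures) {
        // A compact constructor can still validate the components.
        AuditEvent {
            if (failures < 0) {
                throw new IllegalArgumentException("failures must not be negative");
            }
        }
    }

    // Switch expression: arrow labels need no break, several labels can share
    // one case, and the switch itself yields a value.
    static String severity(AuditEvent ev) {
        return switch (ev.action()) {
            case "login_failed"            -> ev.failures() >= 5 ? "HIGH" : "LOW";
            case "sudo", "privilege_change" -> "HIGH";
            case "login_ok", "logout"       -> "INFO";
            default                         -> "UNKNOWN";
        };
    }

    // Pattern matching for instanceof: the type test and the cast are one step,
    // and the binding variable is in scope wherever the test is known to hold,
    // including the right-hand side of the && below.
    static String describe(Object o) {
        if (o instanceof AuditEvent ev && ev.failures() > 0) {
            return ev.user() + " failed " + ev.failures() + " time(s)";
        }
        if (o instanceof String s) {
            return "raw line: " + s.strip();
        }
        return "unrecognized input: " + o;
    }

    // Text block: a multi-line literal with no escaping; the indentation shared
    // with the closing delimiter is stripped from every line.
    static final String REPORT_TEMPLATE = """
        Security report
        ---------------
        high-severity events: %d
        """;

    public static void main(String[] args) {
        // Constructed sample events for the example, not real log data.
        List<AuditEvent> events = List.of(
            new AuditEvent("alice", "login_ok", 0),
            new AuditEvent("bob", "login_failed", 7),
            new AuditEvent("carol", "privilege_change", 0),
            new AuditEvent("dave", "login_failed", 2));

        long high = events.stream()
                          .filter(ev -> "HIGH".equals(severity(ev)))
                          .count();

        for (AuditEvent ev : events) {
            // The generated toString() prints AuditEvent[user=..., action=..., failures=...]
            System.out.println(ev + " -> " + severity(ev) + "; " + describe(ev));
        }
        System.out.println(describe("  2020-03-18 unparsed line  "));
        System.out.print(String.format(REPORT_TEMPLATE, high));

        // Helpful NullPointerException messages: in JDK 14 they must be switched
        // on with -XX:+ShowCodeDetailsInExceptionMessages (on by default from
        // JDK 15). The message then states that the receiver of user() was null.
        AuditEvent missing = null;
        try {
            missing.user();
        } catch (NullPointerException npe) {
            System.out.println("NPE: " + npe.getMessage());
        }
    }
}
```

Running this on JDK 14 with the preview flags prints the four classified events, the report built from the text block, and, if -XX:+ShowCodeDetailsInExceptionMessages is also passed, a NullPointerException message that names the null receiver rather than the bare "null" of earlier releases.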

Get more at the Oracle website.