
How to Detect and Mitigate Oracle WebLogic CVE‑2018‑2628 Remote Code Execution

Oracle's April Critical Patch Update fixes a high‑severity remote code execution vulnerability (CVE‑2018‑2628) in WebLogic, and this guide explains the affected versions, impact scope, detection methods, and both official and interim protection measures using NIPS and next‑generation firewalls.

Efficient Ops

Oracle released its April Critical Patch Update (CPU) that addresses a high‑severity remote code execution vulnerability (CVE‑2018‑2628) in WebLogic. The flaw allows unauthenticated attackers to execute arbitrary code.

CVE‑2018‑2628 Vulnerability Impact Scope

Affected Versions

WebLogic 10.3.6.0

WebLogic 12.1.3.0

WebLogic 12.2.1.2

WebLogic 12.2.1.3

All listed versions are officially supported.

Affected Regions

According to NSFOCUS Threat Intelligence Center (NTI), there are 19,229 Internet‑exposed WebLogic assets worldwide, with 1,787 located in China.

The vulnerability resides in the WebLogic T3 service. T3 is enabled whenever the default WebLogic console port (7001) is open, which increases exposure. Because the flaw may be exploited for cryptocurrency mining, affected users should deploy protections promptly.

Vulnerability Impact Investigation

Internet Asset Impact Check

NSFOCUS provides a service to query Internet‑exposed assets. Enterprises can search their assets on the NTI platform to determine exposure.

Detection Tool Check

Enterprises can request on‑site detection from NSFOCUS support staff.

NSFOCUS Cloud

NSFOCUS Cloud offers a free online detection tool:

https://cloud.nsfocus.com/#/krosa/views/initcdr/productandservice?page_id=12

Vulnerability Protection

Official Patch

Oracle has fixed the vulnerability in the latest CPU. Affected users should download and apply the patch from the Oracle Support portal (requires a valid license).

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Security Product Protection

NSFOCUS Network Intrusion Prevention System (NIPS)

NSFOCUS provides protection rules for this vulnerability. Users with NIPS can upgrade the rule set:

1. Download the latest NIPS upgrade package (example version 5.6.10) from the official site: http://update.nsfocus.com/update/downloads/id/21006

2. In the system upgrade interface, select offline upgrade, choose the rule package file, and upload.

3. After successful update, locate rule ID 23614 in the default rule library to view details.

Note: The upgrade restarts the engine automatically without breaking sessions, though a few ping packets may be lost; schedule accordingly.

NSFOCUS Next‑Generation Firewall (NF)

NF users can also upgrade rules:

1. Download the latest NF upgrade package (example version 6.0.1) from: http://update.nsfocus.com/update/downloads/id/21007

2. Perform the upgrade via the NF rule upgrade interface.

Temporary Protection Measures

Block T3/T3S protocol access using WebLogic's default connection filter (weblogic.security.net.ConnectionFilterImpl). Configure the filter to deny traffic on port 7001 for these protocols.

Steps:

1. In the WebLogic console, navigate to the domain’s Security tab, then Filters, and edit the connection filter.

2. Set the filter class to weblogic.security.net.ConnectionFilterImpl and add the rule: * * 7001 deny t3 t3s

3. Save the configuration; the rule takes effect immediately without restarting.

4. Verify protection using detection scripts.

The rule format is: target localAddress localPort action protocols

where target specifies the server(s), localAddress can be a specific IP or '*', localPort defines the listening port (or '*'), action is allow or deny, and protocols must be one of http, https, t3, t3s, giop, giops, dcom, or ftp.
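
The rule format above, as an added example (not from the original article or from Oracle): a small Python evaluator that parses filter rules in this format and reports the decision for a given connection. It assumes rules are checked in order with the first match winning, that a connection is allowed when no rule matches, and that target is compared with the connecting client's address; hostnames are not resolved, and all addresses and the allow-list rule are constructed.

```python
import ipaddress

PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}

def parse_rules(text):
    """Parse 'target localAddress localPort action protocols' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(parts) < 4:
            raise ValueError(f"too few fields: {line!r}")
        target, local_addr, local_port, action = parts[:4]
        protocols = {p.lower() for p in parts[4:]}
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {line!r}")
        if protocols - PROTOCOLS:
            raise ValueError(f"unknown protocol: {line!r}")
        rules.append((target, local_addr, local_port, action, protocols))
    return rules

def _addr_matches(pattern, addr):
    if pattern == "*":
        return True
    try:  # accepts a single IP or IP/netmask; hostnames are not resolved here
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False

def decide(rules, client, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for one connection (assumed: first match wins)."""
    for target, laddr, lport, action, protocols in rules:
        if (_addr_matches(target, client) and _addr_matches(laddr, local_addr)
                and lport in ("*", str(local_port))
                and (not protocols or protocol in protocols)):  # no list = any protocol (assumed)
            return action
    return "allow"  # assumed default when no rule matches

# The article's rule, then a constructed variant that admits a trusted subnet first.
PAGE_RULE = parse_rules("* * 7001 deny t3 t3s")
WITH_ALLOWLIST = parse_rules("""
# constructed example: cluster/admin subnet is allowed before the blanket deny
10.20.0.0/255.255.0.0 * 7001 allow t3 t3s
* * 7001 deny t3 t3s
""")

if __name__ == "__main__":
    for proto, port in [("t3", 7001), ("t3s", 7001), ("http", 7001), ("t3", 7002)]:
        print(proto, port, decide(PAGE_RULE, "203.0.113.9", "10.20.1.5", port, proto))
    print("trusted t3:", decide(WITH_ALLOWLIST, "10.20.3.7", "10.20.1.5", 7001, "t3"))
```

The `t3 7002` case comes back as allow: the article's rule names port 7001 only, so T3 reachable on any other listen port needs its own rule or '*' as localPort.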
