
Tenable Blog


CVE-2020-2883: Oracle WebLogic Deserialization Vulnerability Exploited in the Wild

Following initial reports that attackers were exploiting a vulnerability in Oracle WebLogic Server, researchers have shared more information about the flaw and its connection to CVE-2020-2555, just as a proof-of-concept has become available.

Background

On April 14, Oracle released its Critical Patch Update (CPU) for April 2020, a quarterly round-up of fixes across its product line that addressed hundreds of CVEs, including 51 patches in Oracle Fusion Middleware. On April 30, Oracle published a blog post strongly encouraging customers to apply these patches “without delay.” This was prompted by reports the vendor had received suggesting attackers were attempting to exploit “a number of recently patched” flaws, including a critical vulnerability in Oracle WebLogic Server.

Analysis

CVE-2020-2883 is a deserialization vulnerability in Oracle WebLogic Server, specifically in the Oracle Coherence library, an in-memory data grid solution that compresses/decompresses data (both serialized and unserialized) to provide fast access to frequently used data across a grid of assets. To exploit the flaw, a remote, unauthenticated attacker would need to send a specially crafted request to the T3 port on a vulnerable WebLogic server. Successful exploitation would result in the attacker gaining remote code execution.

Sivathmican Sivakumaran, a vulnerability researcher at the Zero Day Initiative (ZDI), published a blog post on May 11 that provides further details on the vulnerability.

CVE-2020-2883 is a bypass of CVE-2020-2555

In March 2020, Sivakumaran published a blog about CVE-2020-2555, another deserialization vulnerability in Oracle WebLogic Server, which was patched in Oracle’s CPU for January 2020. It was reported to Oracle by Jang Nguyen, a researcher at VNPT Information Security Center (ISC).

Nguyen has published “The Art of Deserialization Gadget Hunting,” a three-part series on the VNPT blog. On March 12, Nguyen reported in the third part of the blog series that CVE-2020-2555 was not completely fixed.

Source: VNPT ISC Blog (Translated)

Sivakumaran also noted this incomplete fix in his blog.

Source: ZDI Blog on CVE-2020-2883

Quynh Le of VNPT ISC reported the bypass through ZDI, though Nguyen is also credited with finding CVE-2020-2883 on Oracle’s April CPU page along with a few other researchers.

For full details about the vulnerability, including a full gadget chain along with exploitation video demos, please refer to Sivakumaran’s blog post.

Expanded attack surface: Oracle Business Intelligence

As previously noted, this vulnerability resides in the Coherence library. Coherence can be used in Web Application servers such as WebLogic, Glassfish, Hibernate and Spring, and is embedded in many other Enterprise Applications created using the Oracle Fusion Middleware/WebLogic Application suite. In addition to Java-based applications, it can also support C++ and .NET clients per its documentation.

Sivakumaran’s blog specifies that other applications would also be vulnerable if the Coherence library is “in its code path where there is a path to deserialization.” As an example, he cites Oracle Business Intelligence, due to the fact that it is “deployed on Oracle WebLogic.”

Sivakumaran also mentions pairing one of the gadget chains from his blog post to exploit a separate vulnerability, CVE-2020-2950, a deserialization vulnerability in Oracle Business Intelligence, which would also result in remote code execution.

CVE-2020-2883 exploited in the wild

Details about the in-the-wild exploitation of CVE-2020-2883 are understandably limited at this time. However, the availability of exploit code for CVE-2020-2555 and a similar gadget chain exploit path has provided attackers with enough information to exploit this flaw. Additionally, Oracle’s use of the phrase “without delay” in its blog post underscores the importance of patching this flaw as soon as possible.

Proof of concept

Security researcher “Y4er” published a PoC to a GitHub repository on May 10 for CVE-2020-2883. The researcher previously published a PoC framework for CVE-2020-2555 on March 8. The instructions for CVE-2020-2883 include cloning the CVE-2020-2555 framework as the first step before utilizing the CVE-2020-2883 PoC.

Tenable Research engineers have confirmed exploitation of this remote code execution vulnerability on an Oracle WebLogic Server version 12.2.1.4 Linux asset within the Tenable Research labs. We have not yet confirmed exploitation on a Windows asset.

In the GIF above, we show the exploit successfully executed on the left side of the screen, with the remote asset querying the attacker's web server for the “TenableResearch_CVE-2020-2883_PoC” file.

Using a slightly different attack, we are able to create a reverse shell to the attacker’s PowerShell terminal, as shown in the GIF below.

Solution

Oracle released patches for CVE-2020-2883 and CVE-2020-2950 as part of the Oracle CPU for April 2020. The following versions of WebLogic Server are affected:

Oracle WebLogic Server Affected Versions
10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0

We strongly recommend applying those patches as soon as possible. Oracle also published security guidance to restrict the Oracle WebLogic Server T3/T3S protocol traffic if patching is not an option or to further secure a patched version.
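Because exploitation requires reaching the T3 listener and Oracle's interim guidance is to restrict T3/T3S traffic, a defender will want to know when T3 connections arrive from hosts that should never speak the protocol. The following is an added example, not code from Tenable or Oracle: it assumes the standard WebLogic T3 client hello format (a line of the form `t3 <version>` followed by `AS:`, `HL:` and optional `MS:` headers and a blank line, which is protocol knowledge, not something this post documents) and runs a source allowlist check over constructed connection events.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed WebLogic T3 client hello layout (protocol knowledge, not from this
# advisory): "t3 <version>\nAS:<n>\nHL:<n>\n[MS:<n>\n]\n". T3S is TLS-wrapped,
# so the same check only applies after TLS termination/decryption.
T3_HELLO = re.compile(rb"^t3 (\d+(?:\.\d+)*)\nAS:\d+\nHL:\d+\n(?:MS:\d+\n)?\n")


def parse_t3_hello(first_bytes: bytes):
    """Return the client-advertised T3 version, or None if this is not a T3 hello."""
    m = T3_HELLO.match(first_bytes)
    return m.group(1).decode("ascii") if m else None


def unexpected_t3(events, allowed_sources):
    """Flag T3 handshakes from sources outside the allowlist.

    events: iterable of (src_ip, dst_port, first_bytes_of_payload)
    allowed_sources: CIDR strings for hosts permitted to use T3 (e.g. admin jump hosts)
    Returns a list of (src_ip, dst_port, t3_version) for every hit.
    """
    nets = [ip_network(n) for n in allowed_sources]
    hits = []
    for src, dport, data in events:
        version = parse_t3_hello(data)
        if version is None:
            continue  # plain HTTP or other traffic on the listener; not T3
        if not any(ip_address(src) in net for net in nets):
            hits.append((src, dport, version))
    return hits


# Constructed sample events: an internal client, two external T3 hellos on the
# default WebLogic listen port, and an ordinary HTTP request to the same port.
SAMPLE_EVENTS = [
    ("10.0.5.12", 7001, b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),
    ("203.0.113.45", 7001, b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),
    ("203.0.113.45", 7001, b"GET /console HTTP/1.1\r\nHost: weblogic\r\n\r\n"),
    ("198.51.100.7", 7001, b"t3 9.2.0\nAS:255\nHL:19\n\n"),
]

if __name__ == "__main__":
    for src, dport, version in unexpected_t3(SAMPLE_EVENTS, ["10.0.0.0/8"]):
        print(f"T3 hello (client version {version}) from non-allowlisted {src} to port {dport}")
```

Feeding this the first bytes of each new connection to the WebLogic listener (from a packet capture or a proxy log) turns Oracle's "restrict T3" advice into a check that also reveals where an existing network filter is not actually enforced.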

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
