Overview
Oracle WebLogic Server contains a critical remote code execution vulnerability in its IIOP (Internet Inter-ORB Protocol) implementation that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability exists in the deserialization of untrusted data received over the network, affecting multiple versions of WebLogic Server across different product lines. The vulnerability was disclosed on January 15, 2020. CISA has identified CVE-2020-2551 as being exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Oracle WebLogic Server is vulnerable to remote code execution through its IIOP (Internet Inter-ORB Protocol) implementation. The vulnerability stems from improper validation and deserialization of serialized Java objects received over IIOP connections. An attacker can craft a malicious serialized object that, when deserialized by the server, executes arbitrary code with the privileges of the WebLogic process. The IIOP protocol is enabled by default on WebLogic instances, making the vulnerability exploitable over the network without authentication.
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its critical nature.
Impact
An unauthenticated remote attacker can execute arbitrary code on the affected WebLogic server with the same privileges as the WebLogic process. This can lead to complete system compromise, including data theft, malware installation, lateral movement within the network, denial of service, and use of the compromised server as a pivot point for further attacks. The vulnerability has been widely exploited in the wild and is a critical security issue for any organization running affected WebLogic versions.
Mitigation and workarounds
Oracle released a Critical Patch Update (CPU) on January 14, 2020. Apply the appropriate patch bundle for your WebLogic version. Download it from My Oracle Support (MOS) as patch number 30660046 or through the WebLogic Patch Advisor. The following versions include the necessary fixes: WebLogic Server 10.3.6.0.200121, WebLogic Server 12.1.3.0.200121, WebLogic Server 12.2.1.3.200121, WebLogic Server 12.2.1.4.200121.
As temporary workarounds:
Disable the IIOP protocol if your environment does not require it: set the IIOP listen port to null, or configure network firewall rules to restrict access to the IIOP ports (default ports 7001 and 7002) to trusted sources only.
Implement network-level access controls to restrict connections to the IIOP ports; use firewalls or network segmentation so that only trusted internal networks can reach the IIOP protocol.
Implement Java deserialization filters using WebLogic's deserialization filter capabilities (available in later versions or via patches); configure the filters to whitelist safe classes and block dangerous gadget-chain classes.
Remove unnecessary libraries from the WebLogic classpath that could be used for gadget chains (for example, commons-collections if your applications do not require it).
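As an added illustration of the allowlist-style deserialization filter described among the workarounds above (example code written for this page, not Oracle's code and not WebLogic's own filter configuration), the following standalone program uses the JDK's JEP 290 ObjectInputFilter API, which requires Java 9 or newer. The allowlist, the denied package prefixes and the sample objects are constructed for the example; an allowlisted ArrayList is accepted, while a HashMap that is not on the allowlist is refused before any of its contents are instantiated.

```java
import java.io.*;
import java.util.*;

public class DeserializationAllowlistDemo {
    // Constructed sample allowlist: only classes the application legitimately exchanges.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.util.ArrayList");
    // Package prefixes of known gadget-chain classes; commons-collections is the library
    // named in the advisory. Illustrative, not exhaustive.
    static final List<String> DENIED_PREFIXES = List.of(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.");

    // JEP 290 filter: deny known gadget packages, allow only listed classes, and cap nesting
    // depth so deeply nested payloads are refused before any of their objects are built.
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 10) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // back-reference, no class
        String name = c.isArray() ? c.getComponentType().getName() : c.getName();
        for (String p : DENIED_PREFIXES) {
            if (name.startsWith(p)) return ObjectInputFilter.Status.REJECTED;
        }
        return ALLOWED.contains(name) ? ObjectInputFilter.Status.ALLOWED
                                      : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or null when the filter rejected the stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // must be set before readObject()
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            System.err.println("rejected: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowlisted ArrayList: " + readFiltered(serialize(ok)));
        Map<String, String> unlisted = new HashMap<>(Map.of("k", "v")); // not allowlisted
        System.out.println("unlisted HashMap: " + readFiltered(serialize(unlisted)));
    }
}
```

A production allowlist is derived from the classes the deployed applications actually serialize, and the rejection message should be logged so that blocked payloads show up in monitoring.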
CISA recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated by AI