
Example Analysis of WebLogic remote Code execution vulnerability CVE-2020-14645

2025-01-20 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through an example analysis of the WebLogic remote code execution vulnerability CVE-2020-14645: what it is, how widely it is exposed, how to check your own assets, and how to mitigate it.

Vulnerability overview:

Oracle has released a WebLogic security update that fixes a serious vulnerability (CVE-2020-14645) with a CVSS score of 9.8. It is reachable through the T3 and IIOP protocols and allows an attacker to achieve remote code execution and take control of the server. Because the exploit complexity is low and the risk is high, it is recommended to patch as soon as possible.

Discovery process:

While testing historical WebLogic vulnerabilities, Tencent Blue Army (Tencent Force) found that the earlier patch was incomplete and that the fix could be bypassed via the Oracle Coherence component.

Impact:

Affected version: Oracle WebLogic Server 12.2.1.4

Exploitation condition: the T3/IIOP protocols, which are open by default, are reachable by the attacker.

Scale of impact: a quick search on Zhi Chuangyu ZoomEye shows more than 100000 WebLogic services exposed on the public Internet (about 1/5 of them in China), some of which have not disabled the T3 protocol. ZoomEye's cyberspace search capability lets us quickly make an initial assessment of the magnitude of impact.

Self-examination method:

WebLogic is a Java application server produced by Oracle for developing, integrating, deploying and managing large-scale distributed Web applications, network applications and database applications. The T3/IIOP protocols and the HTTP protocol share (multiplex) port 7001, and all of them are enabled by default.

We can check whether our assets expose the T3 protocol, and read the WebLogic version, with Nmap and its weblogic-t3-info script (replace the IP address and port with your own target):

    nmap -n -v -Pn -sV <IP address> -p <port> --script=/usr/share/nmap/scripts/weblogic-t3-info.nse

Example output for a host with T3 enabled on port 7001:

    PORT     STATE SERVICE
    7001/tcp open  afs3-callback
    |_weblogic-t3-info: T3 protocol in use (WebLogic version: 12.2.1.4)
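The same self-check can be scripted without Nmap. The following Python probe is an added example (not code from the article or from Tencent/Oracle): it sends the plain T3 greeting that WebLogic answers with a "HELO:<version>" banner, parses the advertised version, and flags the affected release named above; the host, port and the constructed sample replies used in the comments are assumptions.

```python
import re
import socket
from typing import Optional

# Greeting that a WebLogic T3 listener answers with its own "HELO:" banner.
# Assumption: the port speaks plain T3 (not TLS-wrapped t3s).
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# e.g. b"HELO:12.2.1.4.false\nAS:2048\nHL:19\n\n" -> version "12.2.1.4"
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)*)\.(true|false)")

# Release the article lists as affected by CVE-2020-14645.
AFFECTED_VERSIONS = ("12.2.1.4",)


def parse_t3_response(data: bytes) -> Optional[str]:
    """Return the WebLogic version from a T3 HELO reply, or None.

    Anything other than a HELO banner (an HTTP error, an empty reply after
    a connection filter dropped us) means T3 is not served on that port.
    """
    m = HELO_RE.match(data)
    return m.group(1).decode() if m else None


def is_affected(version: Optional[str]) -> bool:
    """True when the advertised version matches an affected release."""
    return version is not None and any(version.startswith(v) for v in AFFECTED_VERSIONS)


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> Optional[str]:
    """Send the T3 greeting and return the version if the port speaks T3."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            reply = s.recv(1024)
    except OSError:
        return None  # closed port, timeout or filtered connection
    return parse_t3_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed host
    ver = probe_t3(target)
    state = "affected" if is_affected(ver) else "not flagged"
    print(f"{target}: T3 {'enabled, version ' + ver if ver else 'not detected'} ({state})")
```

A host that restricts T3 via a connection filter or firewall should produce no HELO banner at all, which is the result you want to see after applying the mitigations below.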

Whether the IIOP protocol is enabled, together with the WebLogic version, can be checked in the WebLogic administration console:

Vulnerability exploitation:

Mitigation:

1. Install the official patch.

https://www.oracle.com/security-alerts/cpujul2020.html

2. Restrict T3 access sources

The vulnerability is caused by the T3 protocol enabled by WebLogic by default, so attacks can be prevented by restricting T3 access sources.

3. Disable IIOP protocol

The official documentation below describes how to disable the IIOP protocol.

https://docs.oracle.com/middleware/1213/wls/WLACH/taskhelp/channels/EnableAndConfigureIIOP.html

Risk summary:

For deserialization leading to arbitrary code execution over the WebLogic T3/IIOP protocols, Oracle has so far relied on a blacklist, which can only defend against known deserialization gadget chains, while new chains are continually discovered and the blacklist is repeatedly bypassed. It is therefore strongly recommended to restrict T3 access sources and disable the IIOP protocol to reduce the attack surface.

At present, Tencent's traffic, hosts, scanners and other security systems have the ability to detect and protect.

This concludes the example analysis of the WebLogic remote code execution vulnerability CVE-2020-14645. We hope the above content is helpful; if you found the article useful, feel free to share it.
