Guide to fixing Oracle Weblogic Server Java deserialization vulnerabilities (CVE-2018-2628)

2025-04-06 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

WebLogic deserialization vulnerability (CVE-2018-2628) Security Alert

TAG

Oracle WebLogic, CVE-2018-2628, deserialization

Level of concern

Red: the vulnerability is easy to exploit, gives the attacker direct control of the system, and may be exploited by attackers.

Release date

2018-4-18

Version

V1.0

1. Vulnerability overview

In the early hours of April 18 (Beijing time), Oracle released its April Critical Patch Update (CPU), which includes a high-risk remote code execution vulnerability in WebLogic Server (CVE-2018-2628): an unauthenticated attacker who can reach the server's T3 listener can execute arbitrary code on it.

CVSS 3.0 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

2. Affected versions

- WebLogic 10.3.6.0

- WebLogic 12.1.3.0

- WebLogic 12.2.1.2

- WebLogic 12.2.1.3

These are all of the officially supported release lines.

3. Mitigation

If WebLogic applications are reached only through an Nginx or Apache reverse proxy, the proxy forwards HTTP alone and T3 cannot be reached through it, so the vulnerability cannot be exploited directly. This holds only if the WebLogic listen ports themselves are not reachable by untrusted clients; a proxy in front of a port that is also open directly gives no protection.

3.1 Patching

Oracle fixed this vulnerability in the April Critical Patch Update. Advisory:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

For how to apply the patch with OPatch, see:

https://docs.oracle.com/middleware/12213/lcm/OPATC/GUID-56D6728D-5EDC-482B-B2E4-DDB20A64FA32.htm#OPATC143

Applying the corresponding WebLogic patch fixes the vulnerability.

3.2 Recommended interim measure: block T3 with a connection filter (blacklist)

Until the patch is applied, attacks on this vulnerability can be blocked by controlling access to the T3 protocol. WebLogic Server ships a rule-based connection filter, weblogic.security.net.ConnectionFilterImpl, which accepts every incoming connection unless a rule rejects it; with it you can restrict which addresses may speak T3 and T3S to the server. The steps are:

1. In the WebLogic console, open the configuration page of the domain (base_domain), go to the Security tab and click Filter to reach the connection filter settings.

2. Enter weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and the rules in the Connection Filter Rules field. For the example server the rules are:

127.0.0.1 * 7001 allow

192.168.1.100 * 7001 allow

* * 7001 deny t3 t3s

* * 8080 deny t3 t3s

Description:

These rules allow only the server itself and the other servers of the cluster to connect over T3, and deny T3 and T3S connections from any other address to the listed ports. Connections that match no rule are still accepted, which is why plain HTTP traffic to 7001 and 8080 keeps working.

In the example, 7001 is the console (AdminServer) port, 192.168.1.100 is the server's own IP address, and 8080 is the application port. If the servers of the cluster talk to each other through the console port, add an allow rule for each of their IP addresses. Add a deny rule for every other port the server listens on (for instance the SSL port, 7002 by default, if it is enabled): a port without a rule still accepts T3. Remember that WLST and weblogic.Deployer connect over t3:// as well, so administrators' workstations need allow rules too.

A wrong rule can prevent the server from starting. If that happens, edit the domain's config/config.xml, remove or correct the connection filter entries there, and start the server again.

3. Save the rules and activate the changes.

A connection filter rule has the form: target localAddress localPort action protocols, where:

- target specifies one or more remote hosts to filter.

- localAddress is the local address on which the server receives the connection (an asterisk (*) matches all local IP addresses).

- localPort is the port on which the server is listening (an asterisk matches all ports the server listens on).

- action must be "allow" or "deny".

- protocols is a list of protocol names to match; each must be one of http, https, t3, t3s, giop, giops, dcom or ftp. If no protocol is given, the rule matches all protocols.

Rules are evaluated in order and the first matching rule decides, so the allow rules for trusted addresses must come before the catch-all deny rules.

4. Restart the server. For example, on a single-server Linux installation:

Single:/home/oracle@db > ps -ef | grep weblogic
root      5038  5012  0 10:00 pts/2    00:00:00 su - weblogic
weblogic  5039  5038  0 10:00 pts/2    00:00:00 -bash
weblogic  5623  5039  0 10:41 pts/2    00:00:00 /bin/sh ./startWebLogic.sh
weblogic  5624  5623  0 10:41 pts/2    00:00:00 /bin/sh /weblogic/Oracle/Middleware/user_projects/domains/weblogic/bin/startWebLogic.sh
weblogic  5674  5624 99 10:42 pts/2    00:00:31 /usr/java/jdk1.8.0_20/bin/java -server -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dweblogic.Name=AdminServer -Djava.security.policy=/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -da -Dplatform.home=/weblogic/Oracle/Middleware/wlserver_10.3 -Dwls.home=/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.home=/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/weblogic/Oracle/Middleware/patch_wls1036/profiles/default/sysext_manifest_classpath:/weblogic/Oracle/Middleware/patch_ocp371/profiles/default/sysext_manifest_classpath -Dweblogic.management.username=weblogic -Dweblogic.management.password=weblogic_123 weblogic.Server
root      5716  4743  0 10:42 pts/1    00:00:00 grep weblogic
Single:/home/oracle@db > kill -9 5674
Single:/home/oracle@db > su - weblogic
Single:/weblogic/Oracle/Middleware/user_projects/domains/weblogic@weblogic > nohup ./startWebLogic.sh &
[1] 5835
Single:/weblogic/Oracle/Middleware/user_projects/domains/weblogic@weblogic > nohup: ignoring input and appending output to `nohup.out'
Single:/weblogic/Oracle/Middleware/user_projects/domains/weblogic@weblogic >

Two things to note from the listing above. The management user name and password were passed on the java command line (-Dweblogic.management.username and -Dweblogic.management.password), so any local user can read them with ps; put them in the server's security/boot.properties file instead. And kill -9 is a last resort; the domain's bin/stopWebLogic.sh shuts the server down cleanly. Blocking T3 this way is a mitigation, not a fix: apply the patch from 3.1 as well.
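Before pasting a rule set into the console, where a mistake can keep the server from starting, it is worth checking it offline. The following Python checker is an added example for this advisory, not Oracle code and not part of the original page. It applies the rule grammar above (target localAddress localPort action protocols), first-match semantics, and the accept-by-default behaviour of ConnectionFilterImpl to the advisory's own rules and to a deliberately misordered copy. Assumptions: targets are compared as literal IP strings (the real filter also accepts host names, which are not resolved here), and protocol names are compared case-insensitively.

```python
"""Offline checker for WebLogic connection-filter rule sets.

Added example for this advisory; not Oracle code. It models the documented rule
grammar, first-match evaluation and the accept-when-nothing-matches default of
weblogic.security.net.ConnectionFilterImpl.
"""

KNOWN_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}


def parse_rule(line):
    """Split one rule line into its fields, rejecting anything the filter would not accept."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("rule needs target, localAddress, localPort and action: %r" % line)
    target, local_addr, local_port, action = fields[:4]
    protocols = {p.lower() for p in fields[4:]}
    if action not in ("allow", "deny"):
        raise ValueError("action must be allow or deny: %r" % line)
    if local_port != "*" and not local_port.isdigit():
        raise ValueError("localPort must be * or a port number: %r" % line)
    unknown = protocols - KNOWN_PROTOCOLS
    if unknown:
        raise ValueError("unknown protocol(s) %s: %r" % (sorted(unknown), line))
    return {"target": target, "local_addr": local_addr, "local_port": local_port,
            "action": action, "protocols": protocols}


def load_rules(text):
    """Parse a rule set, one rule per line, ignoring blank lines."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Decide a connection the way ConnectionFilterImpl does: the first rule whose
    target, local address, local port and protocol all match wins; no match means accept.
    Targets are matched as literal IP strings here (assumption of this example)."""
    protocol = protocol.lower()
    for rule in rules:
        if rule["target"] != "*" and rule["target"] != remote_ip:
            continue
        if rule["local_addr"] != "*" and rule["local_addr"] != local_addr:
            continue
        if rule["local_port"] != "*" and int(rule["local_port"]) != local_port:
            continue
        if rule["protocols"] and protocol not in rule["protocols"]:
            continue
        return rule["action"]
    return "allow"


# The rule set from section 3.2 (server IP and ports as given there).
ADVISORY_RULES = """
127.0.0.1 * 7001 allow
192.168.1.100 * 7001 allow
* * 7001 deny t3 t3s
* * 8080 deny t3 t3s
"""

# Same idea with the catch-all deny placed first: the cluster member is locked out,
# because the first matching rule decides.
MISORDERED_RULES = """
* * 7001 deny t3 t3s
192.168.1.100 * 7001 allow
"""


def check_exposure(rule_text, local_addr="192.168.1.100"):
    """Run a few representative connections through a rule set and return the verdicts.
    203.0.113.7 stands in for an Internet client (documentation address)."""
    rules = load_rules(rule_text)
    cases = {
        "cluster member t3 on 7001": ("192.168.1.100", 7001, "t3"),
        "internet client t3 on 7001": ("203.0.113.7", 7001, "t3"),
        "internet client http on 7001": ("203.0.113.7", 7001, "http"),
        "internet client t3s on 7002": ("203.0.113.7", 7002, "t3s"),
    }
    return {name: evaluate(rules, ip, local_addr, port, proto)
            for name, (ip, port, proto) in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_exposure(ADVISORY_RULES).items():
        print("%-32s %s" % (name, verdict))
    print("misordered rules, cluster member: %s" % evaluate(
        load_rules(MISORDERED_RULES), "192.168.1.100", "192.168.1.100", 7001, "t3"))
```

The fourth case is the one to look at: with the advisory's rules as written, t3s on 7002 is still accepted, so if the SSL listen port is enabled it needs its own "* * 7002 deny t3 t3s" line. The misordered set shows why the allow rules have to come first.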

4. Checking whether you are affected

4.1 Version check

Run the following from the server/lib directory of your WebLogic installation (the path below is from an example install; substitute your own WL_HOME) to print the WebLogic version:

$ cd /opt/bea92sp2/weblogic92/server/lib

$ java -cp weblogic.jar weblogic.version

The vulnerability affects every WebLogic release line Oracle currently supports. Enterprises running WebLogic should also check whether its listen ports (7001 and 7002 by default) are reachable from the Internet: if the T3 service can be reached remotely, the server is at risk and should be hardened without delay.
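Checking that a port is open is not the same as checking that it speaks T3, which is what matters here. The script below is an added example for this section, not Oracle code and not from the original page: it sends WebLogic's own T3 client greeting and parses the HELO reply (the same exchange scanners such as nmap's weblogic-t3-info script use). A HELO answer means T3 is reachable from where you run the probe; an empty reply after a connection filter is in place means the deny rule is working. The host and port in the main block are placeholders. The version in the reply identifies the release line only: a patched 12.2.1.3 answers exactly like an unpatched one, so the probe shows exposure, not vulnerability.

```python
"""Probe a WebLogic listen port for T3 and read the version it advertises.

Added example for this advisory; not Oracle code. T3_GREETING is the client side of
WebLogic's T3 handshake; the server answers with a "HELO:<version>.<flag>" line.
"""
import socket
import sys

# Requested protocol version, abbreviation table size, header length, max message size.
T3_GREETING = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Release lines listed as affected in section 2 of the advisory.
AFFECTED_PREFIXES = ("10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3")


def parse_t3_hello(data):
    """Parse a server reply such as b'HELO:12.2.1.3.0.false\\nAS:2048\\nHL:19\\n\\n'.
    Returns {'version': '12.2.1.3.0', 'flag': 'false'} for a T3 greeting, or None when the
    reply is not one (empty because a filter closed the socket, an HTTP error, garbage)."""
    if not data:
        return None
    text = data.decode("ascii", "replace")
    for line in text.split("\n"):
        if line.startswith("HELO:"):
            body = line[len("HELO:"):].strip()
            version, _, flag = body.rpartition(".")  # trailing token is a boolean WebLogic appends
            if not version:
                return None
            return {"version": version, "flag": flag}
    return None


def is_affected_version(version):
    """True when the advertised version belongs to one of the affected release lines."""
    return version.startswith(AFFECTED_PREFIXES)


def probe_t3(host, port, timeout=5.0):
    """Connect, send the greeting and parse whatever comes back.
    Returns the parsed HELO, or None when the port does not answer T3 (closed, filtered,
    or a listener that only speaks HTTP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_GREETING)
            data = sock.recv(1024)
    except OSError:
        return None
    return parse_t3_hello(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"  # placeholder target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    hello = probe_t3(host, port)
    if hello is None:
        print("%s:%d does not answer T3 (closed, filtered, or HTTP only)" % (host, port))
    else:
        verdict = "affected release line" if is_affected_version(hello["version"]) \
            else "not in the affected list"
        print("%s:%d speaks T3, version %s (%s)" % (host, port, hello["version"], verdict))
```

Run it once from the server itself (expect a HELO) and once from an untrusted network after the connection filter is active (expect no answer); the second run is the real test of the rules in 3.2.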

4.2 Checking for exploitation attempts

When a deserialization payload sent over T3 is rejected, WebLogic raises a class conversion exception (java.lang.ClassCastException) and writes it to AdminServer.log, so inspecting that file shows whether the server has been targeted. Treat such an entry as evidence of an attempt; its absence does not prove that no payload ever succeeded.

The location of AdminServer.log is:

\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\logs\AdminServer.log

(On Linux the same file is under the domain directory: $DOMAIN_HOME/servers/AdminServer/logs/AdminServer.log.)
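Grepping for ClassCastException works, but WebLogic records span several lines (the stack trace follows the "####<...>" header line), so a small parser gives a cleaner answer. The script below is an added example for this section, not Oracle code and not from the original page. The log records in SAMPLE_LOG are constructed for the example in WebLogic's record format (the host, thread names and the truncated exception text are made up); it keys on the exception name and on the RJVM class that deserializes incoming T3 messages.

```python
"""Scan AdminServer.log for the ClassCastException records left by T3 deserialization attempts.

Added example for this advisory; not Oracle code. A WebLogic record starts with
"####<timestamp> <severity> <subsystem> <machine> <server> <thread> <user> <txn> <ctx>
<raw time> <message id> <message>"; continuation lines (stack traces) carry no "####".
"""
import sys

RECORD_START = "####<"

# What a rejected T3 deserialization payload leaves in the record.
INDICATORS = ("java.lang.ClassCastException", "weblogic.rjvm.InboundMsgAbbrev")

# Constructed sample records for this example (not real log output).
SAMPLE_LOG = """\
####<Apr 18, 2018 10:41:55 AM CST> <Notice> <WebLogicServer> <wls01> <AdminServer> <main> <<WLS Kernel>> <> <> <1524019315000> <BEA-000360> <The server started in RUNNING mode.>
####<Apr 18, 2018 10:42:13 AM CST> <Error> <RJVM> <wls01> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1524019333000> <BEA-000503> <Incoming message header or abbreviation processing failed. java.lang.ClassCastException: cannot assign instance of java.lang.String to field ...>
\tat weblogic.rjvm.InboundMsgAbbrev.readObject(InboundMsgAbbrev.java:...)
\tat weblogic.rjvm.MsgAbbrevInputStream.readObject(MsgAbbrevInputStream.java:...)
####<Apr 18, 2018 10:42:30 AM CST> <Info> <Deployer> <wls01> <AdminServer> <main> <<WLS Kernel>> <> <> <1524019350000> <BEA-149059> <Module app.war of application app is transitioning from STATE_ADMIN to STATE_ACTIVE on server AdminServer.>
####<Apr 18, 2018 10:43:02 AM CST> <Error> <RJVM> <wls01> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1524019382000> <BEA-000503> <Incoming message header or abbreviation processing failed. java.lang.ClassCastException: cannot assign instance of ...>
"""


def iter_records(text):
    """Group lines into records: a line starting with #### opens one, other lines continue it."""
    record = []
    for line in text.splitlines():
        if line.startswith(RECORD_START):
            if record:
                yield "\n".join(record)
            record = [line]
        elif record:
            record.append(line)
    if record:
        yield "\n".join(record)


def parse_record(record):
    """Pull timestamp, severity, subsystem and message (with its stack trace) out of a record."""
    first, _, rest = record.partition("\n")
    body = first[len(RECORD_START):]
    if body.endswith(">"):
        body = body[:-1]
    fields = body.split("> <")
    return {
        "timestamp": fields[0],
        "severity": fields[1],
        "subsystem": fields[2],
        "message": fields[-1] + ("\n" + rest if rest else ""),
    }


def scan_log(text):
    """Return the parsed records that carry a deserialization indicator, in log order."""
    return [rec for rec in map(parse_record, iter_records(text))
            if any(ind in rec["message"] for ind in INDICATORS)]


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan_log(source)
    for rec in hits:
        print("%s  %s/%s  %s" % (rec["timestamp"], rec["severity"], rec["subsystem"],
                                  rec["message"].splitlines()[0][:100]))
    print("%d suspicious record(s)" % len(hits))
```

Point the script at the real AdminServer.log (python scan.py /path/to/AdminServer.log); each hit is a timestamp to correlate with the source address in the access log or the firewall, since the RJVM record itself does not name the peer.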
