Customer Alert – 5/12/2020

Security researchers publish new details showing how to bypass Oracle WebLogic patch. Waratek customers are protected by default rule.

Security researchers have published additional details about CVE-2020-2883, a WebLogic deserialization flaw that allows attackers to bypass the previous vendor patch for CVE-2020-2555.

Background

CVE-2020-2883 is a deserialization patch in Oracle’s April 2020 Critical Patch Update that affects the Oracle WebLogic server. A new proof of concept exploit was released on GitHub recently and is actively being used to attack WebLogic servers in the wild according to Oracle. New technical details of the vulnerability and how the exploit works have been published by the Zero Day Initiative.

Discussion

CVE-2020-2883 is a critical deserialization flaw in WebLogic that allows attackers to bypass the patch for CVE-2020-2555. According to ZDI, the original patch for CVE-2020-2555 did not address the lower portion of the following gadget chain:

Any ability to invoke ChainedExtractor.extract() will still result in remote code execution. The report from researcher Quynh Le shows that it is still possible to reach ChainedExtractor.extract() via the ExtractorComparator and AbstractExtractor classes.

ZDI has published a video that shows how to exploit the CVE-2020-2883 remote code execution flaw in WebLogic.

Using maliciously-crafted serialized gadget chains, unauthenticated attackers can execute arbitrary code (Remote Code Execution – RCE) in the context of the affected application. Successful attacks can allow attackers to completely compromise the system, including deploying ransomware. Failed attacks could also result in Denial-of-Service conditions. Because of the simplicity of the attack as well as its impact, the vulnerability ranks 9.8 out of 10 on the CVSSv3 scale.

More specifically, the CVE-2020-2883 flaw is caused by the way the proprietary T3 protocol handles deserialized data streams. The flaw exists in the core component of WebLogic as well as within the Oracle Coherence library. Authentication is not required to exploit this vulnerability.

Products Affected

  • WebLogic 10.3.6.0.0
  • WebLogic 12.1.3.0.0
  • WebLogic 12.2.1.3.0
  • WebLogic 12.2.1.4.0
  • Java Cloud Service (all versions)


Action Steps

Waratek Secure and Waratek Upgrade customers are already protected by the deserial/marshal rule that is standard protection in the Waratek application security platform. Waratek’s process forking rule, available in Waratek Patch, Secure and Upgrade also mitigates the attacks. Waratek Secure rules provide protection against known and zero-day attacks with zero configuration and no source code changes. Waratek’s out-of-the-box zero-day protection not only protects the Oracle WebLogic versions that are patched by the Oracle April CPU but also protects legacy, end-of-life WebLogic releases.

Non-Waratek customers are advised to:

  1. Apply the April 2020 CPU as soon as possible
  2. Configure the JEP-290 global serialization blacklist with known dangerous gadgets
  3. Apply standard security hardening steps to restrict access via the T3 protocol, such as restricting the traffic and ports that must be allowed
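As an added illustration of step 2 (this is not Waratek's or Oracle's code), the following Java program builds a JEP-290 deserialization filter that rejects the Coherence packages hosting the gadget classes named above and demonstrates it on a constructed stand-in class. It assumes the Java 9+ `java.io.ObjectInputFilter` API; the `com.tangosol.util.extractor` and `com.tangosol.util.comparator` package names are an assumption drawn from the class names in the advisory, and the `Suspicious`/`Harmless` classes are constructed so the demo runs without a WebLogic installation.

```java
import java.io.*;

public class SerialFilterDemo {

    // Reject the Coherence packages that host ChainedExtractor, AbstractExtractor
    // and ExtractorComparator (package names assumed), reject the constructed
    // stand-in class, and cap stream size/depth. The same pattern string can be
    // passed to the JVM as -Djdk.serialFilter=... to apply it process-wide
    // instead of per-stream, which is what the "global blacklist" step refers to.
    static final String FILTER_PATTERN =
        "!com.tangosol.util.extractor.**;"
      + "!com.tangosol.util.comparator.**;"
      + "!SerialFilterDemo$Suspicious;"
      + "maxdepth=20;maxrefs=1000;maxbytes=65536";

    // Constructed stand-in for a blacklisted gadget class (does nothing harmful).
    static class Suspicious implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "constructed";
    }

    // Constructed benign class that the filter should let through.
    static class Harmless implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "ok";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns true if the stream deserialized, false if the filter rejected it.
    static boolean deserializeWithFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return true;
        } catch (InvalidClassException e) { // thrown when the filter returns REJECTED
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Harmless accepted:   " + deserializeWithFilter(serialize(new Harmless())));
        System.out.println("Suspicious accepted: " + deserializeWithFilter(serialize(new Suspicious())));
    }
}
```

On Java 8u121 and later the equivalent API lives in `sun.misc.ObjectInputFilter`; the `-Djdk.serialFilter` property works on both.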

Java Cloud Service users should also apply the relevant JCS patch.

Oracle, in a blog post, urges customers to avoid delays and fast-track the deployment of the April CPU in order to patch the critical flaw in WebLogic Server.

For more information about how Waratek protects against CVE-2020-2883 without downtime, source code or configuration changes or blacklists, please contact your Waratek representative or schedule a demonstration.


About Waratek


Some of the world’s leading companies use Waratek’s ARMR Security Platform to patch, secure and upgrade their mission critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for security teams to instantly detect and remediate known vulnerabilities with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.


Waratek is the Cybersecurity Breakthrough Award’s 2019 Overall Web Security Solution of the Year, is a previous winner of the RSA Innovation Sandbox Award, and more than a dozen other awards and recognitions. For more information, visit www.waratek.com.


Author: Apostolos Giannakidis

Apostolos drives the research and the design of the security features of Waratek’s RASP container. Before starting his journey in Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than 10 years of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham. Apostolos is acknowledged by Oracle for submitting two Java Deserialization vulnerabilities that were fixed in the Oracle January 2018 CPU and is featured on Google’s Vulnerability Reward Program Hall of Fame.
