Customer Alert – 5/5/2020

Posted May 5, 2020, updated May 12, 2020 | Alerts, News

Oracle WebLogic CVE-2020-2883 RCE vulnerability is being remotely exploited: other risks exist that require urgent action. Waratek customers are protected by a default rule.

On April 14, 2020, Oracle released its quarterly Critical Patch Update (CPU), which includes 397 patches across Oracle’s product suite. 51 of the 397 patches are security fixes for Oracle Fusion Middleware, and eight of these are fixes for critical deserialization vulnerabilities.

Background

CVE-2020-2883 is one of the deserialization patches that affects Oracle WebLogic Server and is included in Oracle’s April 2020 Critical Patch Update. At the time of release there was no public exploit for CVE-2020-2883. However, shortly after the April 2020 Critical Patch Update was published, proof-of-concept exploit code appeared on GitHub. According to Oracle, this exploit is actively being used to attack WebLogic servers in the wild.

Oracle, in a blog post, is now urging customers to avoid delays and fast-track the deployment of the April CPU in order to patch the critical flaw in WebLogic Server.

Discussion

CVE-2020-2883 is a critical deserialization flaw in WebLogic. Using maliciously-crafted serialized gadget chains, unauthenticated attackers can execute arbitrary code (Remote Code Execution – RCE) in the context of the affected application. Successful attacks can allow attackers to completely compromise the system, including deploying ransomware. Failed attacks could also result in Denial-of-Service conditions. Because of the simplicity of the attack as well as its impact, the vulnerability ranks 9.8 out of 10 on the CVSSv3 scale.

More specifically, CVE-2020-2883 is caused by the way the proprietary T3 protocol deserializes incoming data streams. The flaw exists in the core component of WebLogic as well as within the Oracle Coherence library. Authentication is not required to exploit this vulnerability.

The CVE-2020-2883 flaw in Fusion Middleware is being actively exploited in the wild because a public exploit was released. However, seven (7) more deserialization vulnerabilities, and 13 critical vulnerabilities overall, exist in the same product suite, including the infamous four-year-old CVE-2016-1000031, and these pose serious risks as well.

Products Affected

  • WebLogic 10.3.6.0.0
  • WebLogic 12.1.3.0.0
  • WebLogic 12.2.1.3.0
  • WebLogic 12.2.1.4.0
  • Java Cloud Service (all versions)

Action Steps

Waratek Secure and Waratek Upgrade customers are already protected by the deserial/marshal rule that is standard protection in the Waratek application security platform. Waratek’s process forking rule, available in Waratek Patch, Secure and Upgrade, also mitigates the attacks. Waratek Secure rules provide protection against known and zero-day attacks with zero configuration and no source code changes. Waratek’s out-of-the-box zero-day protection not only covers the Oracle WebLogic versions that are patched by the Oracle April CPU but also protects legacy, end-of-life WebLogic releases.

Non-Waratek customers are advised to:

  1. apply the April 2020 CPU as soon as possible
  2. configure the JEP 290 global serialization blacklist with known dangerous gadget classes
  3. apply standard security hardening steps to restrict access via the T3 protocol, such as limiting the traffic and ports that must be allowed
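The following is an added example (not Waratek’s or Oracle’s code) of step 2: a JEP 290 serialization filter built from the same pattern syntax that the global `jdk.serialFilter` property accepts. The deny-listed packages are illustrative and must be extended with the gadget classes present on your own classpath; `FakeGadget` is a hypothetical local stand-in so that the rejection can be shown offline.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Hypothetical stand-in for a gadget class, used only to demonstrate rejection.
    static class FakeGadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Same syntax as -Djdk.serialFilter=... (JEP 290). A deny-list of well-known
    // gadget packages (illustrative, extend for your classpath) plus resource limits.
    // Anything not listed is still allowed, which is why a blacklist is a
    // mitigation and not a substitute for applying the CPU.
    static final String PATTERN = String.join(";",
        "!org.apache.commons.collections.**",
        "!org.apache.commons.collections4.**",
        "!org.apache.commons.fileupload.**",   // gadget behind CVE-2016-1000031
        "!SerialFilterDemo$FakeGadget",        // local stand-in (constructed)
        "maxdepth=20", "maxrefs=1000", "maxbytes=65536");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Per-stream filter; the global equivalent is the jdk.serialFilter property
    // or ObjectInputFilter.Config.setSerialFilter(...) set once at startup.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> benign = new ArrayList<>(List.of("order-42"));   // constructed input
        System.out.println("allowed: " + deserializeFiltered(serialize(benign)));
        try {
            deserializeFiltered(serialize(new FakeGadget()));
        } catch (InvalidClassException e) {
            // The stream is rejected before FakeGadget is instantiated.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with a Java 9 or later JDK (`javac SerialFilterDemo.java && java SerialFilterDemo`); the rejected case fails with an `InvalidClassException` reporting filter status REJECTED.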

Java Cloud Service users should also apply the relevant JCS patch.

For more information about how Waratek protects against CVE-2020-2883 without downtime, source code or configuration changes or blacklists, please contact your Waratek representative or schedule a demonstration.


About Waratek


Some of the world’s leading companies use Waratek’s ARMR Security Platform to patch, secure and upgrade their mission critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for security teams to instantly detect and remediate known vulnerabilities with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.


Waratek is the Cybersecurity Breakthrough Awards’ 2019 Overall Web Security Solution of the Year, a previous winner of the RSA Innovation Sandbox Award, and the recipient of more than a dozen other awards and recognitions. For more information, visit www.waratek.com.

Author: Apostolos Giannakidis

Apostolos drives the research and the design of the security features of Waratek’s RASP container. Before starting his journey at Waratek in 2014, Apostolos worked at Oracle for two years, focusing on destructive testing of the whole Oracle technology stack and on security testing of the Solaris operating system. Apostolos has more than 10 years of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham. Apostolos is acknowledged by Oracle for submitting two Java deserialization vulnerabilities that were fixed in the Oracle January 2018 CPU and is featured in Google’s Vulnerability Reward Program Hall of Fame.
