Oracle released Critical Patch Update (CPU) for January 2020, announcing a remote code execution vulnerability (CVE-2020-2551) in the Internet Inter-ORB Protocol (IIOP) used by the WLA component in WebLogic.
This vulnerability exists in the core component of the WebLogic Server and can be triggered when the WebLogic Server is at default settings without administrative authentication and extra interaction, exerting an extensive impact.
Via IIOP, an attacker could access the remote interface of the WebLogic Server to deliver malicious data, in a bid to gain server privileges and execute arbitrary code remotely without authorization. Oracle assigns a CVSS score of 9.8 to this vulnerability.
The IIOP protocol is used to access remote objects as a Java interface. By default, it is enabled.
For details about the Oracle CPU, please visit the following link:
The following versions are affected by the CVE-2020-2551 vulnerability:
- Oracle Weblogic Server 10.3.6.0.0 (official patch to be released on January 31)
- Oracle Weblogic Server 220.127.116.11.0 (official patch to be released on January 31)
- Oracle Weblogic Server 18.104.22.168.0 (official patch is available)
- Oracle Weblogic Server 22.214.171.124.0 (official patch is available)
Check for the Vulnerability
3.1 Local Check
You can use the following commands to check the WebLogic version and whether the patch is installed.
|$ cd /Oracle/Middleware/wlserver_10.3/server/lib
$ java -cp weblogic.jar weblogic.version
If no patch installation information is shown in the execution result, your WebLogic sever is vulnerable.
4.1 Official Fix
In the Oracle CPU for January 2020, Oracle released patches for WebLogic Server 126.96.36.199 and 188.8.131.52. Affected users are advised to download and apply the corresponding patch as soon as possible.
Patches for WebLogic Server 10.3.6.0.0 and 184.108.40.206.0 will be released on January 31, 2020. Users are advised to check Oracle’s official security bulletins from time to time to get the related patch as soon as possible. Before patches are available, users should use the workaround described in section 4.2.
Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patch.
The risk of this vulnerability can be mitigated by disabling the IIOP protocol. To disable the IIOP protocol, follow these steps:
Access the administration console of WebLogic Server. Choose Service > AdminServer > Protocol, deselect Enable IIOP, and restart the WebLogic Server to make the setting take effect.
- NSFOCUS’s Recommendations
4.3.1 Detection Services and Products from NSFOCUS
You can use NSFOCUS RSAS V6, NIPS, and UTS to check for the vulnerability in internal assets:
- Remote Security Assessment System (RSAS V6) plug-ins:
- NSFOCUS Intrusion Detection System (NIDS)
- Unified Threat Sensor (UTS)
You can download upgrade packages from the following links to upgrade these devices to the latest version for vulnerability detection.
4.3.2 Protection Products from NSFOCUS
- NSFOCUS Network Intrusion Prevention System (NIPS)
You can download upgrade packages from the following links to upgrade these devices to the latest version for vulnerability protection.
4.3.3 Upgrade Package/Rule Base Versions of Detection and Protection Products
|Detection Product||Upgrade Package/Rule Base Version|
|RSAS V6 System Plug-in Package||V6.0R02F01.1704|
|NIDS||V220.127.116.115, V18.104.22.16897, and V22.214.171.12497|
- RSAS V6 system plug-in package:
- NIDS upgrade package:
- UTS upgrade package:
|Protection Product||Upgrade Package/Rule Base Version||Rule ID|
|NIPS||V126.96.36.1995, V188.8.131.5297, and V184.108.40.20697||24671|
- NIPS upgrade package:
Currently, Oracle only provides patches for certain versions of the WebLogic server to fix the CVE-2020-2551 vulnerability. According to the Oracle bullitin, patches for other versions will not be published until January 31.
Following is the brief description of this vulnerability:
When the IIOP protocol is enabled (enabled by default) on WebLogic server which requires no administrator authentication and extra interaction, an attacker could exploit this vulnerability to take over the server and obtain sensitive information through remote code execution.
TSA – V2.0R00F02 (importing a rule upgrade package)
(1) Access BSA and then select Rule Engine, as shown in the following figure.
(2) Choose Upgrade.
(3) Click Choose File, select tsa_rule.220.127.116.11307.dat, click Import, and then click OK.
(4) Check the upgrade result in the upgrade record area.
TSA – other versions (custom rules)
(1) Access BSA and then select Rule Engine.
(2) Click Create Rule.
(3) Configure intrusion protection rules as follows:
- Mode: Expert
- Category: Network intrusion
select sip, dip, sum(last_times) as atk_count, sip, dip, min(timestamp) as start_time, max(timestamp) as end_time, concat_agg(related_id_list) as related_id_list
where rule_id = 24671
group by sip, dip
(4) Click Next and then set parameters as follows on the Attribute Configuration page:
- Name: WebLogic WLS Component IIOP Protocol Remote Code Execution Vulnerability Attack
- Risk Level: Medium
- Phase: Exploitation
- Timeout: 1800 (default)
- Duration: 3600 (default)
- Merged Attribute: sip, dip
- Event Type: System intrusion – exploit
- Description: This vulnerability could be exploited to bypass the latest security update issued by Oracle in October 2019. Via IIOP, an attacker could access the remote interface of the WebLogic Server to deliver malicious data, in a bid to gain server privileges and execute arbitrary code remotely without authorization.
- Suggestion: Currently, Oracle’s this CPU contains patches only for WebLogic Server V18.104.22.168.0 and those for other versions will be released on January 31. Users are advised to check Oracle’s official security bulletins from time to time to get the related patch as soon as possible. <0
- }}Mitigation: The risk of this vulnerability can be mitigated by disabling the IIOP protocol. To disable the IIOP protocol, follow these steps: Access the administration console of WebLogic Server. Choose Service > AdminServer > Protocol, deselect Enable IIOP, and restart WebLogic items to make the setting take effect.
(5) Click Complete to complete configuration of the website security rule.
(6) Enable the rule in the rule list.
(1) Log in to ESP/ESP-H.
(2) Choose Security Analysis > Event Rules.
(3) Click Import Rule (*.dat). For the ESP-H F07 series, import the rule package ESP-EVENTRULE-001-20200116.dat.For ESP or ESP-H F06 series, import the rule package ESP-EVENTRULE-002-20200116.dat.
6.1.2 NSFOCUS Threat Analysis and Management Platform (TAM, New Version)
Update the rule for protection against the WebLogic vulnerability exploit attempt. The procedure is as follows:
(1) Access TAM.
(2) Choose Scenario Management > Scenario Configuration and click Upload in the upper-right corner of the page to upload tam_rule.22.214.171.124109.dat.
If the upload succeeds, a message is displayed next to Upload to indicate the upload success.
6.1.3 NSFOCUS Intelligent Security Operation Platform (ISOP)
(1) Log in to NSFOCUS ISOP and install the rule upgrade package to attack_rule.126.96.36.199.203289.
(2) Click System Update.
(2) Click Unified Rule Package Update, select the rule upgrade package attack_rule.188.8.131.52.203289, and click Update after the package is uploaded.
Upgrade package download link:
- Scanning Configuration on RSAS
To use RSAS to scan for this vulnerability, users should download the latest plug-in version.
For example, you can download the rule package for RSAS V6.0 from the following link:
On RSAS, choose Services > System Upgrade, and click Select File in the Manual Upgrade area to select the update file just downloaded.
Wait for the installation to complete. After the update, you can create a custom scanning template to scan the system for this vulnerability.
- Detection Configuration on UTS
Download the latest rule update of UTS from the following link:
On UTS, choose System > System Upgrade > Offline Upgrade and browse to the update file just downloaded and click Upload.
Wait for the installation to complete.
- Protection Configuration on NIPS
NIPS users can address this vulnerability by updating the rule base. The procedure is as follows:
You can download the latest rule base of NSFOCUS NIPS from our official website. Following is a link to the latest rule base for NSFOCUS NIPS V5.6.10:
On the web-based manager of NSFOCUS NIPS, choose System > System Update > Offline Update and browse to the update file just downloaded and click Upload.
After the update is installed, retrieve rule ID 24671 from the default rule base to view rule details.
Note: After the update is installed, the engine automatically restarts to make it take effect, which does not disconnect any sessions, but may cause the loss of three to five packets during ping operations. Therefore, it is recommended that the update be installed at an appropriate time.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was founded in April 2000. Headquartered in Beijing, the company has more than 30 branches and subsidiaries at home and abroad, providing most competitive security products and solutions for government, carrier, financial, energy, Internet, education, and healthcare sectors to ensure customers’ business continuity.
Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.
NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.