WebLogic Remote Code Execution Vulnerabilities (CVE-2020-2883 and CVE-2020-2884) Protection Solution

May 19, 2020 | Mina Hao

Overview

Oracle released its Critical Patch Update (CPU) for April 2020, which fixes multiple vulnerabilities of different risk levels, including two critical ones (CVE-2020-2883 and CVE-2020-2884) with a CVSS score of 9.8 that allow unauthenticated attackers with network access via T3 to compromise a vulnerable Oracle WebLogic Server. Successful exploitation could result in takeover of Oracle WebLogic Server and thus remote code execution.

Both vulnerabilities exist in the Core component of WebLogic Server and can be exploited without authentication or additional interaction. Since the T3 protocol is enabled by default on the WebLogic console, the two vulnerabilities can have an extensive impact. Affected users are strongly advised to apply protection measures as soon as possible to reduce risk.

Researchers from NSFOCUS reproduced the preceding vulnerabilities immediately upon their discovery.

For details about the Oracle CPU, please visit the following link:

https://www.oracle.com/security-alerts/cpuapr2020.html

Affected Versions

  • Oracle WebLogic Server 10.3.6.0.0
  • Oracle WebLogic Server 12.1.3.0.0
  • Oracle WebLogic Server 12.2.1.3.0
  • Oracle WebLogic Server 12.2.1.4.0

Check for the Vulnerabilities

  • Local Check

Run the following commands to view the WebLogic version and installed patches:

$ cd /Oracle/Middleware/wlserver_10.3/server/lib

$ java -cp weblogic.jar weblogic.version

The command output below shows that WebLogic has no patch installed and thus is at risk.

Technical Solutions

  • Official Fix

Oracle has released patches to fix the vulnerabilities in question. Affected users should visit the official security bulletin link to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection.

Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.

  • Workaround

You can temporarily block attacks based on these vulnerabilities by restricting network access via T3. The procedure is as follows:

  1. Access the administration console of WebLogic Server. Click base_domain in the left pane, then click the Security tab and the Filter tab to open the filter configuration page.
  2. Type weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and configure connection filter rules as required in the Connection Filter Rules field. Rule formats are as follows:

127.0.0.1 * * allow t3 t3s
Local IP * * allow t3 t3s
Allowed IP * * allow t3 t3s
* * * deny t3 t3s

  3. Click Save to make the rules take effect. If the rules do not take effect, you are advised to restart the WebLogic service. Note that restarting the WebLogic service causes a short service interruption, so ask the relevant personnel to evaluate the service impact before this operation.
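Added example (not part of the NSFOCUS advisory or of WebLogic's own code): a small Python evaluator for rules in the format above, useful for checking a rule set before saving it. It assumes the connection filter's documented behaviour that rules are checked in order, the first match decides, and an unmatched connection is allowed. The sample addresses, port 7001 and all function names are assumptions made for illustration; hostname targets and the local-address field are not modelled.

```python
import ipaddress

# Constructed rule set in the advisory's format: 10.0.0.5 stands in for
# "Local IP" and 192.0.2.10 for "Allowed IP" (sample addresses, not from the page).
RULES = """\
127.0.0.1 * * allow t3 t3s
10.0.0.5 * * allow t3 t3s
192.0.2.10 * * allow t3 t3s
* * * deny t3 t3s
"""
# Same rules with the catch-all deny placed first (an ordering mistake).
MISORDERED = "* * * deny t3 t3s\n192.0.2.10 * * allow t3 t3s\n"

def parse_rules(text):
    """Parse 'target localAddress localPort action [protocols...]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        # localAddress (fields[1]) is ignored here: treated as a wildcard.
        rules.append((fields[0], fields[2], fields[3], set(fields[4:])))
    return rules

def target_matches(target, client_ip):
    if target == "*":
        return True
    # Accepts a single address or address/netmask; hostnames are not handled.
    net = ipaddress.ip_network(target, strict=False)
    return ipaddress.ip_address(client_ip) in net

def decide(rules, client_ip, local_port, protocol):
    """First matching rule wins; if nothing matches, the connection is allowed."""
    for target, port, action, protocols in rules:
        if not target_matches(target, client_ip):
            continue
        if port != "*" and int(port) != local_port:
            continue
        if protocols and protocol not in protocols:
            continue  # rule is limited to other protocols
        return action
    return "allow"

def reachable(rules, client_ip, port=7001):
    """Protocols a given client can still use on the listen port."""
    return [p for p in ("t3", "t3s", "http", "https")
            if decide(rules, client_ip, port, p) == "allow"]
```

For an address outside the allow list, reachable() returns only http and https, because the deny rule names only the T3 protocols; with the MISORDERED rule set, the allowed IP is denied T3 as well.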
  • NSFOCUS’s Recommendations

Using NSFOCUS’s Detection Product or Service to Detect the Vulnerabilities

For internal assets, you can use NSFOCUS Remote Security Assessment System (RSAS V6), Web Vulnerability Scanning System (WVSS), Network Intrusion Detection System (NIDS), or Unified Threat Sensor (UTS) to check for the vulnerabilities:

  • RSAS V6:

http://update.nsfocus.com/update/listRsas

  • WVSS:

http://update.nsfocus.com/update/listWvss

  • NIDS:

http://update.nsfocus.com/update/listIds

  • UTS:

http://update.nsfocus.com/update/bsaUtsIndex

  • Upgrade Package/Rule Base Versions of Detection and Protection Products
Detection Product | Upgrade Package/Rule Base Version
RSAS V6’s System Plug-in | 6.0R02F01.1804
RSAS V6’s Web Plug-in | 6.0R02F00.1702
WVSS V6’s Plug-in | 6.0R03F00.159
NIDS | 5.6.10.22420, 5.6.9.22420
UTS | 5.6.10.22154

  • RSAS V6’s system plug-in package download link:

http://update.nsfocus.com/update/downloads/id/104435

  • RSAS V6’s web plug-in package download link:

http://update.nsfocus.com/update/downloads/id/104252

  • WVSS V6’s plug-in package download link:

http://update.nsfocus.com/update/downloads/id/104262

  • NIDS upgrade package download links:

5.6.10.22420

http://update.nsfocus.com/update/downloads/id/104039

5.6.9.22420

http://update.nsfocus.com/update/downloads/id/104038

  • UTS upgrade package download link:

http://update.nsfocus.com/update/downloads/id/103172

Using NSFOCUS’s Protection Product or Service to Protect Against the Exploitation of the Vulnerabilities

You can use NSFOCUS Network Intrusion Protection System (NIPS) to protect against these vulnerabilities.

  • NIPS:

http://update.nsfocus.com/update/listIps

  • Upgrade Package/Rule Base Versions of Protection Products
Protection Product | Upgrade Package/Rule Base Version | Rule ID
NIPS | 5.6.10.22420, 5.6.9.22420 | 23614

  • NIPS upgrade package download links:

5.6.10.22420

http://update.nsfocus.com/update/downloads/id/104039

5.6.9.22420

http://update.nsfocus.com/update/downloads/id/104038

Upgrading NSFOCUS’s Security Platforms

Platform | Upgrade Package/Rule Base Version
NSFOCUS Enterprise Security Platform Solution (ESP), NSFOCUS Enterprise Security Platform (Host) (ESP-H) F06 | ESP-EVENTRULE-004-20200221
NSFOCUS ESP-H F07 | ESP-EVENTRULE-003-20200221
NSFOCUS Intelligent Security Operation Platform Solution (ISOP) | 1.0.0.0.210052

  • ESP and ESP-H F06 upgrade package download link:

http://update.nsfocus.com/update/downloads/id/102586

  • ESP-H F07 upgrade package download link:

http://update.nsfocus.com/update/downloads/id/102585

  • ISOP upgrade package download link:

http://update.nsfocus.com/update/downloads/id/103918

Appendix: Product Use Guides

  • Scanning Configuration on RSAS

  1. On RSAS, under Services > System Upgrade, click Choose File in the Manual Upgrade area and find the update file just downloaded.
  2. Click Upgrade.
  3. Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.
  • Scanning Configuration on WVSS

On WVSS, under Services > System Upgrade, in the Manual Upgrade area, click Browse to find the update file just downloaded.

Click Upgrade.

Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.

  • Detection Configuration on UTS

On UTS, under System > System Upgrade > Offline Upgrade, browse to the update file just downloaded and click Upload.

  • Protection Configuration on NIPS

On NIPS, under System > System Update > Offline Update, browse to the update file just downloaded and click Upload.

After the update is installed, find the rule by ID 24298 in the default rule base and view rule details.

Note: After the update is installed, the engine automatically restarts to make it take effect, which does not disconnect any sessions, but may cause the loss of three to five packets during ping operations. Therefore, it is recommended that the update be installed at an appropriate time.

  • Configuration on ISOP

First, log in to the ISOP platform and click System Upgrade.

Then, on the Unified Rule Base Upgrade page, select Attack Identification Rule Package, upload the latest rule upgrade package, and click Upgrade.

  • Configuration on ESP

  1. Log in to the ESP or ESP-H platform.
  2. Choose Security Analysis > Event Rule.
  3. Click Import Rule.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.