Oracle released Critical Patch Update (CPU) for April 2020 that fixes multiple vulnerabilities of different risk levels, including two critical ones (CVE-2020-2883 and CVE-2020-2884) with a CVSS score of 9.8 that allow unauthenticated attackers with network access via T3 to compromise vulnerable Oracle WebLogic Server. Successful exploitation could result in takeover of Oracle WebLogic Server, hence remote code execution.
The two vulnerabilities that exist in the Core component of WebLogic Server could be exploited without authentication or additional interaction. Since the T3 protocol is enabled by default on the WebLogic console, the two vulnerabilities can cause an extensive impact. Affected users are strongly advised to apply protection measures as soon as possible for risk aversion.
Researchers from NSFOCUS has reproduced the preceding vulnerabilities immediately upon their discovery.
For details about the Oracle CPU, please visit the following link:
- Oracle WebLogic Server 10.3.6.0.0
- Oracle WebLogic Server 188.8.131.52.0
- Oracle WebLogic Server 184.108.40.206.0
- Oracle WebLogic Server 220.127.116.11.0
Check for the Vulnerabilities
- Local Check
Run the following commands to view the WebLogic version and installed patches:
|$ cd /Oracle/Middleware/wlserver_10.3/server/lib
$ java -cp weblogic.jar weblogic.version
The command output below shows that WebLogic has no patch installed and thus is at risk.
Oracle has released patches to fix the vulnerabilities in question. Affected users should visit the official security bulletin link to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection.
Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.
You can temporarily block attacks based on these vulnerabilities by restricting network access via T3. The procedure is as follows:
- Access the administration console of WebLogic Server. Click base_domain in the left pane and then click the Security and Filter tabs successively to open the filter configuration page.
- Type security.net.ConnectionFilterImpl in the Connection Filter field and configure connection filter rules as required in the Connection Filter Rules field. Rule formats are as follows:
|127.0.0.1 * * allow t3 t3s
Local IP * * allow t3 t3s
Allowed IP * * allow t3 t3s
* * * deny t3 t3s
- Click Save to make the rules take effect. If rules do not take effect, you are advised to restart the WebLogic service. It should be noted that restarting the WebLogic service will cause service interruption for a short while, and therefore you need to ask related personnel to evaluate the service impact before this operation.
Using NSFOCUS’s Detection Product or Service to Detect the Vulnerabilities
For internal assets, you can use NSFOCUS Remote Security Assessment System (RSAS V6), Web Vulnerability Scanning System (WVSS), Network Intrusion Detection System (NIDS), or Unified Threat Sensor (UTS) to check for the vulnerabilities:
- RSAS V6:
- Upgrade Package/Rule Base Versions of Detection and Protection Products
|Detection Product||Upgrade Package/Rule Base Version|
|RSAS V6’s System Plug-in||6.0R02F01.1804|
|RSAS V6’s Web Plug-in||6.0R02F00.1702|
|WVSS V6’s Plug-in||6.0R03F00.159|
- RSAS V6’s system plug-in package download link:
- RSAS V6’s web plug-in package download link:
- WVSS V6’s plug-in package download link:
- NIDS upgrade package download links:
- UTS upgrade package download link:
Using NSFOCUS’s Protection Product or Service to Protect Against the Exploitation of the Vulnerabilities
You can use NSFOCUS Network Intrusion Protection System (NIPS) to protect against these vulnerabilities.
- Upgrade Package/Rule Base Versions of Protection Products
|Protection Product||Upgrade Package/Rule Base Version||Rule ID|
- NIPS upgrade package download links:
Upgrading NSFOCUS’s Security Platforms
|Platform||Upgrade Package/Rule Base Version|
|NSFOCUS Enterprise Security Platform Solution (ESP)
NSFOCUS Enterprise Security Platform (Host) (ESP-H) F06
|NSFOCUS ESP-H F07||ESP-EVENTRULE-003-20200221|
|NSFOCUS Intelligent Security Operation Platform Solution (ISOP)||18.104.22.168.210052|
- ESP and ESP-H F06 upgrade package download link:
- ESP-H F07 upgrade package download link:
- ISOP upgrade package download link:
Appendix: Product Use Guides
Scanning Configuration on RSAS
- On RSAS, under Services > System Upgrade, click Choose File in the Manual Upgrade area and find the update file just downloaded.
- Click Upgrade.
- 3. Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.
Scanning Configuration on WVSS
On WVSS, under Services > System Upgrade, in the Manual Upgrade area, click Browse to find the update file just downloaded.
Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.
Detection Configuration on UTS
On UTS, under System > System Upgrade > Offline Upgrade, browse to the update file just downloaded and click Upload.
Protection Configuration on NIPS
On NIPS, under System > System Update > Offline Update, browse to the update file just downloaded and click Upload.
After the update is installed, find the rule by ID 24298 in the default rule base and view rule details.
Note: After the update is installed, the engine automatically restarts to make it take effect, which does not disconnect any sessions, but may cause the loss of three to five packets during ping operations. Therefore, it is recommended that the update be installed at an appropriate time.
Configuration on ISOP
First, log in to the ISOP platform and click System Upgrade.
Then, on the Unified Rule Base Upgrade page, select Attack Identification Rule Package, upload the latest rule upgrade package, and click Upgrade.
Configuration on ESP
- Log in to the ESP or ESP-H platform.
- Choose Security Analysis > Event Rule.
- Click Import Rule.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.