Attacker Value
High
(3 users assessed)
Exploitability
Moderate
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2020-2555

Disclosure Date: January 15, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Add Assessment

4
Ratings
Technical Analysis

Since this got a little more attention later in 2020, it’s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we’ve seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., CVE-2020-14882 and CVE-2020-14750) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.

2
Ratings
Technical Analysis

The vulnerability exists in the LimitFilter class’s toString() method within the Coherence library, a library that exists within WebLogic installations by default.

public String toString() {
    StringBuilder sb = new StringBuilder("LimitFilter: (");
    sb.append(this.m_filter)
      .append(" [pageSize=")
      .append(this.m_cPageSize)
      .append(", pageNum=")
      .append(this.m_nPage);
    if (this.m_comparator instanceof ValueExtractor) {
      ValueExtractor extractor = (ValueExtractor)this.m_comparator;
      sb.append(", top=")
        .append(extractor.extract(this.m_oAnchorTop))
        .append(", bottom=")
        .append(extractor.extract(this.m_oAnchorBottom));
    } else if (this.m_comparator != null) {
      sb.append(", comparator=")
        .append(this.m_comparator);
    } 
    sb.append("])");
    return sb.toString();
  }

As originally noted in the ZDI blog post, all of the calls to extract() were removed from the aforementioned toString() method in the fix. The removal was due to having the ability to leverage the ReflectionExtractor class’s extract() method to execute arbitrary code via method.invoke().

  public E extract(T oTarget) {
    if (oTarget == null)
      return null; 
    Class<?> clz = oTarget.getClass();
    try {
      Method method = this.m_methodPrev;
      if (method == null || method.getDeclaringClass() != clz)
        this.m_methodPrev = method = ClassHelper.findMethod(clz, 
            getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false); 
      return (E)method.invoke(oTarget, this.m_aoParam);
    } catch (NullPointerException e) {
      throw new RuntimeException(suggestExtractFailureCause(clz));
    } catch (Exception e) {
      throw ensureRuntimeException(e, clz
          .getName() + this + '(' + oTarget + ')');
    } 
  }

The prerequisite for being able to leverage extract() to execute code is to first trigger the toString() method from the LimitFilter class. The BadAttributeValueExpException class within the JRE meets the prereq, as can be seen in its readObject() method:

private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField gf = ois.readFields();
        Object valObj = gf.get("val", null);

        if (valObj == null) {
            val = null;
        } else if (valObj instanceof String) {
            val= valObj;
        } else if (System.getSecurityManager() == null
                || valObj instanceof Long
                || valObj instanceof Integer
                || valObj instanceof Float
                || valObj instanceof Double
                || valObj instanceof Byte
                || valObj instanceof Short
                || valObj instanceof Boolean) {
            val = valObj.toString();
       ...
    }

Provided that the server does not have a Security Manager, sending a serialized BadAttributeValueExpException object to a WebLogic server will result in the toString() method being triggered. As of now, Weblogic installations do not come with a Security Manager by default.

I would rate this vulnerability as quite high, since successful exploitation does not require authentication, and the application accepts the crafted object without any sort of filtering. This is an important one to patch.

1
Technical Analysis

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • oracle

Products

  • access manager 11.1.2.3.0,
  • coherence 12.1.3.0.0,
  • coherence 12.2.1.3.0,
  • coherence 12.2.1.4.0,
  • coherence 3.7.1.0,
  • commerce platform,
  • commerce platform 11.0.0,
  • commerce platform 11.1.0,
  • commerce platform 11.2.0,
  • communications diameter signaling router,
  • healthcare data repository 7.0.1,
  • rapid planning 12.1,
  • rapid planning 12.2,
  • retail assortment planning 15.0,
  • retail assortment planning 16.0,
  • utilities framework,
  • utilities framework 4.2.0.2.0,
  • utilities framework 4.2.0.3.0,
  • utilities framework 4.4.0.0.0,
  • utilities framework 4.4.0.2.0,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0

Exploited in the Wild

Reported by:
Technical Analysis