Update December 28, 2020: At least two different botnets are reported to have incorporated exploits for CVE-2020-14882—see analysis from Juniper Threat Labs and Tolisec. Threat activity will certainly continue well into the new year.

Update November 2, 2020: Oracle has released an update to address CVE-2020-14750, which Rapid7 researchers believe to be the patch bypass for this vulnerability, CVE-2020-14882. The analysis for both these patches is detailed later in this document.

Update November 1, 2020: There is at least one patch bypass for CVE-2020-14882 already being shared on the internet. Rapid7 researchers have also successfully tested a patch bypass of our own. A zero-day patch bypass means attackers are able to achieve pre-authentication remote code execution against WebLogic Server instances. At a minimum, defenders should disable console/console.portal if at all possible and take immediate steps to identify suspicious activity or indicators of compromise in their environments.

Update October 30, 2020: A work-in-progress Metasploit module has been published.

Rapid7’s Labs team confirmed that a new Oracle WebLogic honeypot deployment began logging exploit attempts in under 24 hours of deployment. Attacks against our honeypots are not yet high-volume.

Description

On Tuesday, October 20, as part of its October 2020 Critical Patch Update (CPU), Oracle published an advisory on CVE-2020-14882, a critical vulnerability in the console component of WebLogic Server. The vulnerability is trivially exploitable; successful exploitation could allow an unauthenticated, remote attacker to completely take over a vulnerable WebLogic Server. CVE-2020-14882 carries a CVSSv3 base score of 9.8.

The SANS Internet Storm Center (ISC) confirmed that CVE-2020-14882 is being actively exploited in the wild as of October 29, 2020. Security researcher Jang has technical details and a proof-of-concept (PoC) publicly available here (post in Vietnamese).

Rapid7’s Labs team has data on vulnerable internet-exposed WebLogic servers here. We urge Oracle WebLogic Server customers to patch as soon as possible—see full guidance below.

Affected products

The following supported versions of WebLogic Server are vulnerable to CVE-2020-14882, per Oracle’s advisory:

• 10.3.6.0.0
  
• 12.1.3.0.0
  
• 12.2.1.3.0
  
• 12.2.1.4.0
  
• 14.1.1.0.0
  

Rapid7 analysis

CVE-2020-14882 is trivially exploitable with a single request over HTTP. A proof-of-concept exploit has been widely circulated on Twitter, demonstrated on YouTube, and shared across security news sites. In general, WebLogic remote code execution vulnerabilities are frequent, high-value targets for attackers; another critical WebLogic vulnerability (CVE-2020-2555) recently made headlines for its inclusion in the U.S. National Security Agency’s list of vulnerabilities being actively exploited by Chinese state actors. Given the triviality of exploitation, we expect attacks leveraging CVE-2020-14882 to rise quickly as both advanced and commodity attackers add the exploit to their toolkits.

Authentication bypass patch

The original auth bypass (CVE-2020-14882) patch adds an IllegalUrl blocklist that is trivially bypassed by using various forms of double encoding or simply changing the case of the input string.

--- unpatched/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 12:10:25.000000000 -0600
+++ patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 13:13:28.000000000 -0600
@@ -20,6 +20,8 @@

   private static final long serialVersionUID = 1L;

+  private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" };
+
   public static void initMBean() {
     MBeanUtilsInitializer.initMBeanAsynchronously();
   }
@@ -37,14 +39,17 @@
     if (req instanceof HttpServletRequest) {
       HttpServletRequest httpServletRequest = (HttpServletRequest)req;
       String url = httpServletRequest.getRequestURI();
-      if (url.indexOf(";") > 0) {
+      for (int i = 0; i < IllegalUrl.length; i++) {
+        if (url.contains(IllegalUrl[i])) {
         if (resp instanceof HttpServletResponse) {
+            LOG.error("Invalid request URL detected. ");
           HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
           httpServletResponse.sendError(404);
         }
         return;
       }
     }
+    }
     try {
       super.service(req, resp);
     } catch (IllegalStateException e) {

The latest patch (CVE-2020-14750) adds authentication and removes the blocklist in favor of an allowlist. An allowlist is typically the superior approach.

--- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 13:13:28.000000000 -0600
+++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 12:11:01.000000000 -0600
@@ -2,6 +2,7 @@

 import com.bea.netuix.servlets.manager.SingleFileServlet;
 import java.io.IOException;
+import java.util.List;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
@@ -20,8 +21,6 @@

   private static final long serialVersionUID = 1L;

-  private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" };
-
   public static void initMBean() {
     MBeanUtilsInitializer.initMBeanAsynchronously();
   }
@@ -39,8 +38,9 @@
     if (req instanceof HttpServletRequest) {
       HttpServletRequest httpServletRequest = (HttpServletRequest)req;
       String url = httpServletRequest.getRequestURI();
-      for (int i = 0; i < IllegalUrl.length; i++) {
-        if (url.contains(IllegalUrl[i])) {
+      if (!ConsoleUtils.isUserAuthenticated(httpServletRequest))
+        throw new ServletException("User not authenticated.");
+      if (!isValidUrl(url, httpServletRequest)) {
           if (resp instanceof HttpServletResponse) {
             LOG.error("Invalid request URL detected. ");
             HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
@@ -49,7 +49,6 @@
           return;
         }
       }
-    }
     try {
       super.service(req, resp);
     } catch (IllegalStateException e) {
@@ -60,4 +59,15 @@
         LOG.debug(e);
     }
   }
+
+  private boolean isValidUrl(String url, HttpServletRequest req) {
+    String consoleContextPath = ConsoleUtils.getConsoleContextPath();
+    List<String> portalList = ConsoleUtils.getConsolePortalList();
+    for (String portal : portalList) {
+      String tmp = "/" + consoleContextPath + portal;
+      if (url.equals(tmp))
+        return true;
+    }
+    return false;
+  }
 }

Guidance

The SANS ISC included the following in their post published October 29, 2020:

“…all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”

We echo that guidance in the strongest terms. Organizations running Oracle WebLogic Server should patch as quickly as possible. Those who are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well-advised to break that cycle in favor of patching as soon as they can. Organizations that are unable to patch immediately should consider the following recommendations as partial mitigations, with the understanding that no mitigation is as effective as patching:

• Ensure the admin portal is not exposed to the public internet; blocking access to the admin portal (TCP port 7001 by default) may act as a partial mitigation until CVE-2020-14882 can be patched.
  
• Review application logs for HTTP requests that include a double-encoded path traversal, such as %252E (case-insensitive), and the admin portal path console.portal in the request URI.
  
• Monitor network traffic for suspicious HTTP requests if you have the ability to do so.
  
• Monitor for any suspicious processes created by the application, such as cmd.exe or /bin/sh.
  

A Sigma rule and a Zeek rule are available for detecting basic exploitation of CVE-2020-14882.

References

• https://blog.rapid7.com/2020/10/29/oracle-weblogic-unauthenticated-complete-takeover-cve-2020-14882-what-you-need-to-know/
  
• https://isc.sans.edu/diary/rss/26734
  
• https://www.oracle.com/security-alerts/cpuoct2020.html