Very High
CVE-2020-14882 — Unauthenticated RCE in Console component of Oracle WebLogic Server
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-14882 — Unauthenticated RCE in Console component of Oracle WebLogic Server
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
Adjusting the attacker value and exploitability scores to reflect the data and assessment already provided by @lvarela-r7 in this topic.
https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/
https://twitter.com/jas502n/status/1321416053050667009
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
There’s a zero-day patch bypass out for this CVE, and active attacks are continuing against internet-facing WebLogic deployments. See the Rapid7 analysis tab for full guidance.
Edit September 19, 2024: Rapid7 IR has confirmed continued exploitation of this vulnerability.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- Oracle Corporation
Products
- WebLogic Server
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://documents.trendmicro.com/assets/pdf/Technical-Brief---Tracking-CVE-2021-26084-and-Other-Server-based-Vulnerability-Exploits-via-Trend-Micro-Cloud-One-and-Trend-Micro-Vision-One.pdf)
- Other: ABCBot Exploited in the Wild (https://blog.netlab.360.com/abcbot_an_evolving_botnet_cn/)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Update December 28, 2020: At least two different botnets are reported to have incorporated exploits for CVE-2020-14882—see analysis from Juniper Threat Labs and Tolisec. Threat activity will certainly continue well into the new year.
Update November 2, 2020: Oracle has released an update to address CVE-2020-14750, which Rapid7 researchers believe to be the patch bypass for this vulnerability, CVE-2020-14882. The analysis for both these patches is detailed later in this document.
Update November 1, 2020: There is at least one patch bypass for CVE-2020-14882 already being shared on the internet. Rapid7 researchers have also successfully tested a patch bypass of our own. A zero-day patch bypass means attackers are able to achieve pre-authentication remote code execution against WebLogic Server instances. At a minimum, defenders should disable console/console.portal
if at all possible and take immediate steps to identify suspicious activity or indicators of compromise in their environments.
Update October 30, 2020: A work-in-progress Metasploit module has been published.
Rapid7’s Labs team confirmed that a new Oracle WebLogic honeypot deployment began logging exploit attempts in under 24 hours of deployment. Attacks against our honeypots are not yet high-volume.
Description
On Tuesday, October 20, as part of its October 2020 Critical Patch Update (CPU), Oracle published an advisory on CVE-2020-14882, a critical vulnerability in the console component of WebLogic Server. The vulnerability is trivially exploitable; successful exploitation could allow an unauthenticated, remote attacker to completely take over a vulnerable WebLogic Server. CVE-2020-14882 carries a CVSSv3 base score of 9.8.
The SANS Internet Storm Center (ISC) confirmed that CVE-2020-14882 is being actively exploited in the wild as of October 29, 2020. Security researcher Jang has technical details and a proof-of-concept (PoC) publicly available here (post in Vietnamese).
Rapid7’s Labs team has data on vulnerable internet-exposed WebLogic servers here. We urge Oracle WebLogic Server customers to patch as soon as possible—see full guidance below.
Affected products
The following supported versions of WebLogic Server are vulnerable to CVE-2020-14882, per Oracle’s advisory:
- 10.3.6.0.0
- 12.1.3.0.0
- 12.2.1.3.0
- 12.2.1.4.0
- 14.1.1.0.0
Rapid7 analysis
CVE-2020-14882 is trivially exploitable with a single request over HTTP. A proof-of-concept exploit has been widely circulated on Twitter, demonstrated on YouTube, and shared across security news sites. In general, WebLogic remote code execution vulnerabilities are frequent, high-value targets for attackers; another critical WebLogic vulnerability (CVE-2020-2555) recently made headlines for its inclusion in the U.S. National Security Agency’s list of vulnerabilities being actively exploited by Chinese state actors. Given the triviality of exploitation, we expect attacks leveraging CVE-2020-14882 to rise quickly as both advanced and commodity attackers add the exploit to their toolkits.
Authentication bypass patch
The original auth bypass (CVE-2020-14882) patch adds an IllegalUrl
blocklist that is trivially bypassed by using various forms of double encoding or simply changing the case of the input string.
--- unpatched/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 12:10:25.000000000 -0600 +++ patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 13:13:28.000000000 -0600 @@ -20,6 +20,8 @@ private static final long serialVersionUID = 1L; + private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" }; + public static void initMBean() { MBeanUtilsInitializer.initMBeanAsynchronously(); } @@ -37,14 +39,17 @@ if (req instanceof HttpServletRequest) { HttpServletRequest httpServletRequest = (HttpServletRequest)req; String url = httpServletRequest.getRequestURI(); - if (url.indexOf(";") > 0) { + for (int i = 0; i < IllegalUrl.length; i++) { + if (url.contains(IllegalUrl[i])) { if (resp instanceof HttpServletResponse) { + LOG.error("Invalid request URL detected. "); HttpServletResponse httpServletResponse = (HttpServletResponse)resp; httpServletResponse.sendError(404); } return; } } + } try { super.service(req, resp); } catch (IllegalStateException e) {
The latest patch (CVE-2020-14750) adds authentication and removes the blocklist in favor of an allowlist. An allowlist is typically the superior approach.
--- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 13:13:28.000000000 -0600 +++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 12:11:01.000000000 -0600 @@ -2,6 +2,7 @@ import com.bea.netuix.servlets.manager.SingleFileServlet; import java.io.IOException; +import java.util.List; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -20,8 +21,6 @@ private static final long serialVersionUID = 1L; - private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" }; - public static void initMBean() { MBeanUtilsInitializer.initMBeanAsynchronously(); } @@ -39,8 +38,9 @@ if (req instanceof HttpServletRequest) { HttpServletRequest httpServletRequest = (HttpServletRequest)req; String url = httpServletRequest.getRequestURI(); - for (int i = 0; i < IllegalUrl.length; i++) { - if (url.contains(IllegalUrl[i])) { + if (!ConsoleUtils.isUserAuthenticated(httpServletRequest)) + throw new ServletException("User not authenticated."); + if (!isValidUrl(url, httpServletRequest)) { if (resp instanceof HttpServletResponse) { LOG.error("Invalid request URL detected. "); HttpServletResponse httpServletResponse = (HttpServletResponse)resp; @@ -49,7 +49,6 @@ return; } } - } try { super.service(req, resp); } catch (IllegalStateException e) { @@ -60,4 +59,15 @@ LOG.debug(e); } } + + private boolean isValidUrl(String url, HttpServletRequest req) { + String consoleContextPath = ConsoleUtils.getConsoleContextPath(); + List<String> portalList = ConsoleUtils.getConsolePortalList(); + for (String portal : portalList) { + String tmp = "/" + consoleContextPath + portal; + if (url.equals(tmp)) + return true; + } + return false; + } }
Guidance
The SANS ISC included the following in their post published October 29, 2020:
“…all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.”
We echo that guidance in the strongest terms. Organizations running Oracle WebLogic Server should patch as quickly as possible. Those who are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well-advised to break that cycle in favor of patching as soon as they can. Organizations that are unable to patch immediately should consider the following recommendations as partial mitigations, with the understanding that no mitigation is as effective as patching:
- Ensure the admin portal is not exposed to the public internet; blocking access to the admin portal (TCP port 7001 by default) may act as a partial mitigation until CVE-2020-14882 can be patched.
- Review application logs for HTTP requests that include a double-encoded path traversal, such as
%252E
(case-insensitive), and the admin portal pathconsole.portal
in the request URI.
- Monitor network traffic for suspicious HTTP requests if you have the ability to do so.
- Monitor for any suspicious processes created by the application, such as
cmd.exe
or/bin/sh
.
A Sigma rule and a Zeek rule are available for detecting basic exploitation of CVE-2020-14882.
References
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: