High
CVE-2020-2555
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-2555
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Add Assessment
Ratings
Technical Analysis
Since this got a little more attention later in 2020, it’s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we’ve seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., CVE-2020-14882 and CVE-2020-14750) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityMedium
Technical Analysis
The vulnerability exists in the LimitFilter
class’s toString()
method within the Coherence library, a library that exists within WebLogic installations by default.
public String toString() { StringBuilder sb = new StringBuilder("LimitFilter: ("); sb.append(this.m_filter) .append(" [pageSize=") .append(this.m_cPageSize) .append(", pageNum=") .append(this.m_nPage); if (this.m_comparator instanceof ValueExtractor) { ValueExtractor extractor = (ValueExtractor)this.m_comparator; sb.append(", top=") .append(extractor.extract(this.m_oAnchorTop)) .append(", bottom=") .append(extractor.extract(this.m_oAnchorBottom)); } else if (this.m_comparator != null) { sb.append(", comparator=") .append(this.m_comparator); } sb.append("])"); return sb.toString(); }
As originally noted in the ZDI blog post, all of the calls to extract()
were removed from the aforementioned toString()
method in the fix. The removal was due to having the ability to leverage the ReflectionExtractor
class’s extract()
method to execute arbitrary code via method.invoke()
.
public E extract(T oTarget) { if (oTarget == null) return null; Class<?> clz = oTarget.getClass(); try { Method method = this.m_methodPrev; if (method == null || method.getDeclaringClass() != clz) this.m_methodPrev = method = ClassHelper.findMethod(clz, getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false); return (E)method.invoke(oTarget, this.m_aoParam); } catch (NullPointerException e) { throw new RuntimeException(suggestExtractFailureCause(clz)); } catch (Exception e) { throw ensureRuntimeException(e, clz .getName() + this + '(' + oTarget + ')'); } }
The prerequisite for being able to leverage extract()
to execute code is to first trigger the toString()
method from the LimitFilter
class. The BadAttributeValueExpException
class within the JRE meets the prereq, as can be seen in its readObject()
method:
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { ObjectInputStream.GetField gf = ois.readFields(); Object valObj = gf.get("val", null); if (valObj == null) { val = null; } else if (valObj instanceof String) { val= valObj; } else if (System.getSecurityManager() == null || valObj instanceof Long || valObj instanceof Integer || valObj instanceof Float || valObj instanceof Double || valObj instanceof Byte || valObj instanceof Short || valObj instanceof Boolean) { val = valObj.toString(); ... }
Provided that the server does not have a Security Manager, sending a serialized BadAttributeValueExpException
object to a WebLogic server will result in the toString()
method being triggered. As of now, Weblogic installations do not come with a Security Manager by default.
I would rate this vulnerability as quite high, since successful exploitation does not require authentication, and the application accepts the crafted object without any sort of filtering. This is an important one to patch.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- oracle
Products
- access manager 11.1.2.3.0,
- coherence 12.1.3.0.0,
- coherence 12.2.1.3.0,
- coherence 12.2.1.4.0,
- coherence 3.7.1.0,
- commerce platform,
- commerce platform 11.0.0,
- commerce platform 11.1.0,
- commerce platform 11.2.0,
- communications diameter signaling router,
- healthcare data repository 7.0.1,
- rapid planning 12.1,
- rapid planning 12.2,
- retail assortment planning 15.0,
- retail assortment planning 16.0,
- utilities framework,
- utilities framework 4.2.0.2.0,
- utilities framework 4.2.0.3.0,
- utilities framework 4.4.0.0.0,
- utilities framework 4.4.0.2.0,
- webcenter portal 12.2.1.3.0,
- webcenter portal 12.2.1.4.0
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: