Attacker Value
High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2020-2883

Disclosure Date: April 15, 2020
CVE-2020-2883 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Add Assessment

3
Ratings
Common in enterpriseUnauthenticatedVulnerable in default configuration
Technical Analysis

Well, it’s bad when even Oracle decides to raise the alarm bells (wayback machine was down, so no permalink yet) about it.

They’ve detected active exploitation attempts against WebLogic servers.

T3 is Weblogic’s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.

It appears there’s PoC for it but I haven’t tested it yet. Since it’s yet-another deserialization vulnerability and there’s existing PoC code for similar RMI RCE, Oracle’s observations are likely correct.

Log in to Add Reply
2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Common in enterpriseEasy to weaponizeUnauthenticatedVulnerable in default configuration
Technical Analysis

This is now being reported as a bypass for the patch for CVE-2020-2555. The gadget chain is slightly modified, but it seems that exploitation results in unauthenticated RCE just as with CVE-2020-2555. This should certainly be patched.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
remote
Utility Class
rce
Ports
Unknown
OS
Unknown
Vulnerable Versions
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
Prerequisites
Unknown
Discovered By
Quynh Le of VNPT ISC
PoC Author
Likely: https://github.com/hktalent/CVE_2020_2546
Metasploit Module
exploit/multi/misc/weblogic_deserialize_badattr_extcomp
Reporter
Unknown

Vendors

  • Oracle Corporation

Products

  • WebLogic Server

Additional Info

Authenticated
Never
Exploitable
Always
Reliability
Unknown
Stability
Unknown
Available Mitigations
Moderate
Shelf Life
Unknown
Userbase/Installbase
Very Large
Patch Effectiveness
Unknown
Technical Analysis