High
CVE-2020-2883
Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Technical Analysis
Well, it’s bad when even Oracle decides to raise the alarm bells (Wayback Machine was down, so no permalink yet) about it.
They’ve detected active exploitation attempts against WebLogic servers.
T3 is WebLogic’s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.
It appears there’s a PoC for it, but I haven’t tested it yet. Since it’s yet another deserialization vulnerability and there’s existing PoC code for similar RMI RCE, Oracle’s observations are likely correct.
Ratings
- Attacker Value: High
- Exploitability: High
Technical Analysis
This is now being reported as a bypass for the patch for CVE-2020-2555. The gadget chain is slightly modified, but it seems that exploitation results in unauthenticated RCE just as with CVE-2020-2555. This should certainly be patched.
General Information
Vendors
- Oracle Corporation
Products
- WebLogic Server