Attacker Value: High

CVE-2020-2883

Disclosure Date: April 15, 2020

Exploitability: High (2 users assessed)
Attack Vector: Network
Privileges Required: None
User Interaction: None

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Technical Analysis (3 Ratings)

Well, it’s bad when even Oracle decides to raise the alarm bells (Wayback Machine was down, so no permalink yet) about it.

They’ve detected active exploitation attempts against WebLogic servers.

T3 is WebLogic’s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.

It appears there’s a PoC for it, but I haven’t tested it yet. Since it’s yet another deserialization vulnerability and there’s existing PoC code for similar RMI RCE, Oracle’s observations are likely correct.

Technical Analysis (2 Ratings)

This is now being reported as a bypass for the patch for CVE-2020-2555. The gadget chain is slightly modified, but it seems that exploitation results in unauthenticated RCE just as with CVE-2020-2555. This should certainly be patched.
