High
CVE-2020-2555
CVE-2020-2555
Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Add Assessment
Technical Analysis
Since this got a little more attention later in 2020, it’s probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we’ve seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., CVE-2020-14882 and CVE-2020-14750) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.
Technical Analysis
The vulnerability exists in the LimitFilter class’s toString() method within the Coherence library, a library that exists within WebLogic installations by default.
public String toString() { StringBuilder sb = new StringBuilder("LimitFilter: ("); sb.append(this.m_filter) .append(" [pageSize=") .append(this.m_cPageSize) .append(", pageNum=") .append(this.m_nPage); if (this.m_comparator instanceof ValueExtractor) { ValueExtractor extractor = (ValueExtractor)this.m_comparator; sb.append(", top=") .append(extractor.extract(this.m_oAnchorTop)) .append(", bottom=") .append(extractor.extract(this.m_oAnchorBottom)); } else if (this.m_comparator != null) { sb.append(", comparator=") .append(this.m_comparator); } sb.append("])"); return sb.toString(); }
As originally noted in the ZDI blog post, all of the calls to extract() were removed from the aforementioned toString() method in the fix. The removal was due to having the ability to leverage the ReflectionExtractor class’s extract() method to execute arbitrary code via method.invoke().
public E extract(T oTarget) { if (oTarget == null) return null; Class<?> clz = oTarget.getClass(); try { Method method = this.m_methodPrev; if (method == null || method.getDeclaringClass() != clz) this.m_methodPrev = method = ClassHelper.findMethod(clz, getMethodName(), ClassHelper.getClassArray(this.m_aoParam), false); return (E)method.invoke(oTarget, this.m_aoParam); } catch (NullPointerException e) { throw new RuntimeException(suggestExtractFailureCause(clz)); } catch (Exception e) { throw ensureRuntimeException(e, clz .getName() + this + '(' + oTarget + ')'); } }
The prerequisite for being able to leverage extract() to execute code is to first trigger the toString() method from the LimitFilter class. The BadAttributeValueExpException class within the JRE meets the prereq, as can be seen in its readObject() method:
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { ObjectInputStream.GetField gf = ois.readFields(); Object valObj = gf.get("val", null); if (valObj == null) { val = null; } else if (valObj instanceof String) { val= valObj; } else if (System.getSecurityManager() == null || valObj instanceof Long || valObj instanceof Integer || valObj instanceof Float || valObj instanceof Double || valObj instanceof Byte || valObj instanceof Short || valObj instanceof Boolean) { val = valObj.toString(); ... }
Provided that the server does not have a Security Manager, sending a serialized BadAttributeValueExpException object to a WebLogic server will result in the toString() method being triggered. As of now, Weblogic installations do not come with a Security Manager by default.
I would rate this vulnerability as quite high, since successful exploitation does not require authentication, and the application accepts the crafted object without any sort of filtering. This is an important one to patch.
Technical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
CVSS V3 Severity and Metrics
General Information
Vendors
- oracle
Products
- coherence 12.1.3.0.0,
- coherence 12.2.1.3.0,
- coherence 12.2.1.4.0,
- coherence 3.7.1.0,
- commerce platform,
- commerce platform 11.0.0,
- commerce platform 11.1.0,
- commerce platform 11.2.0,
- communications diameter signaling router,
- healthcare data repository 7.0.1,
- rapid planning 12.1,
- rapid planning 12.2,
- retail assortment planning 15.0,
- retail assortment planning 16.0,
- utilities framework,
- utilities framework 4.2.0.2.0,
- utilities framework 4.2.0.3.0,
- utilities framework 4.4.0.0.0,
- utilities framework 4.4.0.2.0,
- webcenter portal 12.2.1.3.0,
- webcenter portal 12.2.1.4.0
Metasploit Modules
References
Miscellaneous
