CVE-2020-2551: Critical unauthenticated remote code execution vulnerability in Oracle WebLogic Server via the IIOP protocol.


Description

CVE-2020-2551 is a critical vulnerability in Oracle WebLogic Server that allows unauthenticated remote attackers with network access to compromise the server via the IIOP (Internet Inter-ORB Protocol) interface. This vulnerability affects multiple versions of WebLogic Server and can result in complete takeover of the affected system. The vulnerability has a CVSS v3.0 base score of 9.8 (Critical), indicating its high severity and potential impact on confidentiality, integrity, and availability.

Overview

This vulnerability exists in the WLS Core Components of Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The issue is related to the IIOP protocol implementation, which allows an unauthenticated attacker to execute arbitrary code on the affected server. IIOP is a protocol that enables communication between distributed objects in different applications, and it's commonly used in enterprise Java environments. The vulnerability is particularly dangerous because it:

  1. Requires no authentication
  2. Can be exploited over the network
  3. Has low complexity (easy to exploit)
  4. Requires no user interaction
  5. Can lead to complete system compromise

When successfully exploited, an attacker can gain full control over the WebLogic Server, potentially accessing sensitive data, modifying system configurations, or using the compromised server as a foothold for further attacks within the network.

Remediation

To address this vulnerability, organizations should take the following actions:

  1. Apply the security patches provided in Oracle's January 2020 Critical Patch Update (CPU):

    • Update to the latest patched versions of WebLogic Server for your respective version
    • Follow Oracle's official patching instructions for your specific environment
  2. If patching is not immediately possible, implement these mitigations:

    • Disable IIOP on every server that does not need it (in the Administration Console, open the server's Protocols > IIOP settings and clear "Enable IIOP"), then restart the server so the change takes effect; this removes the vulnerable listener and is the most direct mitigation
    • Restrict network access to the server listen port (7001/TCP by default). WebLogic multiplexes IIOP, T3 and HTTP on that one listen port, so blocking it also cuts off the console and T3 clients; where IIOP must stay reachable, bind it to a dedicated network channel and firewall that channel to the specific clients that need it
    • Implement network segmentation to restrict access to WebLogic Server instances
    • Do not rely on a web application firewall for this issue: IIOP is a binary CORBA/GIOP protocol, not HTTP, so a WAF that inspects HTTP requests never sees the exploit traffic; filtering has to happen at the network layer
  3. After patching:

    • Conduct a thorough security review to identify any signs of compromise
    • Restart all WebLogic Server instances to ensure patches are fully applied
    • Test applications to ensure functionality is maintained after patching
  4. Long-term security measures:

    • Implement the principle of least privilege for all WebLogic Server deployments
    • Regularly review and update security configurations
    • Monitor for unusual network traffic or system behavior
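The following script is an added example, not code from Oracle or from Armis, for checking the outcome of the mitigations above: it connects to a WebLogic listen port, sends a minimal GIOP 1.0 LocateRequest for a bogus object key, and reports whether the peer answers with a GIOP-framed message. The target host and port, the object key "probe", and the sample reply bytes are constructed for the example; the interpretation that any GIOP-framed reply (LocateReply, MessageError or otherwise) means an IIOP listener is still exposed on that port is an assumption of the example, not a statement from the advisory.

```python
"""Probe a WebLogic listen port for an exposed IIOP (GIOP) listener.

Added example for verifying the CVE-2020-2551 mitigations (IIOP disabled or
port filtered). It does not exploit anything: it only checks whether the port
speaks GIOP, the framing protocol underneath IIOP.
"""
import socket
import struct
from typing import Optional, Tuple

GIOP_MAGIC = b"GIOP"
GIOP_HEADER_LEN = 12
# GIOP message types, from the CORBA GIOP specification.
MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}
LOCATE_STATUS = {0: "UNKNOWN_OBJECT", 1: "OBJECT_HERE", 2: "OBJECT_FORWARD"}

# Constructed sample reply (not captured from a real server): a big-endian
# GIOP 1.0 LocateReply with request_id 1 and locate_status UNKNOWN_OBJECT.
SAMPLE_LOCATE_REPLY = (GIOP_MAGIC + bytes([1, 0, 0, 4]) + struct.pack(">I", 8)
                       + struct.pack(">II", 1, 0))


def build_locate_request(request_id: int, object_key: bytes) -> bytes:
    """Encode a big-endian GIOP 1.0 LocateRequest (12-byte header + body)."""
    # Body: request_id (ulong) followed by object_key as a CDR sequence<octet>.
    body = struct.pack(">I", request_id) + struct.pack(">I", len(object_key)) + object_key
    # Header: magic, version 1.0, byte_order 0 (big-endian), type 3, body length.
    header = GIOP_MAGIC + bytes([1, 0, 0, 3]) + struct.pack(">I", len(body))
    return header + body


def parse_giop_header(data: bytes) -> Optional[dict]:
    """Return the decoded GIOP header, or None if data is not GIOP-framed."""
    if len(data) < GIOP_HEADER_LEN or data[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, msg_type = data[4:8]
    little_endian = bool(flags & 0x01)  # GIOP 1.1+ flags byte; 0 in 1.0
    size = struct.unpack("<I" if little_endian else ">I", data[8:12])[0]
    return {"version": (major, minor), "little_endian": little_endian,
            "type": MSG_TYPES.get(msg_type, f"unknown({msg_type})"), "size": size}


def parse_locate_reply(data: bytes) -> Optional[Tuple[int, str]]:
    """Decode (request_id, locate_status) from a LocateReply, else None."""
    hdr = parse_giop_header(data)
    if hdr is None or hdr["type"] != "LocateReply" or len(data) < GIOP_HEADER_LEN + 8:
        return None
    fmt = "<II" if hdr["little_endian"] else ">II"
    req_id, status = struct.unpack(fmt, data[12:20])
    return req_id, LOCATE_STATUS.get(status, f"unknown({status})")


def iiop_exposed(host: str, port: int = 7001, timeout: float = 5.0) -> bool:
    """Send the probe and return True if the reply carries GIOP framing."""
    probe = build_locate_request(request_id=1, object_key=b"probe")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(probe)
            reply = sock.recv(4096)
    except OSError:
        return False  # filtered or refused: nothing reachable on this port
    return parse_giop_header(reply) is not None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("IIOP listener detected" if iiop_exposed(target) else "no GIOP reply")
```

Run it as `python3 iiop_probe.py <host>` from a network position that represents an untrusted client. A GIOP reply tells you the IIOP surface is still reachable from there; it says nothing about patch level, since the January 2020 fix leaves IIOP enabled. Confirm the patch itself with the inventory your patch tool reports (for example `opatch lsinventory` on the Oracle home).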

References

  1. Oracle Critical Patch Update Advisory - January 2020: https://www.oracle.com/security-alerts/cpujan2020.html

  2. CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Base Score: 9.8)

  3. Affected Oracle WebLogic Server versions:

    • 10.3.6.0.0
    • 12.1.3.0.0
    • 12.2.1.3.0
    • 12.2.1.4.0
  4. Component: WLS Core Components (IIOP protocol implementation)

Early Warning

Armis Early Warning customers received an advance alert on this vulnerability.

Armis Alert Date: Oct 29, 2020
CISA KEV Date: Nov 16, 2023
1113 days early

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Transportation & Warehousing
  3. Health Care & Social Assistance
  4. Public Administration
  5. Arts, Entertainment & Recreation
  6. Educational Services
  7. Finance and Insurance
  8. Management of Companies & Enterprises
  9. Professional, Scientific, & Technical Services
  10. Utilities
  11. Retail Trade
  12. Wholesale Trade
  13. Accommodation & Food Services
  14. Administrative, Support, Waste Management & Remediation Services
  15. Agriculture, Forestry, Fishing & Hunting
  16. Construction
  17. Information
  18. Mining
  19. Other Services (except Public Administration)
  20. Real Estate Rental & Leasing

Armis Vulnerability Intelligence Database