CVE-2020-2883:
Remote Code Execution vulnerability in Oracle WebLogic Server via deserialization attack
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Apr 15, 2020
- CISA KEV Date:Jan 7, 2025
- Industries Affected:20
1728 DaysThreat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Remote Code Execution vulnerability in Oracle WebLogic Server via deserialization attack
Overview
This vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The issue exists in the Core component and is exploitable through the IIOP (Internet Inter-ORB Protocol) and T3 protocols. The vulnerability has a CVSS v3.0 Base Score of 9.8 (Critical), reflecting its high impact and ease of exploitation. The root cause is improper validation of serialized data received via IIOP or T3 protocols, allowing attackers to send malicious serialized objects that can trigger code execution when deserialized by the server. No authentication is required to exploit this vulnerability, making it particularly dangerous for internet-facing WebLogic servers. Exploitation can lead to complete compromise of the WebLogic Server, potentially affecting the confidentiality, integrity, and availability of the application and its data.
Remediation
- 1. Apply the security patch from Oracle's April 2020 Critical Patch Update (CPU).
- 2. If immediate patching is not possible, implement these mitigations:
- Block T3 and IIOP protocols at the network boundary if they're not required.
- Restrict access to the WebLogic Server admin console and T3/IIOP channels to trusted networks only.
- Configure WebLogic Server to use SSL/TLS for all communications.
- Implement a Web Application Firewall (WAF) with rules to detect and block serialization attacks.
- 3. Monitor for exploitation attempts by reviewing server logs for suspicious T3 or IIOP traffic.
- 4. Perform a thorough security assessment of affected systems to ensure they haven't already been compromised.
- 5. Consider implementing a defense-in-depth approach by running WebLogic Server in a containerized or virtualized environment with limited privileges.
References
- 1. Oracle Critical Patch Update Advisory - April 2020:
- https://www.oracle.com/security-alerts/cpuapr2020.html
- 2. Zero Day Initiative Advisory ZDI-20-504:
- https://www.zerodayinitiative.com/advisories/ZDI-20-504/
- 3. Zero Day Initiative Advisory ZDI-20-570:
- https://www.zerodayinitiative.com/advisories/ZDI-20-570/
- 4. Packet Storm Security - WebLogic Server Deserialization Remote Code Execution:
- http://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html
- 5. CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Apr 14, 2020
- CISA KEV Date:Jan 7, 2025
- Days Early:1728 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
