
[Vulnerability Advisory] CVE-2020-2551 / WebLogic IIOP Protocol Remote Code Execution

Posted at 2020-01-16

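Vulnerability description

Oracle recently released a new round of patches that fix several high-severity security vulnerabilities. One of the more serious is CVE-2020-2551. An unauthenticated attacker can carry out a remote code execution attack against a vulnerable WebLogic server over the IIOP protocol. An attacker who successfully exploits this vulnerability can take direct control of the server, so the impact is extremely high.

CVE ID

CVE-2020-2551

Threat level

High

Affected versions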

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0

Brief analysis

I first heard of the IIOP protocol from the Black Hat Europe 2019 talk "An Far Sides Of Java Remote Protocols".

It was later disclosed in China by Longofo of the Knownsec 404 Lab on Paper (paper.seebug.org).

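According to the hints, the attack is carried out through JNDI injection. Before the attack can succeed, a suitable WebLogic factory class has to be found. Because this vulnerability is sensitive, no further details are disclosed here. The figure below shows the attack demonstration.

[Image: attack demonstration]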

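Remediation

  • 1. Disable the IIOP protocol
    Log in to the console and click, in order: Environment → Servers → your server (for example AdminServer (admin)) → Protocols → uncheck the IIOP protocol box

  • 2. Because this is a JNDI injection, upgrading the JDK to the latest release of its major version is recommended

  • 3. Apply the relevant patch
    So far the patch file has been released only for version 12.2.1.4.0; Oracle will release the remaining patches at the end of this month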
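
As an added example (not part of the original advisory and not Oracle's code), this Python script audits a WebLogic domain's config.xml offline for the first mitigation above: it reports whether the domain version is in the affected list and which servers still have IIOP enabled. It assumes the `<domain-version>` and per-server `<iiop-enabled>` elements and that a missing `<iiop-enabled>` means enabled; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Affected versions exactly as listed in the advisory above.
AFFECTED = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}

# Constructed sample input, not taken from a real domain.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <domain-version>12.2.1.3.0</domain-version>
  <server><name>AdminServer</name></server>
  <server><name>ms1</name><iiop-enabled>false</iiop-enabled></server>
</domain>"""

def _local(tag):
    """Drop the XML namespace so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def _normalize(version):
    """Pad to five components, e.g. 10.3.6.0 -> 10.3.6.0.0."""
    parts = version.split(".")
    return ".".join(parts + ["0"] * (5 - len(parts)))

def audit_domain(config_xml):
    """Return (version_is_affected, {server_name: iiop_enabled})."""
    root = ET.fromstring(config_xml)
    version = _normalize(_child_text(root, "domain-version") or "")
    servers = {}
    for elem in root:
        if _local(elem.tag) != "server":
            continue
        name = _child_text(elem, "name") or "<unnamed>"
        flag = _child_text(elem, "iiop-enabled")
        # Assumption: no <iiop-enabled> element means the default (enabled).
        servers[name] = flag is None or flag.lower() != "false"
    return version in AFFECTED, servers

if __name__ == "__main__":
    affected, servers = audit_domain(SAMPLE_CONFIG)
    print("version in affected list:", affected)
    for name, enabled in sorted(servers.items()):
        print(f"{name}: IIOP {'ENABLED, disable it' if enabled else 'disabled'}")
```

The domain version does not reflect the patch level, so a match only means the patch status still has to be checked separately.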

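Timeline

[0] 2020/01/15 Oracle/NVD published the vulnerability
[1] 2020/01/16 The AsiaInfo Security Network Attack and Defense Lab analyzed and reproduced the vulnerability and published this advisory

Acknowledgements

Thanks to the following friends who researched this together late at night (in no particular order):
Qianxin Ntears
Qianxin LuFei
AlibabaCloud pyn3rd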

Reference

https://paper.seebug.org/1105/#weblogicrmi-iiop
https://nvd.nist.gov/vuln/detail/CVE-2020-2551
https://www.oracle.com/security-alerts/cpujan2020.html
