Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883) - Nessus

Critical   Plugin ID: 138074

This page contains detailed information about the Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 138074
Name: Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883)
Filename: oracle_weblogic_server_cve_2020_2883.nbin
Vulnerability Published: 2020-04-20
This Plugin Published: 2020-07-02
Last Modification Time: 2022-05-03
Plugin Version: 1.19
Plugin Type: remote
Plugin Family: Web Servers
Dependencies: t3_detect.nasl, weblogic_detect.nasl

Vulnerability Information

Severity: Critical
Vulnerability Published: 2020-04-20
Patch Published: 2020-04-20
CVE [?]: CVE-2020-2883
CPE [?]: cpe:/a:oracle:fusion_middleware, cpe:/a:oracle:weblogic_server

Synopsis

An application server installed on the remote host is affected by a remote code execution vulnerability.

Description

The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the WLS Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated remote attacker can exploit this, via a crafted serialized Java object, to execute arbitrary commands.

Solution

Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory.

Public Exploits

Target Network Port(s): 7001
Target Asset(s): Services/t3
Exploit Available: True (Metasploit Framework, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883) vulnerability:

  1. Metasploit: exploit/multi/misc/weblogic_deserialize_badattr_extcomp
    [WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp]
  2. GitHub: https://github.com/0xn0ne/weblogicScanner
    [CVE-2020-2883]
  3. GitHub: https://github.com/DaBoQuan/CVE-2020-14645
    [CVE-2020-2883]
  4. GitHub: https://github.com/FancyDoesSecurity/CVE-2020-2883
    [CVE-2020-2883]
  5. GitHub: https://github.com/FoolMitAh/WeblogicScan
    [CVE-2020-2883]
  6. GitHub: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
    [CVE-2020-2883]
  7. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2020-2883]
  8. GitHub: https://github.com/Qynklee/POC_CVE-2020-2883
    [CVE-2020-2883: POC for CVE-2020-2883]
  9. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2020-2883]
  10. GitHub: https://github.com/amcai/myscan
    [CVE-2020-2883]
  11. GitHub: https://github.com/koala2099/GitHub-Chinese-Top-Charts
    [CVE-2020-2883]
  12. GitHub: https://github.com/koutto/jok3r-pocs
    [CVE-2020-2883]
  13. GitHub: https://github.com/neilzhang1/Chinese-Charts
    [CVE-2020-2883]
  14. GitHub: https://github.com/pinkieli/GitHub-Chinese-Top-Charts
    [CVE-2020-2883]
  15. GitHub: https://github.com/qingyuanfeiniao/Chinese-Top-Charts
    [CVE-2020-2883]
  16. GitHub: https://github.com/safe6Sec/wlsEnv
    [CVE-2020-2883]
  17. GitHub: https://github.com/veo/vscan
    [CVE-2020-2883]
  18. GitHub: https://github.com/zhzyker/vulmap
    [CVE-2020-2883]
  19. GitHub: https://github.com/Al1ex/CVE-2020-2883
    [CVE-2020-2883]
  20. GitHub: https://github.com/hktalent/CVE_2020_2546
    [CVE-2020-2883: CVE-2020-2546,CVE-2020-2915 CVE-2020-2801 CVE-2020-2798 CVE-2020-2883 ...]
  21. GitHub: https://github.com/MagicZer0/Weblogic_CVE-2020-2883_POC
    [CVE-2020-2883: Proof of concept for Weblogic CVE-2020-2883]
  22. GitHub: https://github.com/Y4er/CVE-2020-2883
    [CVE-2020-2883: Weblogic coherence.jar RCE]
  23. GitHub: https://github.com/Y4er/WebLogic-Shiro-shell
    [CVE-2020-2883: WebLogic利用CVE-2020-2883打Shiro rememberMe反序列化漏洞,一键注册蚁剑filter内存shell]
  24. GitHub: https://github.com/zhzyker/exphub
    [CVE-2020-2883: Exphub[漏洞利用脚本库] ...]
  25. GitHub: https://github.com/zzwlpx/weblogicPoc
    [CVE-2020-2883: Weblogic Vuln POC EXP cve-2020-2551 cve-2020-2555 cve-2020-2883 ,。。。]
  26. GitHub: https://github.com/ZZZWD/CVE-2020-2883
    [CVE-2020-2883: 适配12.2.1.3和12.2.1.4版本]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2020-2883
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score:7.5 (High)
Impact Subscore:6.4
Exploitability Subscore:10.0
CVSS Temporal Score:6.2 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:6.2 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Base Score:9.8 (Critical)
Impact Subscore:5.9
Exploitability Subscore:3.9
CVSS Temporal Score:9.1 (Critical)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:9.1 (Critical)

Go back to menu.

Plugin Source

The oracle_weblogic_server_cve_2020_2883.nbin Nessus plugin is distributed in a propriatory binary format and its source code is protected. This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/oracle_weblogic_server_cve_2020_2883.nbin
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\oracle_weblogic_server_cve_2020_2883.nbin
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/oracle_weblogic_server_cve_2020_2883.nbin

Go back to menu.

How to Run

Here is how to run the Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Web Servers plugin family.
  6. On the right side table select Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883) plugin ID 138074.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl oracle_weblogic_server_cve_2020_2883.nbin -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a oracle_weblogic_server_cve_2020_2883.nbin -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - oracle_weblogic_server_cve_2020_2883.nbin -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state oracle_weblogic_server_cve_2020_2883.nbin -t <IP/HOST>

Go back to menu.

References

See also: Similar and related Nessus plugins:
  • 135680 - Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)
  • 64708 - Oracle Application Express (Apex) CVE-2009-0981
  • 64714 - Oracle Application Express (Apex) Unspecified Issues (pre 2.2.1)
  • 57619 - Oracle Application Server Multiple Vulnerabilities
  • 124156 - Oracle Fusion Middleware Oracle HTTP Server (Apr 2019 CPU)
  • 159947 - Oracle HTTP Server (Apr 2022 CPU)
  • 81003 - Oracle Fusion Middleware Security Service Information Disclosure (January 2015 CPU) (BEAST)
  • 81002 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2015 CPU)
  • 106299 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)
  • 156944 - Oracle HTTP Server (Jan 2022 CPU)
  • 69301 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities
  • 92542 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (July 2016 CPU)
  • 126781 - Oracle Fusion Middleware Oracle HTTP Server (Jul 2019 CPU)
  • 17731 - Oracle HTTP Server (October 2006 CPU)
  • 86569 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2015 CPU)
  • 124090 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2018 CPU)
  • 142212 - Oracle Fusion Middleware Oracle HTTP Server (Oct 2020 CPU)
  • 154340 - Oracle HTTP Server (Oct 2021 CPU)
  • 138509 - Oracle WebLogic IIOP JNDI Lookup RCE Direct Check
  • 124462 - Oracle WebLogic Server 10.3.6.0 / 12.1.3.0 / 12.2.1.3 Java Object Deserialization RCE (CVE-2018-3191)
  • 125265 - Oracle WebLogic Server Java Object Deserialization RCE (CVE-2018-3245)
  • 142594 - Oracle WebLogic Server RCE (CVE-2020-14882)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file oracle_weblogic_server_cve_2020_2883.nbin version 1.19. For more plugins, visit the Nessus Plugin Library.

Go back to menu.