CVE-2017-3248 - Unspecified vulnerability in Oracle Weblogic Server
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Exploit-Db
description | Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution. CVE-2017-3248. Webapps exploit for Multiple platform |
file | exploits/multiple/webapps/44998.py |
id | EDB-ID:44998 |
last seen | 2018-07-10 |
modified | 2018-07-07 |
platform | multiple |
port | |
published | 2018-07-07 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44998/ |
title | Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution |
type | webapps |
Metasploit
description | An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (sun.rmi.server.UnicastRef) to the interface to execute code on vulnerable hosts. |
id | MSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_UNICASTREF |
last seen | 2020-06-10 |
modified | 2019-04-01 |
published | 2018-12-16 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3248 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb |
title | Oracle Weblogic Server Deserialization RCE - RMI UnicastRef |
Nessus
NASL family | Misc. |
NASL id | ORACLE_WEBLOGIC_SERVER_CPU_JAN_2017.NASL |
description | The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server. |
last seen | 2020-03-18 |
modified | 2017-01-18 |
plugin id | 96610 |
published | 2017-01-18 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96610 |
title | Oracle WebLogic Server Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(96610);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13");

  script_cve_id("CVE-2017-3248");
  script_bugtraq_id(95465);
  script_xref(name:"TRA", value:"TRA-2017-07");
  script_xref(name:"ZDI", value:"ZDI-17-055");

  script_name(english:"Oracle WebLogic Server Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry.
An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.");
  # http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?89a8e429");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-07");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-055/");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2017 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3248");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_weblogic_server_installed.nbin");
  script_require_keys("installed_sw/Oracle WebLogic Server");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('install_func.inc');
include('spad_log_func.inc');

app_name = 'Oracle WebLogic Server';

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
ohome = install['Oracle Home'];
subdir = install['path'];
version = install['version'];

fix = NULL;
fix_ver = NULL;

# individual security patches
if (version =~ "^10\.3\.6\.")
{
  fix_ver = '10.3.6.0.170117';
  # SU patch IDs found on:
  # https://support.oracle.com/epmos/faces/ui/patch/PatchDetail.jspx?_afrLoop=383735510156080&parent=DOCUMENT&patchId=24667634
  fix = make_list('XIDD', 'RVBS', 'JWEB');
}
else if (version =~ "^12\.1\.3\.")
{
  fix_ver = '12.1.3.0.170117';
  fix = make_list('24904852');
}
else if (version =~ "^12\.2\.1\.0($|[^0-9])")
{
  fix_ver = '12.2.1.0.170117';
  fix = make_list('24904865');
}
else if (version =~ "^12\.2\.1\.1($|[^0-9])")
{
  fix_ver = '12.2.1.1.170117';
  fix = make_list('24907328');
}
else
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

spad_log(message:'checking fix [' + obj_rep(fix) + ']');
PATCHED=FALSE;

# Iterate over the list of patches and check the install for the patchID
foreach id (fix)
{
  spad_log(message:'Checking fix id: [' + id +']');
  if (install[id])
  {
    PATCHED=TRUE;
    break;
  }
}

VULN=FALSE;
if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
  VULN=TRUE;

if (PATCHED || !VULN)
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

os = get_kb_item('Host/OS');
if ('windows' >< tolower(os))
{
  port = get_kb_item('SMB/transport');
  if (!port) port = 445;
}
else port = 0;

report =
  '\n Oracle Home : ' + ohome +
  '\n Install path : ' + subdir +
  '\n Version : ' + version +
  '\n Fixes : ' + join(sep:', ', fix);

security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);
```
NASL family | Web Servers |
NASL id | WEBLOGIC_2017_3248.NASL |
description | The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 96803 |
published | 2017-01-26 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96803 |
title | Oracle WebLogic Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96803);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-3248");
  script_bugtraq_id(95465);
  script_xref(name:"TRA", value:"TRA-2017-07");
  script_xref(name:"ZDI", value:"ZDI-17-055");

  script_name(english:"Oracle WebLogic Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)");
  script_summary(english:"Sends a Java object to trigger an RMI Connect-Back.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle WebLogic server is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry.
An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.");
  # https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c11efb84");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-07");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-055/");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2017 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3248");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("weblogic_detect.nasl", "t3_detect.nasl");
  script_require_ports("Services/t3", 7001);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("t3.inc");

appname = "Oracle WebLogic Server";
port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);

# Try to talk T3 to the server
sock = open_sock_tcp(port);
if (!sock) audit(AUDIT_SOCK_FAIL, port);

version = t3_connect(sock:sock, port:port);

# send ident so we can move on to login
t3_send_ident_request(sock:sock, port:port);

# send our "login request"
auth_request = '[serialized T3 login request bytes]';

# this is a java.rmi.registry.Registry. Successful deserialization of this object
# could result in a connection to an external RMI registry. This object has an
# IP/port hardcoded to 127.0.0.1 and 0 so that it will never connect out.
auth_request += '[serialized java.rmi.registry.Registry object bytes]';
auth_request += '[serialized T3 request bytes, continued]';

send_t3(sock:sock, data:auth_request);

# read in the response to our bad login request
return_val = recv_t3(sock:sock);
close(sock);

if (isnull(return_val) || preg(string:return_val, pattern:'\\$Proxy[0-9]+ cannot be cast to weblogic') == FALSE)
{
  audit(AUDIT_INST_VER_NOT_VULN, appname, version);
}

report =
  '\nNessus was able to exploit a Java deserialization vulnerability by' +
  '\nsending a crafted Java object.' +
  '\n';

security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/152357/weblogic_deserialize_unicastref.rb.txt |
id | PACKETSTORM:152357 |
last seen | 2019-04-05 |
published | 2019-04-02 |
reporter | Jacob Baines |
source | https://packetstormsecurity.com/files/152357/Oracle-Weblogic-Server-Deserialization-RMI-UnicastRef-Remote-Code-Execution.html |
title | Oracle Weblogic Server Deserialization RMI UnicastRef Remote Code Execution |
data source | https://packetstormsecurity.com/files/download/148460/oraclewl12120-exec.txt |
id | PACKETSTORM:148460 |
last seen | 2018-07-11 |
published | 2018-07-09 |
reporter | bobsecq |
source | https://packetstormsecurity.com/files/148460/Oracle-WebLogic-12.1.2.0-Remote-Code-Execution.html |
title | Oracle WebLogic 12.1.2.0 Remote Code Execution |
Seebug
bulletinFamily | exploit |
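description | ### Vulnerability description Attackers are using the WebLogic deserialization vulnerability (CVE-2017-3248) and the WebLogic WLS component vulnerability (CVE-2017-10271) to launch large-scale remote attacks against enterprise servers. A large number of enterprise servers have been compromised, and the number of attacked enterprises is rising markedly, which calls for serious attention. Of the two, CVE-2017-10271 is a recent remote code execution vulnerability in the WLS component of Oracle WebLogic; it is being exploited in the wild without publicly disclosed details, and many enterprises have not yet installed the patch. The vendor released the patch for this vulnerability in October 2017. The vulnerability is fairly simple to exploit: an attacker only needs to send a carefully crafted HTTP request to gain control of the target server, so the impact is severe. Because the vulnerability is recent, many hosts still have not applied the relevant patch. After this outbreak, a sharp increase in attacks and a large number of newly compromised hosts are expected. Attackers can target both Windows and Linux hosts and remain hidden on the target for a long time. Because Oracle WebLogic is widely used, the attack surface spans every industry. The trojan used in these attacks is a typical Bitcoin-mining trojan, but attackers could use the vulnerability for other purposes. ### Affected versions * Oracle Weblogic Server 10.3.6.0 * Oracle Weblogic Server 12.2.1.2 * Oracle Weblogic Server 12.2.1.1 * Oracle Weblogic Server 12.1.3.0 |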
id | SSV:97009 |
last seen | 2018-06-26 |
modified | 2017-12-22 |
published | 2017-12-22 |
reporter | My Seebug |
source | https://www.seebug.org/vuldb/ssvid-97009 |
title | Oracle WebLogic wls-wsat RCE(CVE-2017-10271) |
References
- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
- http://www.securityfocus.com/bid/95465
- http://www.securitytracker.com/id/1037632
- https://www.tenable.com/security/research/tra-2017-07
- https://www.exploit-db.com/exploits/44998/
- http://packetstormsecurity.com/files/152357/Oracle-Weblogic-Server-Deserialization-RMI-UnicastRef-Remote-Code-Execution.html