Vulnerabilities > CVE-2018-2893 - Unspecified vulnerability in Oracle Weblogic Server

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

oracle

critical

nessus

NVD

Published: 2018-07-18

Updated: 2019-10-03

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Weblogic Server 12.1.3.0.0 Oracle Weblogic Server 12.2.1.2.0 Oracle Weblogic Server 10.3.6.0.0 Oracle Weblogic Server 12.2.1.3	4

Nessus

NASL family	Web Servers
NASL id	WEBLOGIC_CVE_2018_2893.NASL
description	The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
last seen	2020-06-01
modified	2020-06-02
plugin id	111665
published	2018-08-13
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111665
title	Oracle WebLogic Server Deserialization RCE (CVE-2018-2893)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(111665); script_version("1.6"); script_cvs_date("Date: 2019/04/05 23:25:09"); script_cve_id("CVE-2018-2893"); script_bugtraq_id(104763); script_name(english:"Oracle WebLogic Server Deserialization RCE (CVE-2018-2893)"); script_summary(english:"Sends a Java remote object to trigger the exploit."); script_set_attribute(attribute:"synopsis", value: "The remote Oracle WebLogic server is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server."); # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723"); script_set_attribute(attribute:"see_also", value:"https://github.com/anbai-inc/CVE-2018-2893"); script_set_attribute(attribute:"see_also", value:"https://github.com/Ryaninf/CVE-2018-2893"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2018 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2893"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_category(ACT_ATTACK); script_family(english:"Web Servers"); script_dependencies("weblogic_detect.nasl","t3_detect.nasl"); script_require_ports("Services/t3", 7001); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("t3.inc"); include('dump.inc'); appname = "Oracle WebLogic Server"; port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE); # Try to talk T3 to the server sock = open_sock_tcp(port); if (!sock) audit(AUDIT_SOCK_FAIL, port); # T3 handshake version = t3_connect(sock:sock, port:port); # Only 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are affected # i.e., 12.2.1.1 is not affected? if (version !~ "^10\.3\.6\." && version !~ "^12\.1\.3\." && version !~ "^12\.2\.1\.2($\|[^0-9])" && version !~ "^12\.2\.1\.3($\|[^0-9])") { audit(AUDIT_INST_VER_NOT_VULN, appname, version); } # Send ident so we can move on to login t3_send_ident_request(sock:sock, port:port); # Send our "login request" auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'; # Object to be de-serialized: auth_request += '\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63' + '\x2e\x6a\x6d\x73\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x53\x74\x72\x65' + '\x61\x6d\x4d\x65\x73\x73\x61\x67\x65\x49\x6d\x70\x6c\x6b\x88\xde' + '\x4d\x93\xcb\xd4\x5d\x0c\x00\x00\x78\x72\x00\x1f\x77\x65\x62\x6c' + '\x6f\x67\x69\x63\x2e\x6a\x6d\x73\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e' + '\x4d\x65\x73\x73\x61\x67\x65\x49\x6d\x70\x6c\x69\x12\x61\x61\xd0' + '\x4d\xf1\x42\x0c\x00\x00\x78\x70\x7a\x00\x00\x01\x25\x1e\x20\x00' + '\x00\x00\x00\x00\x00\x01\x00\x00\x01\x18\xac\xed\x00\x05\x73\x7d' + '\x00\x00\x00\x01\x00\x1a\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x72' + '\x65\x67\x69\x73\x74\x72\x79\x2e\x52\x65\x67\x69\x73\x74\x72\x79' + '\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65' + '\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc' + '\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61' + '\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f' + '\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65' + '\x72\x3b\x78\x70\x73\x72\x00\x2d\x6a\x61\x76\x61\x2e\x72\x6d\x69' + '\x2e\x73\x65\x72\x76\x65\x72\x2e\x52\x65\x6d\x6f\x74\x65\x4f\x62' + '\x6a\x65\x63\x74\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61' + '\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x02\x02\x00\x00' + '\x78\x72\x00\x1c\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72' + '\x76\x65\x72\x2e\x52\x65\x6d\x6f\x74\x65\x4f\x62\x6a\x65\x63\x74' + '\xd3\x61\xb4\x91\x0c\x61\x33\x1e\x03\x00\x00\x78\x70\x77\x32\x00' + '\x0a\x55\x6e\x69\x63\x61\x73\x74\x52\x65\x66\x00\x09\x31\x32\x37' + '\x2e\x30\x2e\x30\x2e\x31\x00\x00\xf1\x44\x00\x00\x00\x00\x46\x91' + '\x1f\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x78'; auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2e\x61\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x65\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2e\x55\x73\x65\x72\x49\x6e\x66\x6f\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff'; send_t3(sock:sock, data:auth_request); ret = recv_t3(sock:sock); close(sock); if (isnull(ret) \|\| 'StreamMessageImpl cannot be cast to weblogic' >!< ret) { audit(AUDIT_INST_VER_NOT_VULN, appname, version); } report = '\nNessus was able to exploit a Java deserialization vulnerability by' + '\nsending a crafted Java object and trigger an error message.' + '\n\nError message dump:\n\n' + hexdump(ddata:ret); security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);

NASL family	Misc.
NASL id	ORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL
description	The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	111209
published	2018-07-20
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111209
title	Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(111209); script_version("1.15"); script_cvs_date("Date: 2019/04/30 14:00:04"); script_cve_id( "CVE-2018-1275", "CVE-2018-2893", "CVE-2018-2894", "CVE-2018-2933", "CVE-2018-2935", "CVE-2018-2987", "CVE-2018-2998", "CVE-2018-7489" ); script_bugtraq_id( 103771, 103203, 104817 ); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)"); script_summary(english:"Checks for the patch."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number." ); # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2018 Oracle Critical Patch Update advisory. Refer to Oracle for any additional patch instructions or mitigation options."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1275"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Oracle WebLogic Server WLS File Upload"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); include("obj.inc"); include("spad_log_func.inc"); app_name = "Oracle WebLogic Server"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); ohome = install["Oracle Home"]; subdir = install["path"]; version = install["version"]; fix = NULL; fix_ver = NULL; spad_log(message:"checking version [" + version + "]"); # individual security patches if (version =~ "^12\.2\.1\.3($\|[^0-9])") { fix_ver = "12.2.1.3.180717"; fix = make_list("27912627"); } else if (version =~ "^12\.2\.1\.2($\|[^0-9])") { fix_ver = "12.2.1.2.180717"; fix = make_list("27741413"); } else if (version =~ "^12\.1\.3\.") { fix_ver = "12.1.3.0.180717"; fix = make_list("27919943"); } else if (version =~ "^10\.3\.6\.") { fix_ver = "10.3.6.0.180717"; fix = make_list("B47X"); # patchid is obtained from the readme and 10.3.6.x assets are different } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); spad_log(message:"checking fix [" + obj_rep(fix) + "]"); PATCHED=FALSE; # Iterate over the list of patches and check the install for the patchID foreach id (fix) { spad_log(message:"Checking fix id: [" + id +"]"); if (install[id]) { PATCHED=TRUE; break; } } VULN=FALSE; if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1) VULN=TRUE; if (PATCHED \|\| !VULN) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); os = get_kb_item_or_exit("Host/OS"); if ('windows' >< tolower(os)) { port = get_kb_item("SMB/transport"); if (!port) port = 445; } else port = 0; report = '\n Oracle Home : ' + ohome + '\n Install path : ' + subdir + '\n Version : ' + version + '\n Fixes : ' + join(sep:", ", fix); security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);

Seebug

bulletinFamily	exploit
id	SSV:97419
last seen	2018-07-19
modified	2018-07-18
published	2018-07-18
reporter	My Seebug
title	WebLogic 反序列化远程命令执行漏洞(CVE-2018-2893)

Summary

Vulnerable Configurations

Nessus

Seebug

References