Vulnerabilities > CVE-2018-3245 - Deserialization of Untrusted Data vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.3.0

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
oracle
CWE-502
critical
nessus
exploit available
NVD
Published: 2018-10-17
Updated: 2019-10-03

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerable Configurations

Part Description Count
Application
Oracle
3

Common Weakness Enumeration (CWE)

Exploit-Db

fileexploits/multiple/remote/46513.java
idEDB-ID:46513
last seen2019-03-07
modified2019-01-03
platformmultiple
port
published2019-01-03
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46513
titleOracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
typeremote

Nessus

NASL familyMisc.
NASL idORACLE_WEBLOGIC_SERVER_CPU_OCT_2018.NASL
descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - Vulnerabilities in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Easily exploitable vulnerabilities allow unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerabilities can result in takeover of Oracle WebLogic Server. Supported versions that are affected: - 10.3.6.0: CVE-2018-3191, CVE-2018-3245, CVE-2018-3252 - 12.1.3.0: CVE-2018-3191, CVE-2018-3197, CVE-2018-3245, CVE-2018-3252 - 12.2.1.3: CVE-2018-3191, CVE-2018-3201, CVE-2018-3245, CVE-2018-3252 - Vulnerabilities in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Easily exploitable vulnerabilities allow unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerabilities can result in unauthorized access to critical data. Supported versions that are affected: - 10.3.6.0: CVE-2018-3248, CVE-2018-3249, CVE-2018-3250 - 12.1.3.0: CVE-2018-3246 - 12.2.1.3: CVE-2018-3246 - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Docker Images). The supported version that is affected is prior to Docker 12.2.1.3.20180913. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. (CVE-2018-3213) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Console). Supported versions that are affected are 10.3.6.0 and 12.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2018-2902)
last seen2020-06-01
modified2020-06-02
plugin id118205
published2018-10-18
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/118205
titleOracle WebLogic Server Multiple Vulnerabilities (October 2018 CPU)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118205);
  script_version("1.5");
  script_cvs_date("Date: 2019/04/30 14:00:04");

  script_cve_id(
      "CVE-2018-3191",
      "CVE-2018-3197",
      "CVE-2018-3201",
      "CVE-2018-3245",
      "CVE-2018-3252",
      "CVE-2018-3246",
      "CVE-2018-3213",
      "CVE-2018-3249",
      "CVE-2018-3248",
      "CVE-2018-3250",
      "CVE-2018-2902"
  );
  script_bugtraq_id(
    105613,
    105606,
    105611,
    105628,
    105654
  );

  script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (October 2018 CPU)");
  script_summary(english:"Checks for the patch.");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities:

  - Vulnerabilities in the Oracle WebLogic Server component of Oracle 
    Fusion Middleware (subcomponent: WLS Core Components). Easily 
    exploitable vulnerabilities allow unauthenticated attacker 
    with network access via T3 to compromise Oracle WebLogic Server. 
    Successful attacks of this vulnerabilities can result in takeover 
    of Oracle WebLogic Server. Supported versions that are affected:
     - 10.3.6.0: CVE-2018-3191, CVE-2018-3245, CVE-2018-3252
     - 12.1.3.0: CVE-2018-3191, CVE-2018-3197, CVE-2018-3245, CVE-2018-3252
     - 12.2.1.3: CVE-2018-3191, CVE-2018-3201, CVE-2018-3245, CVE-2018-3252

  - Vulnerabilities in the Oracle WebLogic Server component of Oracle 
    Fusion Middleware (subcomponent: WLS - Web Services). Easily
    exploitable vulnerabilities allow unauthenticated attacker with
    network access via HTTP to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerabilities can result in
    unauthorized access to critical data. Supported versions that
    are affected:
     - 10.3.6.0: CVE-2018-3248, CVE-2018-3249, CVE-2018-3250
     - 12.1.3.0: CVE-2018-3246
     - 12.2.1.3: CVE-2018-3246

  - Vulnerability in the Oracle WebLogic Server component of Oracle
    Fusion Middleware (subcomponent: Docker Images). The supported
    version that is affected is prior to Docker 12.2.1.3.20180913.
    Easily exploitable vulnerability allows unauthenticated attacker
    with network access via T3 to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerability can result in
    unauthorized access to critical data or complete access to all
    Oracle WebLogic Server accessible data. (CVE-2018-3213)

  - Vulnerability in the Oracle WebLogic Server component of Oracle
    Fusion Middleware (subcomponent: Console). Supported versions
    that are affected are 10.3.6.0 and 12.1.3.0. Easily exploitable
    vulnerability allows low privileged attacker with network access
    via HTTP to compromise Oracle WebLogic Server. Successful attacks
    of this vulnerability can result in unauthorized read access to
    a subset of Oracle WebLogic Server accessible data.
    (CVE-2018-2902)");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?705136d8");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2018 Oracle
Critical Patch Update advisory.

Refer to Oracle for any additional patch instructions or
mitigation options.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3191");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/18");

  script_set_attribute(attribute:"agent", value:"all");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl");
  script_require_keys("installed_sw/Oracle WebLogic Server");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("obj.inc");
include("spad_log_func.inc");

app_name = "Oracle WebLogic Server";

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
ohome = install["Oracle Home"];
subdir = install["path"];
version = install["version"];

fix = NULL;
fix_ver = NULL;

spad_log(message:"checking version [" + version + "]");
# individual security patches
if (version =~ "^12\.2\.1\.3($|[^0-9])")
{
  fix_ver = "12.2.1.3.181016";
  fix = make_list("28298734");
}
else if (version =~ "^12\.1\.3\.")
{
  fix_ver = "12.1.3.0.181016";
  fix = make_list("28298916");
}
else if (version =~ "^10\.3\.6\.")
{
  fix_ver = "10.3.6.0.181016";
  fix = make_list("GENM"); # patchid is obtained from the readme and 10.3.6.x assets are different
}
else
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

spad_log(message:"checking fix [" + obj_rep(fix) + "]");
PATCHED=FALSE;

# Iterate over the list of patches and check the install for the patchID
foreach id (fix)
{
 spad_log(message:"Checking fix id: [" + id +"]");
 if (install[id])
 {
   PATCHED=TRUE;
   break;
 }
}

VULN=FALSE;
if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
  VULN=TRUE;

if (PATCHED || !VULN)
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

os = get_kb_item_or_exit("Host/OS");
if ('windows' >< tolower(os))
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;
}
else port = 0;

report =
  '\n  Oracle Home    : ' + ohome +
  '\n  Install path   : ' + subdir +
  '\n  Version        : ' + version +
  '\n  Fixes          : ' + join(sep:", ", fix);

security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/152014/oraclewls-deserializeexec.txt
idPACKETSTORM:152014
last seen2019-03-08
published2019-03-07
reporterAllyshka
sourcehttps://packetstormsecurity.com/files/152014/Oracle-Weblogic-Server-Deserialization-Remote-Command-Execution.html
titleOracle Weblogic Server Deserialization Remote Command Execution

References