
National Information Security Vulnerability Sharing Platform (CNVD)

Posted by patinella at 2020-03-17

Security Notice No.: CNTA-2017-0051

Recently, an analysis of attacks that bypass the patch for the WebLogic Java deserialization vulnerability (CNVD-2015-07707, corresponding to CVE-2015-4852) has been circulating on the Internet. The vendor (Oracle) released the patch for the WebLogic Java deserialization vulnerability in November 2015. Because the patch relies on an incomplete blacklist to intercept dangerous classes, it can be bypassed, and the issue subsequently had to be fixed through two new patches.

1. Vulnerability analysis

According to the current analysis, the patch for the WebLogic Java deserialization vulnerability filters dangerous deserialization classes with a blacklist, which carries the risk of being bypassed. The exploitation methods currently circulating on the Internet were mainly obtained by reverse engineering the two new patches disclosed later. Specifically:

Analysis of the Oracle WebLogic Server remote security vulnerability (CNVD-2017-00919, CVE-2017-3248) shows that a deserialization class outside the blacklist can be used to execute an arbitrary deserialization payload over the JRMP protocol. JRMP (Java Remote Message Exchange Protocol) is a Java-specific remote messaging protocol used to locate and reference remote objects.

Analysis of CNVD-2016-02481 (CVE-2016-0638) shows that the object to be deserialized is wrapped in a weblogic.corba.utils.MarshalledObject, and the MarshalledObject is then serialized to produce the payload bytes. Because MarshalledObject is not on the WebLogic blacklist, it deserializes normally; during deserialization, its readObject deserializes the wrapped serialized object a second time, which bypasses the blacklist restriction.
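The wrapping described above lends itself to a detection check. The Python scanner below is an added example, not CNVD's or Oracle's code: it pulls class names out of every TC_CLASSDESC marker in a Java serialization stream and reports each name's nesting level, so a second stream carried inside MarshalledObject's byte[] field becomes visible where a top-level blacklist never looks. The sample streams, the class name com.example.Gadget and the simplified field layout are constructed for illustration only.

```python
import re
from typing import List, Tuple

STREAM_MAGIC = b"\xac\xed\x00\x05"  # JDK serialization magic + stream version
TC_CLASSDESC = 0x72                 # marker preceding a class descriptor name
CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Wrapper class the notice describes; its byte[] field carries a second stream.
WATCH_LIST = {"weblogic.corba.utils.MarshalledObject"}

def extract_class_names(stream: bytes) -> List[Tuple[int, str]]:
    """Return (nesting_level, class_name) for each class descriptor found.
    Level 0 is the outer stream; every further STREAM_MAGIC raises the level,
    which is how a stream embedded in a byte[] field shows up."""
    found, level, i = [], -1, 0
    while i < len(stream):
        if stream[i:i + 4] == STREAM_MAGIC:
            level += 1
            i += 4
            continue
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")   # modified-UTF8 length
            name = stream[i + 3:i + 3 + n]
            if 0 < n < 256 and len(name) == n and CLASS_NAME.match(name):
                found.append((max(level, 0), name.decode()))
                i += 3 + n
                continue
        i += 1
    return found

def blacklist_check(stream: bytes, blacklist: set) -> List[str]:
    """What a top-level-only blacklist (the 2015 patch approach) would catch."""
    return [n for lvl, n in extract_class_names(stream) if lvl == 0 and n in blacklist]

def flagged_classes(stream: bytes) -> List[Tuple[int, str]]:
    """Defensive view: watch-listed wrappers at any level, plus every class
    seen inside a nested stream, which the top-level blacklist never inspects."""
    return [(lvl, n) for lvl, n in extract_class_names(stream)
            if n in WATCH_LIST or lvl > 0]

# Constructed sample (not a real capture; field layout is simplified): an outer
# MarshalledObject descriptor whose byte[] holds a complete inner stream.
INNER = (STREAM_MAGIC + b"\x73\x72\x00\x12" + b"com.example.Gadget"
         + b"\x00" * 8 + b"\x02\x00\x00")
OUTER = (STREAM_MAGIC + b"\x73\x72\x00\x25" + b"weblogic.corba.utils.MarshalledObject"
         + b"\x00" * 8 + b"\x02\x00\x01" + b"\x75"
         + len(INNER).to_bytes(4, "big") + INNER)
```

Running `blacklist_check(OUTER, {"com.example.Gadget"})` returns an empty list because the blacklisted name only appears at nesting level 1, while `flagged_classes(OUTER)` reports both the wrapper and the hidden inner class.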

CNVD's overall rating of the above risks is "high risk".

2. Scope of the vulnerability

The vulnerability affects Oracle WebLogic Server before 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1.

3. Remediation advice

Users of the affected versions are advised to apply the latest vendor patch promptly:

Attachment: reference link:

Note: this notice draws on analysis results provided by Qiming Star, a member company of the CNVD technical team.