CVE-2020-2551: Unauthenticated RCE In Oracle WebLogic

Aon’s Cyber Solutions recently discovered a security vulnerability in WebLogic Server version v12.2.1.4 and below allowing for unauthenticated remote code execution. The vulnerability is present in the IIOP service that runs by default and listens on an external interface. This issue was discovered by Stefano Ciccone.

Aon would like to thank Oracle for working with us as part of our coordinated disclosure process.

Timeline:
09/26/19 – Initial disclosure to secalert_us@oracle.com
10/21/19 – Issue confirmed and reproduced by Oracle
01/14/20 – Oracle patches released
02/04/20 – Aon advisory released

Vendor Advisory:
https://www.oracle.com/security-alerts/cpujan2020.html

CVE-2020-2551: Unauthenticated Remote Code Execution in IIOP protocol via Malicious JNDI Lookup

Using the WebLogic libraries, it is possible to create a payload that causes a remote IIOP server to initialize a Java object that invokes a JNDI lookup to an attacker-controlled server, leading to code execution.

Exploitation of malicious JNDI lookups can be achieved in several ways. References are provided below, including a tool that can be used to respond to JNDI lookups from vulnerable applications.

• https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf
• https://www.veracode.com/blog/research/exploiting-jndi-injections-java
• https://github.com/AonCyberLabs/evil-ldap-service