Description

Oracle announced a critical patch update to address a vulnerability (CVE-2020-2551) found in its WebLogic Server that affects the product's WLS Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this vulnerability by crafting a Java object to execute arbitrary Java code in the context of the WebLogic server.

Remediation

Upgrade to the latest version of Oracle WebLogic Server. This issue was fixed in Oracle Critical Patch Update - October 2020. Or disable/restrict access to IIOP protocol

References

Oracle Critical Patch Update Advisory - January 2020

Unauthenticated Remote Code Execution in IIOP protocol via Malicious JNDI Lookup

Related Vulnerabilities

XML external entity injection via File Upload

Apache Solr Deserialization of untrusted data via jmx.serviceUrl

node-serialize Insecure Deserialization

Keycloak request_uri SSRF (CVE-2020-10770)

Rails remote code execution using render :inline

Severity

High

Classification

CVE-2020-2551 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Acumonitor Code Execution