Oracle Coherence is a key component for building highly reliable and scalable clusters, where a cluster means more than one application server participating in an operation. The main purpose of Coherence is to share an application's objects (mainly Java objects, such as the session object of a web application) and data (such as database rows, which become Java objects after object-relational mapping).
A blog post published by the Zero Day Initiative disclosed a Coherence deserialization vulnerability, CVE-2020-2555, with a CVSS score of 9.8, which makes it highly dangerous. The following content is based on that blog's analysis.
Finding the Entry Point Through the Patch
CVE-2020-2555 exists because an attacker can supply controlled parameters and cause Java methods to be called. During deserialization, a class's readObject() or readExternal() method is invoked automatically, so these two methods, and any methods reachable from within them, can be regarded as the source of a deserialization gadget.
The toString() method of the LimitFilter class was changed in the patch for CVE-2020-2555, as shown in the figure:
The patch removes every call to extract() from toString(); the importance of extract() is explained below. The change is particularly interesting because toString() is reachable from the readObject() method of several standard JRE classes (such as BadAttributeValueExpException).
As shown in the code above, a serialized instance of the BadAttributeValueExpException class can be used to call the toString() method of an arbitrary class, and therefore the toString() method of the LimitFilter class affected by this patch.
For an example of using toString() as the entry point of a gadget, see the CommonsCollections5 gadget in the ysoserial project.
Searching for the Sink Point
A sink is a Java method call with a dangerous side effect, including:
-Creating arbitrary files by calling FileOutputStream.write()
-Executing arbitrary commands by calling Runtime.exec()
-Invoking arbitrary methods by calling Method.invoke()
For this vulnerability our focus is on calls to Method.invoke(), which can call any Java method through reflection. With that in mind, we can look for every extract() method that eventually calls Method.invoke(). In the Coherence library there appears to be only one such instance inside a serializable class (one implementing the Serializable or Externalizable interface).
Inspecting the ReflectionExtractor class confirms this:
ReflectionExtractor provides a dangerous primitive: it lets an attacker call arbitrary methods, with both the method and its parameters under attacker control.
Exploiting such a bug for remote code execution usually requires several chained method calls. For example, in the popular Apache Commons Collections gadgets, attackers use ChainedTransformer to string arbitrary method calls together to achieve RCE. Similarly, the Coherence library provides a class, ChainedExtractor, that lets extract() calls be chained:
Combining the above, the following call chain finally achieves remote code execution:
If the target environment uses the Coherence library and an attacker can deliver malicious serialized objects to it, the attacker can achieve remote code execution.
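As an added example (not from the original analysis, Oracle, or the ZDI post), the following Python scans a raw byte blob such as a T3 message body for the class descriptors of the chain described above, so that a gateway or IDS can flag it before it reaches readObject(). Fully qualified class names are assumed from Coherence's public API and the JDK; the sample streams are constructed.

```python
import re
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
TC_CLASSDESC = 0x72

# Classes making up the CVE-2020-2555 chain. Package names are assumed
# from Coherence's public API and the JDK, not taken from the page.
GADGET_CLASSES = {
    "javax.management.BadAttributeValueExpException",   # readObject() -> toString()
    "com.tangosol.util.filter.LimitFilter",             # toString() -> extract()
    "com.tangosol.util.extractor.ChainedExtractor",     # chains extract() calls
    "com.tangosol.util.extractor.ReflectionExtractor",  # extract() -> Method.invoke()
}

_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def class_descriptors(stream: bytes) -> list:
    """Return class names found in TC_CLASSDESC records of a serialization stream.

    Lightweight scan: each 0x72 byte is a candidate descriptor and is accepted
    only if the following length-prefixed UTF string looks like a class name.
    """
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            candidate = stream[i + 3:i + 3 + length]
            if len(candidate) == length and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length  # skip the name so bytes inside it are not rescanned
                continue
        i += 1
    return names


def inspect_payload(stream: bytes) -> dict:
    """Classify a blob before it is handed to ObjectInputStream.readObject()."""
    if not stream.startswith(STREAM_MAGIC):
        return {"serialized": False, "gadgets": []}
    return {"serialized": True,
            "gadgets": [n for n in class_descriptors(stream) if n in GADGET_CLASSES]}


def _classdesc(name: str) -> bytes:
    """Minimal TC_CLASSDESC header, used only to build constructed sample input."""
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()

# Constructed samples: one names the chain's entry point and sink, one is benign.
SAMPLE_SUSPICIOUS = (STREAM_MAGIC + b"\x00\x05\x73"
                     + _classdesc("javax.management.BadAttributeValueExpException")
                     + b"\x00" * 8 + _classdesc("com.tangosol.util.extractor.ReflectionExtractor"))
SAMPLE_BENIGN = STREAM_MAGIC + b"\x00\x05\x73" + _classdesc("java.util.HashMap")
```

A production filter should fully parse the stream (or use a JDK ObjectInputFilter on the server side); the scan above is a cheap first-pass detector for network-level inspection.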
Since Chris Frohoff and Gabriel Lawrence's AppSecCali talk set off the so-called Java deserialization apocalypse in 2015 and 2016, researchers have been hunting for deserialization bugs that yield reliable code execution. We have seen many such bugs submitted to the program and used against SCADA applications at Pwn2Own Miami. This is one reason we paid special attention to deserialization bugs in the "Trend Micro Security Predictions 2020" report. Thanks again to Jang of VNPT ISC for submitting this bug to the program; we hope to receive more of his reports.
We reproduced the issue in a WebLogic 220.127.116.11 environment. The malicious serialized data is delivered over the T3 protocol, and the malicious code executes when the server parses it, as shown in the figure:
Affected Oracle Coherence Versions
Oracle Coherence 18.104.22.168.0
Oracle Coherence 22.214.171.124.0
Oracle Coherence 126.96.36.199.0
Oracle Coherence 188.8.131.52
Mar 6, 2020: Oracle had already released a critical patch fixing CVE-2020-2555 in Jan 2020.
Mar 6, 2020: Sangfor FarSight Labs released an article about this vulnerability.
Mar 10, 2020: Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.
Oracle has released a patch for this vulnerability; refer to the following link to install the patch update: https://www.oracle.com/security-alerts/cpujan2020.html
Control Access to the T3 Service
In the WebLogic console, select Security > Filters, then select "Filter" and enter the following:
Then enter the following in Connection Filter Rules:
127.0.0.1 * * allow t3 t3s,0.0.0.0/0 * * deny t3 t3s
Click Save and restart the server for the change to take effect.
For Sangfor NGAF customers, keep the NGAF security protection rules up to date.
Sangfor Cloud WAF has already updated its rule database in the cloud, so users are protected from this high-risk vulnerability quickly without performing any operation.
Sangfor Cyber Command can detect attacks exploiting this vulnerability and alert users. Users can integrate Cyber Command with Sangfor NGAF to block the attacker's IP address.
Sangfor SOC ensures that Sangfor security specialists are available 24/7 for any security issue. Sangfor security experts first scan the customer's network environment to confirm that the customer's hosts are free from this vulnerability; for vulnerable customers, we review and update device policies to ensure protection against it.