Unauthenticated Remote Code Execution in IIOP protocol via Malicious JNDI Lookup.
Stroz Friedberg’s Cyber Solutions recently discovered a security vulnerability in WebLogic Server version v12.2.1.4 and below allowing for unauthenticated remote code execution. The vulnerability is present in the IIOP service that runs by default and listens on an external interface. This issue was discovered by Stefano Ciccone.
Stroz Friedberg would like to thank Oracle for working with us as part of our coordinated disclosure process.
CVE-2020-2551: Unauthenticated Remote Code Execution in IIOP protocol via Malicious JNDI Lookup
Using the WebLogic libraries, it is possible to create a payload that causes a remote IIOP server to initialize a Java object that invokes a JNDI lookup to an attacker-controlled server, leading to code execution.
Exploitation of malicious JNDI lookups can be achieved in several ways. References are provided below, including a tool that can be used to respond to JNDI lookups from vulnerable applications.
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
