
Oracle Coherence Deserialization Remote Code Execution Vulnerability

6 March 2020  Author: 瀚思科技

Vulnerability Overview

Today, the 瀚思科技 security team noted the public disclosure of a deserialization remote code execution vulnerability in Oracle Coherence (CVE-2020-2555), rated CVSS 9.8. The vulnerability allows an unauthenticated attacker to send specially crafted T3 network protocol requests and execute arbitrary code on the target host. Coherence is an Oracle Fusion middleware component used mainly to provide high-speed caching of and access to data; the widely deployed Oracle WebLogic also bundles the Coherence library in WebLogic Server 12c and later.

Risk Level

A working proof-of-concept has already been published on the Internet, so both the threat posed by this vulnerability and its scope of impact have risen sharply.

Affected Versions

Oracle Coherence 3.7.1.17

Oracle Coherence 12.1.3.0.0

Oracle Coherence 12.2.1.3.0

Oracle Coherence 12.2.1.4.0

Vulnerability Details

The official patch for this vulnerability changes the call to the extract() method inside the toString method of the LimitFilter class. Stepping into the corresponding method

leads to ReflectionExtractor, a class that has an extract() method and can be leveraged: given attacker-controlled parameters it executes commands through reflection:

Recommendations

  1. Apply the official Oracle patch as soon as possible: http://support.oracle.com/rs?type=doc&id=2602410.1

  2. If the patch cannot be applied immediately, the following temporary mitigation can be used: if the organization does not rely on the T3 protocol for JVM communication, attacks that exploit the vulnerability over T3 can be blocked for the time being by restricting access to the T3 protocol.

Specifically, log in to the WebLogic console, open the configuration page for base_domain, go to the Security tab, click Filter, and configure the filter. In the Connection Filter field enter: weblogic.security.net.ConnectionFilterImpl

In the Connection Filter Rules box enter:

127.0.0.1 * * allow t3 t3s

0.0.0.0 * * deny t3 t3s

Save and restart the server for the change to take effect.
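The two rules above only work as intended because connection filter rules are evaluated in order and the first match decides. The following Python model of that evaluation is an added example, not code from the advisory or from WebLogic; it assumes first-match semantics, that a connection matching no rule is allowed, and that the 0.0.0.0 target acts as a catch-all, which is how the advisory uses it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the two rules the advisory tells the administrator to
# enter in the Connection Filter Rules box (format: target local-address
# local-port action protocols...).
ADVISORY_RULES = """
127.0.0.1 * * allow t3 t3s
0.0.0.0 * * deny t3 t3s
"""

@dataclass
class Rule:
    target: str            # remote address, IP/prefix, "*" or catch-all 0.0.0.0
    local_addr: str        # local listen address or "*"
    local_port: str        # local listen port or "*"
    action: str            # "allow" or "deny"
    protocols: frozenset   # protocols the rule applies to (t3, t3s, http, ...)

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"malformed connection filter rule: {line!r}")
        rules.append(Rule(*parts[:4], frozenset(parts[4:])))
    return rules

def target_matches(target, remote_ip):
    # Assumption: "*" and 0.0.0.0 match every remote address, which is how the
    # advisory uses the second rule as a catch-all deny.
    if target in ("*", "0.0.0.0"):
        return True
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)

def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for one incoming connection.

    Modelled on ConnectionFilterImpl behaviour: rules are checked in order,
    the first match decides, and a connection matching no rule is allowed
    (so http traffic is untouched by the two t3/t3s rules).
    """
    for rule in rules:
        if (target_matches(rule.target, remote_ip)
                and rule.local_addr in ("*", local_addr)
                and rule.local_port in ("*", str(local_port))
                and protocol in rule.protocols):
            return rule.action
    return "allow"
```

Evaluating the advisory's rules allows loopback t3, denies t3 and t3s from any other address and leaves http alone; reversing the two rules makes the catch-all deny win for loopback as well, which is why the order must be kept.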

References

http://www.oracle.com/security-alerts/cpujan2020.html