漏洞概述

JINRI，HANSIKEJIANQUANTUANDUIGUANZHUDAOOracle CoherenceFANXULIEHUAYUANCHENGDAIMAZHIXINGLOUDONG（CVE-2020-2555）BEIGONGKAI，CVSSPINGFENWEI9.8，GAILOUDONGYUNXUWEIJINGSHENFENYANZHENGDEGONGJIZHETONGGUOGOUZAOJINGXINGOUZAOT3WANGLUOXIEYIQINGQIUJINXINGGONGJI，KEZAIMUBIAOZHUJISHANGZHIXINGRENYIDAIMA。 CoherenceWEIOracleRONGHEYIJICAIPIAODEYIGEZHONGJIANJIAN，QIZHUYAOYONGYUTIGONGDUISHUJUDEGAOSUHUANCUNHEFANGWEN，YENEILIUXINGDEOracle WebLogicZAIWebLogic Server 12cJIYISHANGBANBENZHONGJICHENGLECoherenceKU。

风险等级

HULIANWANGYIYOUYANZHENGXINGPoCGONGKAI，GAILOUDONGDEWEIXIEHEYINGXIANGMIANDOUDAFUSHANGSHENG。

影响版本

Oracle Coherence 3.7.1.17

Oracle Coherence 12.1.3.0.0

Oracle Coherence 12.2.1.3.0

Oracle Coherence 12.2.1.4.0

漏洞详情

BENCILOUDONGGUANFANGBUDINGGENGXINLEDUILimitFilterLEItoStringFANGFAZHONGDUIextract()FANGFADEDIAOYONG，GENRUDUIYINGFANGFA

CHAZHAODAOJUBEIextract()FANGFABINGQIEKEYILIYONGDELEIReflectionExtractor，KEYITONGGUOCHUANRUCANSHUFANSHEZHIXINGMINGLING：

应对建议

1. JINKUAIGENGXINOracle GUANFANGBUDING http://support.oracle.com/rs?type=doc&id=2602410.1

2. RUZANSHIWUFASHENGJIBUDING，LINSHICHUZHICUOSHICANKAORUXIA： RUGUOQIYEZUZHIBUYILAIT3XIEYIJINXINGJVMTONGXIN，KEZANSHITONGGUOKONGZHIT3XIEYIDEFANGWENLAILINSHIZUDUANZHENDUILIYONGT3XIEYILOUDONGDEGONGJI。

JUTIJINRUWebLogicKONGZHITAI，ZAIbase_domainDEPEIZHIYEMIANZHONG，JINRUANQUANXUANXIANGKAYEMIAN，DIANJISHAIXUANQI，PEIZHISHAIXUANQI。ZAILIANJIESHAIXUANQIZHONGSHURU：weblogic.security.net.ConnectionFilterImpl

ZAILIANJIESHAIXUANQIGUIZEKUANGZHONGSHURU：

127.0.0.1 * * allow t3 t3s

0.0.0.0 * * deny t3 t3s

BAOCUNBINGZHONGQISHENGXIAO。

参考链接

http://www.oracle.com/security-alerts/cpujan2020.html