Problem Description:
When the server is deployed on the user’s server and system services are scanned, webLogic CVE-2018-3252 vulnerabilities are found on the server. After repeated verification and searching for a lot of information in the company, it was finally confirmed that the problem was the port. The default port for WebLogic is 7001 and the default port for the project is 7001. Then the scanning software will generally have a fixed verification method to confirm the existence of the vulnerability, for example, 3252 POC (opinion proof), is to launch a fixed address request to 7001 if successful, indicating that there is a vulnerability.
Solution process:
Because the scanner was provided by a third party, and the scan report did not specify how many lines CVE-2018-3252 was in the server’s new project, the troubleshooting process began by guessing where the problem was. 1. Since there was no useful information in the scan report, except the number of the vulnerability, I searched the data to find the vulnerability in the field and found it was the deserialization vulnerability of WebLogic.Official patch link
2. Then I want to go to the official website to download the patch to repair it (in fact, our project does not use Weblogic at all). The patch download on the official website of OralCE is also a pit, and only the oracle Support Identifier account can be downloaded. The easy way to do this is to buy the Oracle product and pay for the account (really, if you use open source Java, you have to pay for the fix to download the patch). So I thought of a trick to go to universal Taobao to see if there is such an account can rent, search taobao can help download patch services, added the merchant’s wechat asked, download a patch to 80RMB.
3. If a colleague hadn’t reminded me, I might have bought a service to download patches. My colleague said that we did not use weblogic service at all, so why did we have weblogic vulnerability? This sentence woke me up, so I wondered if it was caused by our project quoting Weblogic JAR package or something. Cve-2018-3252: CVE-2018-3252: CVE-2018-3252: CVE-2018-3252: CVE-2018-3252: CVE-2018-3252
4. Later, I came up with another solution, that if we use the same server, the code will also be scanned for vulnerabilities on the test server, so I went to the Internet to find a tool to scan WebLogic and found a Python script on Github. Since the code is open source, see how python scripts detect vulnerabilities in CVE-2018-3252.
The POC is a request sent to port 7001 of the server with account secret information. If it returns 401 or 500, it is compromised. 401 is not authenticated, indicating that the request is open, but there is no login. 500 indicates that the request for this path is also passable, but it may have incorrect parameters or internal processing exceptions. But only if 401 or 500 is detected can an attacker use this path to repeatedly attempt to attack the server. Therefore, the POC returned the expected result because the port set by our project happened to be 7001, and the interceptor was also set to return 401 if there was no login. Therefore, the vulnerability of CVE-2018-3252 was scanned when both conditions met, which was an error.
Solution:
1. Change the port number in application. Yaml of config in the back-end project from 7001 to 7003, save the Settings, exit, and restart the back-end. 2. Change 7001 in the nginx configuration mapped to the back-end server to 7003, save the exit file, and restart nginx.
Conclusion:
1. I gained a lot of new knowledge by solving this vulnerability, such as POC, CVE and other terms in the security field, and ways of scanning vulnerabilities. I also learned that Oracle would charge for repairing patches. It is found that the original scanning vulnerability is to use a set of specific ways to test the return results, if the results are in line with the expected is a vulnerability. So security tools on the web might look for vulnerabilities in the same way, but there might not be any, because the computers that might be detected have all sorts of strange combinations that the tools might mistake for vulnerabilities. If it is determined that there are no vulnerabilities but strange vulnerabilities are scanned, analyze them on a case-by-case basis and see how the POC that scans vulnerabilities is verified.
References:
Security domain name description 2. Python3 WebLogic vulnerability detection script 3. Oracle WebLogic upgrade patch 4. Public Vulnerability library 5. National Information Security Library 6. POC of CVE-2018-3252