cbcvebase.
CVE-2020-11853
published 2020-10-22


Priority: P1 · 81 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 76.99% (99.5th percentile)
Arbitrary code execution vulnerability affecting multiple Micro Focus products:

1. Operation Bridge Manager: versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.6x, 10.1x and older.
2. Application Performance Management: versions 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3.
3. Data Center Automation: version 2019.11.
4. Operations Bridge (containerized): versions 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11.
5. Universal CMDB: versions 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30.
6. Hybrid Cloud Management: version 2020.05.
7. Service Management Automation: versions 2020.5 and 2020.02.

The vulnerability could allow an authenticated attacker (CVSS PR:L, a low-privileged account suffices) to execute arbitrary code.

Affected

69 ranges, showing 25 (the version-range and fixed-in columns were not captured for most rows; product names are the CPE identifiers as published)

Vendor        Product                               Version range                        Fixed in
hp            universal_cmbd_foundation             13 ranges, versions not captured     (not captured)
micro_focus   application_performance_management    3 ranges, versions not captured      (not captured)
micro_focus   data_center_automation                versions not captured                (not captured)
micro_focus   hybrid_cloud_management               2018.05 – 2020.05                    (not captured)
micro_focus   operation_bridge_manager              5 ranges, versions not captured      (not captured)
micro_focus   operation_bridge_manager              unspecified – 10.63                  (not captured)
micro_focus   operations_bridge                     versions not captured                (not captured)

Detection & IOCs (extracted from sources)

url: /ucmdb-api/connect
url: /ucmdb-ui/cms/loginRequest.do;
cookie: LWSSO_COOKIE_KEY
other: HttpUcmdbServiceProviderFactoryImpl
other: ServerVersion=11.6.0
  • Detect successful authentication by monitoring for 'LWSSO_COOKIE_KEY' in Set-Cookie response headers from UCMDB endpoints; it indicates a session was established and may precede RCE exploitation.
  • Detect reconnaissance/fingerprinting of vulnerable UCMDB instances by monitoring GET requests to /ucmdb-api/connect that return HTTP 200 with a body containing both 'HttpUcmdbServiceProviderFactoryImpl' and 'ServerVersion=11.6.0'.
  • The exploit chain involves two steps: (1) authentication using the hardcoded 'diagnostics'/'admin' credentials, followed by (2) Java deserialization RCE using a ysoserial CommonsBeanutils1 payload. Monitor for deserialization payloads in authenticated HTTP requests to UCMDB endpoints.
  • For the authenticated RCE variant (CVE-2020-11853), any valid low-privileged user's LWSSO_COOKIE_KEY session cookie can be used to trigger the Java deserialization. Monitor for anomalous deserialization payloads in requests from low-privileged accounts.
  • The unauthenticated RCE module targets UCMDB as included in Operations Bridge Manager 2020.05 and below, but may also work against Operations Bridge Manager (containerized) and Application Performance Management; test scope accordingly.
  • The authenticated RCE module was only tested on Operations Bridge Manager, even though the vulnerability affects multiple Micro Focus products (OBM, APM, DCA, UCMDB, HCM, SMA).
  • Both Windows and Linux installations are vulnerable to the unauthenticated deserialization exploit chain.
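The indicators above can be turned into detection logic directly. The following is an added example written for this page, not code from the advisory, from Micro Focus, or from any exploit module. It assumes HTTP transactions are available as request/response records of the shape shown (method, path, status, headers, body excerpt), as a reverse proxy or WAF log might provide; the sample traffic is constructed, and the POST endpoint used for the deserialization samples is a placeholder path under /ucmdb-api/, since the advisory does not name the vulnerable endpoint. Beyond the three string indicators, it also recognises the Java serialization stream header (0xAC 0xED 0x00 0x05, or its base64 prefix rO0AB) raw or URL-encoded, which is what a ysoserial payload looks like on the wire, and separates authenticated from unauthenticated deserialization attempts by the presence of the LWSSO cookie on the request.

```python
"""Detection rules for the CVE-2020-11853 indicators (added example, constructed data)."""
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream stream header
JAVA_SERIAL_B64 = b"rO0AB"                # base64 of that header; these 5 chars are fixed

FINGERPRINT_PATH = "/ucmdb-api/connect"
FINGERPRINT_MARKERS = ("HttpUcmdbServiceProviderFactoryImpl", "ServerVersion=11.6.0")
SESSION_COOKIE = "LWSSO_COOKIE_KEY"
UCMDB_PREFIXES = ("/ucmdb-api/", "/ucmdb-ui/")


@dataclass
class HttpTxn:
    """One request/response pair as a proxy or WAF might log it (assumed record shape)."""
    src: str
    method: str
    path: str
    status: int
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)
    req_body: bytes = b""
    resp_body: str = ""


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def is_ucmdb_fingerprint(txn):
    """GET /ucmdb-api/connect answered 200 with both markers from the IOC list in the body."""
    return (txn.method == "GET" and txn.path == FINGERPRINT_PATH and txn.status == 200
            and all(m in txn.resp_body for m in FINGERPRINT_MARKERS))


def session_established(txn):
    """The server handed out an LWSSO session cookie, i.e. a login succeeded."""
    return SESSION_COOKIE in _header(txn.resp_headers, "Set-Cookie")


def has_lwsso_session(txn):
    """The request presents an LWSSO cookie, i.e. the caller is already authenticated."""
    return SESSION_COOKIE in _header(txn.req_headers, "Cookie")


def carries_java_serialized(body):
    """True if the body holds a Java serialization stream: raw, base64, or URL-encoded."""
    decoded = unquote_to_bytes(body)  # turns %AC%ED%00%05 into the raw header bytes
    return any(JAVA_SERIAL_MAGIC in b or JAVA_SERIAL_B64 in b for b in (body, decoded))


def classify(txn):
    """Return the alert names that apply to one transaction (empty list if nothing matched)."""
    alerts = []
    if is_ucmdb_fingerprint(txn):
        alerts.append("ucmdb_fingerprint")
    if session_established(txn):
        alerts.append("lwsso_session_established")
    if txn.path.startswith(UCMDB_PREFIXES) and carries_java_serialized(txn.req_body):
        alerts.append("authenticated_java_deserialization" if has_lwsso_session(txn)
                      else "unauthenticated_java_deserialization")
    return alerts


def scan(txns):
    """Run classify() over a stream and keep only the transactions that raised an alert."""
    hits = []
    for t in txns:
        alerts = classify(t)
        if alerts:
            hits.append((t.src, t.path, alerts))
    return hits


# Constructed sample traffic (not real captures): recon, login, two payloads, one benign hit.
SAMPLE_TXNS = [
    HttpTxn("10.0.0.5", "GET", "/ucmdb-api/connect", 200,
            resp_body="HttpUcmdbServiceProviderFactoryImpl ServerVersion=11.6.0"),
    HttpTxn("10.0.0.5", "POST", "/ucmdb-ui/cms/loginRequest.do;", 200,
            req_body=b"userName=...&password=...",
            resp_headers={"Set-Cookie": "LWSSO_COOKIE_KEY=abc123; Path=/; HttpOnly"}),
    # placeholder endpoint: the advisory does not name where the object stream is read
    HttpTxn("10.0.0.5", "POST", "/ucmdb-api/placeholder", 500,
            req_headers={"Cookie": "LWSSO_COOKIE_KEY=abc123"},
            req_body=JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"),
    HttpTxn("10.0.0.9", "POST", "/ucmdb-api/placeholder", 500,
            req_body=b"payload=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA%3D%3D"),
    HttpTxn("10.0.0.7", "GET", "/ucmdb-ui/", 200, resp_body="<html>login</html>"),
]

if __name__ == "__main__":
    for src, path, alerts in scan(SAMPLE_TXNS):
        print(f"{src} {path} -> {', '.join(alerts)}")
```

One caveat for production use: the IOC list pins ServerVersion=11.6.0 because that is the build the sources observed, but other affected builds embed a different version string, so a deployed rule should match `ServerVersion=` generically and compare the captured value against the affected list rather than fire on one literal.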

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P