cbcvebase.
CVE-2020-11854
published 2020-10-27

CVE-2020-11854: Arbitrary code execution vulnerability in Operation Bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in…

Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.23% (99.4th percentile)
Arbitrary code execution vulnerability in Operation Bridge Manager, Application Performance Management and Operations Bridge (containerized): a vulnerability in the Micro Focus products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulnerability affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63, 10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02 and 2017.11. 3.) Application Performance Management versions 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow arbitrary code execution.

Affected

46 ranges · showing 25

micro_focus / application_performance_management: 3 ranges
micro_focus / operation_bridge: 8 ranges
micro_focus / operation_bridge_manager: 12 ranges (one listed as: unspecified – 10.10)
microfocus / application_performance_management: 2 ranges

Detection & IOCs (extracted from sources)

url: /ucmdb-ui/cms/loginRequest.do
url: /ucmdb-api/connect
cookie: LWSSO_COOKIE_KEY
other: diagnostics:admin
other: CommonsBeanutils1 (ysoserial payload)
  • Detect exploitation attempts by monitoring POST requests to /ucmdb-ui/cms/loginRequest.do with username=diagnostics and password matching base64-encoded 'admin', indicating use of the hardcoded credential.
  • Detect vulnerable UCMDB instances by checking GET /ucmdb-api/connect for response body containing both 'HttpUcmdbServiceProviderFactoryImpl' and 'ServerVersion=11.6.0' with HTTP 200.
  • Presence of LWSSO_COOKIE_KEY in response headers after login to /ucmdb-ui/cms/loginRequest.do indicates successful authentication with default diagnostics credentials, a precursor to RCE chaining.
  • The exploit chains hardcoded credential abuse (CVE-2020-11854) with Java deserialization via ysoserial CommonsBeanutils1; monitor for large serialized Java object payloads sent to UCMDB HTTP endpoints post-authentication.
  • The hardcoded credential (diagnostics/admin) is the root enabler of unauthenticated RCE; this is a static credential baked into the product, not a user-configurable value.
  • The Nuclei template fingerprints specifically ServerVersion=11.6.0 in the /ucmdb-api/connect response; detections scoped to this version string may miss other vulnerable versions.
  • The Metasploit module notes the exploit 'can probably also be used' against Operations Bridge Manager (containerized) and APM, but primary testing was against OBM 2020.05 and below.
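The detection notes above describe four observable signals: a POST to the login endpoint carrying the hardcoded diagnostics credential, an LWSSO_COOKIE_KEY issued in reply to it, the /ucmdb-api/connect banner, and a large Java serialization stream sent to a UCMDB endpoint after login. The following is an added example (not code from this page, the vendor, or the cited Nuclei/Metasploit sources) that applies those checks to a constructed proxy log. It assumes a hypothetical record format (one dict per transaction with request body and response headers), treats any path under /ucmdb- as a UCMDB endpoint, uses an assumed 4 KB threshold for "large", and, following the caveat about 11.6.0, reports whatever ServerVersion the banner carries rather than matching only that string.

```python
import base64
import re
from urllib.parse import parse_qs

# Paths, credential and artefacts named in the detection notes.
LOGIN_PATH = "/ucmdb-ui/cms/loginRequest.do"
CONNECT_PATH = "/ucmdb-api/connect"
HARDCODED_USER = "diagnostics"
HARDCODED_PASS_B64 = base64.b64encode(b"admin").decode()   # "YWRtaW4="
FINGERPRINT_CLASS = b"HttpUcmdbServiceProviderFactoryImpl"
# Java serialization stream header 0xACED0005, raw and in base64 form ("rO0AB").
JAVA_SERIAL_MAGIC = (b"\xac\xed\x00\x05", b"rO0AB")
LARGE_BODY_BYTES = 4096   # assumed threshold for a "large" payload


def check_login(rec):
    """Flag a login to the UCMDB login endpoint that uses the hardcoded credential."""
    if rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
        return []
    form = parse_qs(rec["req_body"].decode("utf-8", errors="replace"))
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if user != HARDCODED_USER or password != HARDCODED_PASS_B64:
        return []
    findings = ["hardcoded_credential_login_attempt"]
    # A session cookie in the reply means the static credential was accepted.
    if "LWSSO_COOKIE_KEY" in rec["resp_headers"].get("Set-Cookie", ""):
        findings.append("hardcoded_credential_login_succeeded")
    return findings


def check_fingerprint(rec):
    """Flag an exposed UCMDB connect endpoint and report the advertised version."""
    if rec["method"] != "GET" or rec["path"] != CONNECT_PATH or rec["status"] != 200:
        return []
    body = rec["resp_body"]
    if FINGERPRINT_CLASS not in body:
        return []
    match = re.search(rb"ServerVersion=([0-9.]+)", body)
    version = match.group(1).decode() if match else "unknown"
    return ["ucmdb_exposed_version_" + version]


def check_serialized_payload(rec):
    """Flag large bodies carrying a Java serialization header sent to a UCMDB endpoint."""
    if rec["method"] != "POST" or not rec["path"].startswith("/ucmdb-"):
        return []
    body = rec["req_body"]
    if len(body) >= LARGE_BODY_BYTES and any(m in body for m in JAVA_SERIAL_MAGIC):
        return ["java_serialized_payload_to_ucmdb"]
    return []


def analyze(records):
    """Run every check over the log; return (record index, source IP, finding) tuples."""
    findings = []
    for i, rec in enumerate(records):
        for check in (check_login, check_fingerprint, check_serialized_payload):
            for name in check(rec):
                findings.append((i, rec["src"], name))
    return findings


# Constructed sample log (hypothetical format, not real traffic).
SAMPLE_LOG = [
    # 0: version probe answered with the 11.6.0 banner
    {"src": "198.51.100.7", "method": "GET", "path": CONNECT_PATH, "status": 200,
     "req_body": b"", "resp_headers": {},
     "resp_body": b"<html>HttpUcmdbServiceProviderFactoryImpl ServerVersion=11.6.0</html>"},
    # 1: login with the product's hardcoded diagnostics credential, accepted by the server
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH, "status": 200,
     "req_body": b"username=diagnostics&password=YWRtaW4=",
     "resp_headers": {"Set-Cookie": "LWSSO_COOKIE_KEY=abc123; Path=/"}, "resp_body": b""},
    # 2: oversized Java serialization stream posted to a UCMDB endpoint after login
    {"src": "198.51.100.7", "method": "POST", "path": CONNECT_PATH, "status": 200,
     "req_body": b"\xac\xed\x00\x05" + b"\x00" * 5000, "resp_headers": {}, "resp_body": b""},
    # 3: ordinary operator login with a different account: must not fire
    {"src": "192.0.2.15", "method": "POST", "path": LOGIN_PATH, "status": 200,
     "req_body": b"username=opsuser&password=c2VjcmV0",
     "resp_headers": {"Set-Cookie": "LWSSO_COOKIE_KEY=def456; Path=/"}, "resp_body": b""},
    # 4: a different build answering the probe; still reported, with its own version
    {"src": "203.0.113.9", "method": "GET", "path": CONNECT_PATH, "status": 200,
     "req_body": b"", "resp_headers": {},
     "resp_body": b"HttpUcmdbServiceProviderFactoryImpl ServerVersion=11.5.0"},
]

if __name__ == "__main__":
    for index, src, finding in analyze(SAMPLE_LOG):
        print(f"record {index} from {src}: {finding}")
```

Records 0 to 2 come from one source and together form the full chain (probe, hardcoded login, serialized payload), which is the pattern worth correlating per source IP in a real pipeline; record 3 shows that a legitimate login issuing the same cookie name is not flagged, and record 4 shows the version-agnostic banner check catching a build the 11.6.0-only fingerprint would miss.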

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 CRITICAL