Oracle Business Intelligence AMF Deserialization RCE CVE-2020-2950 - Vulnerability Database

Description

Oracle Business Intelligence Enterprise Edition (OBIEE) contains a critical deserialization vulnerability in its Action Message Format (AMF) processing component. When the application deserializes untrusted AMF data without proper validation, attackers can inject malicious serialized objects that execute arbitrary code upon deserialization. This vulnerability affects unauthenticated endpoints, allowing remote attackers to compromise the system without requiring valid credentials.

Remediation

Apply the security patches provided in Oracle's Critical Patch Update (CPU) for April 2020 immediately. Follow these remediation steps:

1. Immediate Action: Review Oracle's April 2020 CPU advisory and identify the specific patch applicable to your OBIEE version
2. Apply Patches: Download and install the latest security patches from Oracle Support (My Oracle Support). Ensure you follow Oracle's patch installation guidelines for your specific deployment
3. Verify Patch Installation: After patching, verify the fix by checking the OBIEE version and reviewing system logs for any patch-related errors
4. Network Segmentation: As a defense-in-depth measure, restrict network access to OBIEE servers using firewalls and access control lists, limiting exposure to trusted networks only
5. Monitor for Exploitation: Review logs for suspicious AMF requests or unexpected DNS queries to external domains (such as .bxss.me or similar) that may indicate exploitation attempts

If immediate patching is not possible, consider temporarily disabling AMF endpoints or implementing a Web Application Firewall (WAF) rule to block suspicious AMF traffic until patches can be applied.
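Step 5 and the fallback paragraph above describe watching for suspicious AMF traffic and for out-of-band DNS callbacks; the following added example (not Invicti's or Oracle's code) flags AMF POSTs from outside trusted networks, recognised by Content-Type or by the AMF version bytes 0x0000/0x0003, and DNS lookups of .bxss.me, over constructed log records. The JSON log layout, field names and placeholder paths are assumptions for the illustration.

```python
import ipaddress
import json

# AMF packets open with a 2-byte version field: 0x0000 (AMF0) or 0x0003 (AMF3).
AMF_VERSIONS = {b"\x00\x00", b"\x00\x03"}
AMF_CONTENT_TYPE = "application/x-amf"

# Constructed sample records (one JSON object per line); paths are placeholders, not OBIEE's.
SAMPLE_HTTP_LOG = """\
{"src": "10.0.5.12", "method": "POST", "path": "/PLACEHOLDER/amf", "ctype": "application/x-amf", "body_hex": "000300000001"}
{"src": "203.0.113.7", "method": "POST", "path": "/PLACEHOLDER/amf", "ctype": "application/x-amf", "body_hex": "000300000001"}
{"src": "203.0.113.9", "method": "POST", "path": "/PLACEHOLDER/amf", "ctype": "application/octet-stream", "body_hex": "000000000001"}
{"src": "198.51.100.3", "method": "GET", "path": "/PLACEHOLDER/", "ctype": "", "body_hex": ""}
"""
# Constructed DNS resolver log: timestamp, client, "query", qname, record type.
SAMPLE_DNS_LOG = """\
2020-04-15T10:01:02Z obiee-host query a1b2c3.bxss.me. A
2020-04-15T10:01:05Z obiee-host query intranet.example.com. A
"""

def looks_like_amf(ctype: str, body_hex: str) -> bool:
    """True if the request declares AMF or its body starts with an AMF version field."""
    if ctype.lower().startswith(AMF_CONTENT_TYPE):
        return True
    return bool(body_hex) and bytes.fromhex(body_hex)[:2] in AMF_VERSIONS

def flag_amf_requests(log_text: str, trusted_nets) -> list:
    """Return (src, path) for AMF POSTs whose source lies outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if rec["method"] != "POST" or not looks_like_amf(rec["ctype"], rec["body_hex"]):
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in nets):
            hits.append((rec["src"], rec["path"]))
    return hits

def flag_dns_queries(dns_text: str, watch_suffixes=(".bxss.me",)) -> list:
    """Return (client, qname) for lookups of out-of-band callback domains such as .bxss.me."""
    hits = []
    for line in filter(str.strip, dns_text.splitlines()):
        parts = line.split()
        qname = parts[3].rstrip(".").lower()
        if any(qname.endswith(suffix) for suffix in watch_suffixes):
            hits.append((parts[1], qname))
    return hits
```

Run `flag_amf_requests(SAMPLE_HTTP_LOG, ["10.0.0.0/8"])` and `flag_dns_queries(SAMPLE_DNS_LOG)` against the samples; the byte-level check catches AMF bodies sent under a misleading Content-Type, which a header-only WAF rule would miss.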
