PoC Releases for CVE-2024-21006: Hackers Can Take Over Oracle WebLogic Server

The technical details and proof-of-concept (PoC) code are now available for a high-severity vulnerability (CVE-2024-21006) in the Oracle WebLogic Server that allows remote attackers to compromise the Oracle WebLogic Server. With a CVSS score of 7.5, this vulnerability, if successfully exploited, could allow attackers to gain unauthorized access to sensitive data or even take full control of your Oracle WebLogic Server.

The Vulnerability Explained

The vulnerability was rooted in the T3/IIOP protocols of the Oracle WebLogic Server, allowing unauthenticated attackers to send malicious requests to extract sensitive information from the affected servers. The exploitation of these flaws could lead to unauthorized access to critical data, or, in severe cases, complete access to all accessible data on the Oracle WebLogic Server.

The affected versions include:

• WebLogic Server 12.2.1.4.0
• WebLogic Server 14.1.1.0.0

Oracle has ceased maintenance on multiple older versions of WebLogic Server, including versions 10.3.6.0, 11.1.1.9, and 12.1.3.0, increasing the risk for organizations still operating on these unsupported versions.

Technical Insights

Security researcher pwnull who has been credited for reporting this flaw, also published the technical details.

The vulnerabilities primarily involve improper handling of a client’s lookup operation in the WebLogic Server. Specifically, when a target class implementing the OpaqueReference interface is engaged, its getReferent method could trigger a Java Naming and Directory Interface (JNDI) injection. Although Oracle has implemented checks and restrictions on properties like java.naming.factory.initial and java.naming.provider.url to mitigate such risks, these measures were insufficient to prevent the identified exploits.

Additionally, if the java.naming.factory.object property is configured to an objectfactory class during the initialization of InitialContext, the getObjectInstance method of this class could also initiate a JNDI injection. Notably, the MessageDestinationObjectFactory class in WebLogic was vulnerable to this exploit.

Recently, security researcher momika233 released the PoC exploit code for CVE-2024-21006.

Security Response and Mitigation

Upon the discovery of these vulnerabilities, Oracle was quick to release patches to address the flaws. Users of affected WebLogic Server versions are urged to download and install these patches promptly to ensure comprehensive protection. The patches can be found in Oracle’s official notices, with installation instructions detailed in the accompanying readme files.

For those unable to immediately install the updates, we recommended temporary protective measures:

1. Restricting T3 Protocol Access:
   • Utilize WebLogic’s default connection filter, weblogic.security.net.ConnectionFilterImpl, to control access specifically for the T3 and T3s protocols.
2. Disabling IIOP Protocol:
   • Through the WebLogic console, navigate to Service > AdminServer > Protocol, deselect “Enable IIOP,” and restart the server to enforce this configuration change.

These interim solutions provide essential safeguards against potential exploits, but they are not substitutes for the comprehensive security enhancements offered by the official patches.