CPU July 2024 fix for CVE-2024-21181 and more. Why is it so important to apply these fixes to your WebLogic environment?
Hi friends,
Oracle released the Critical Patch Update of July 2024 with more than 386 new security patches across the product families. Here I'll try to demonstrate how a T3/IIOP vulnerability could be disastrous in your WebLogic environment, whether it is hosted in the cloud or on premises.
First, a little bit of WebLogic T3/IIOP protocol history:
The WebLogic T3 protocol was developed by BEA Systems and is now owned by Oracle. It is used for communication between WebLogic Server instances and clients, including internal server-to-server communication.
Common vulnerabilities include deserialization attacks, which can lead to remote code execution, and improper authentication or authorization, potentially allowing unauthorized access to sensitive functions.
In the scenario described here I show you how an intruder with network access can exploit a WebLogic environment and reach all of its features (including security realms, database data, streaming content, etc.).
This is WebLogic Server 12.2.1.4 without patches, just the default installation. It's only necessary to know the console URL:
We'll use a python script to exploit this vulnerability:
After the script executes, a reverse shell is created. At this point the intruder can execute any command on the WebLogic host at OS level. Example:
It's possible to decrypt passwords, access database connections, log files etc.
This demo shows the importance of having a good patching policy for your WebLogic environments. Some applications use additional ports to communicate with legacy systems over T3/IIOP. Pay attention to identifying and monitoring these ports.
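As an added example (not part of the original post), a small Python audit that reads a domain's config.xml, lists every listen port that can accept T3/IIOP (the default channel plus any custom network channel with a t3/t3s/iiop/iiops protocol), and checks whether a connection filter denies t3 from any source. The element names follow the WebLogic domain schema as I understand it, and the sample config.xml is constructed for the demo.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}  # config.xml namespace
REMOTE_PROTOS = {"t3", "t3s", "iiop", "iiops"}          # RMI-over-T3/IIOP paths
# Constructed sample config.xml (not a real domain): an admin server, plus a
# managed server with a custom t3 channel for a legacy integration.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
    <connection-filter-rule>10.0.0.0/8 * * allow t3 t3s</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s</connection-filter-rule>
  </security-configuration>
  <server><name>AdminServer</name><listen-port>7001</listen-port></server>
  <server>
    <name>legacy_ms1</name><listen-port>8001</listen-port>
    <network-access-point>
      <name>LegacyT3</name><protocol>t3</protocol><listen-port>9101</listen-port>
    </network-access-point>
    <network-access-point>
      <name>Web</name><protocol>http</protocol><listen-port>9102</listen-port>
    </network-access-point>
  </server>
</domain>"""


def t3_ports(config_xml: str) -> dict:
    """Map server name -> [(port, channel, protocol)] for each listen port
    that accepts T3/IIOP according to config.xml."""
    root = ET.fromstring(config_xml)
    out = {}
    for srv in root.findall("d:server", NS):
        # The default channel speaks every protocol, T3 and IIOP included.
        port = int(srv.findtext("d:listen-port", default="7001", namespaces=NS))
        ports = [(port, "Default", "all")]
        for nap in srv.findall("d:network-access-point", NS):
            proto = nap.findtext("d:protocol", default="t3", namespaces=NS)
            if proto in REMOTE_PROTOS:  # custom channel exposing T3/IIOP
                ports.append((int(nap.findtext("d:listen-port", namespaces=NS)),
                              nap.findtext("d:name", namespaces=NS), proto))
        out[srv.findtext("d:name", namespaces=NS)] = ports
    return out


def t3_denied_from_anywhere(config_xml: str) -> bool:
    """True if a connection-filter rule denies t3 from 0.0.0.0/0 (heuristic:
    WebLogic evaluates rules in order and the first match wins)."""
    root = ET.fromstring(config_xml)
    rules = root.findall("d:security-configuration/d:connection-filter-rule", NS)
    return any(r.text.split()[0] == "0.0.0.0/0" and r.text.split()[3] == "deny"
               and "t3" in r.text.split()[4:] for r in rules)
```

Run it against each domain's config.xml to build the inventory of T3/IIOP ports that must be covered by patching and network monitoring.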
See ya!
Rogerio Cruz is a Fusion Middleware Specialist with a postgraduate degree in Cybersecurity and Business Digital Protection. He has more than 25 years of experience in Information Technology, including Fusion Middleware security architecture, cloud security and vulnerability management.
Hong Kong Exchanges - Chief Financial Officer
5 months
I read your article and found a problem: for CVE-2020-14882 the supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, and an existing version is duplicated with CVE-2024-21181. Then should the POC I used be CVE-2024-21181 or CVE-2020-14882? Looking forward to your answer.
Freelance Information Technology (IAM, Cloud, Middleware, Cyber Security) Consultant
8 months
Great advice!