Full Report
CISA has ordered government agencies to secure their systems against a high-severity Oracle WebLogic Server vulnerability that was patched two years ago and is now actively exploited in attacks. [...]
Analysis Summary
# Vulnerability: Active Exploitation of Oracle WebLogic Server Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2024-21182
- **CVSS Score:** 9.8 (Critical/High Severity)
- **CWE:** Improper Input Validation / Unsafe Deserialization (Standard for WebLogic T3/IIOP flaws)
## Affected Systems
- **Products:** Oracle WebLogic Server
- **Versions:** 12.2.1.4.0 and 14.1.1.0.0
- **Configurations:** Systems with T3 or IIOP protocols enabled and accessible over the network.
## Vulnerability Description
CVE-2024-21182 is a high-severity vulnerability that allows an unauthenticated attacker with network access via the **T3** or **IIOP** protocols to compromise Oracle WebLogic Server. The flaw typically involves the way WebLogic handles data serialized through these protocols, allowing an attacker to execute unauthorized commands or gain complete access to all data accessible by the server.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV catalog).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Complete access to all Oracle WebLogic Server data).
- **Integrity:** Total (Unauthorized modification of data/system state).
- **Availability:** Total (Potential for full system takeover or service disruption).
## Remediation
### Patches
- Oracle released security patches for this vulnerability in the **July 2024 Critical Patch Update (CPU)**.
- Organizations should ensure they have updated to the latest supported patch sets for versions 12.2.1.4.0 and 14.1.1.0.0.
### Workarounds
- **Protocol Blocking:** If the T3 and IIOP protocols are not required for business operations, block them at the firewall or through WebLogic connection filters.
- **Access Control:** Restrict T3/IIOP access to only trusted internal IP addresses.
- **Decommissioning:** CISA recommends discontinuing use of the product if mitigations cannot be applied.
## Detection
- **Indicators of Compromise:** Monitor for unusual inbound traffic on ports **7001** (default WebLogic port) utilizing T3 or IIOP protocols from unknown external IPs.
- **Detection methods and tools:**
- Use Shodan or similar attack surface management tools to identify exposed WebLogic instances.
- Audit server logs for unauthorized access to critical data or unexpected system-level command executions.
## References
- **Vendor Advisory:** hxxp[://]www[.]oracle[.]com/security-alerts/cpujul2024[.]html
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-21182