CVE-2024-21175: Unpatched Vulnerability in Oracle WebLogic Server

Attention to all Oracle WebLogic Server users! A recent high-risk vulnerability, CVE-2024-21175, has been discovered, and this post will guide you through understanding the severity, exploit details, and mitigation measures available for this issue. This vulnerability affects Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) and the supported versions 12.2.1.4. and 14.1.1... This easily exploitable flaw allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server by unauthorized creation, deletion, or modification of critical data or all accessible data.

Exploit Details

The vulnerability has been assigned a CVSS (Common Vulnerability Scoring System) 3.1 Base Score of 7.5 (out of 10), indicating a significant impact on Integrity. The CVSS Vector for this issue is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), which translates to the following attributes:

Availability: None (A:N)

This vulnerability permits an unauthenticated attacker to compromise Oracle WebLogic Server, potentially leading to unauthorized access to critical data.

Code Snippet

Although the full exploit code hasn't been released publicly, one can assume that the exploit is relatively simple given its low attack complexity, and it involves sending crafted HTTP requests (for example, using the HTTP POST method) to specific Oracle WebLogic Server endpoints.

Example (without the specific exploit details)

import requests

url = "http://<target>:<port>/vulnerable_endpoint";
data = "<crafted_request>"
headers = {"Content-Type": "application/xml"}

response = requests.post(url, data=data, headers=headers)

Take note that this is a generic example which doesn't contain the actual exploit code, as releasing such information could lead to more systems being compromised.

For more details about this vulnerability, the original references can be found at

- Oracle Critical Patch Update (CPU) Advisory: https://www.oracle.com/security-alerts/cpu.html
- CVE Details page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21175

Mitigation Measures

Oracle has released a Critical Patch Update (CPU) that addresses this vulnerability. Users are strongly advised to apply the patch as soon as possible to prevent any potential compromise of their systems. Patching instructions can be found on Oracle's site:

- Oracle's Patching Instructions: https://docs.oracle.com/en/middleware/weblogic-server-security/121/secwl/update-wls.html

Furthermore, it's recommended to use strong authentication and authorization mechanisms, restrict remote access to administrative interfaces, and deploy Web Application Firewalls (WAF) to help protect your WebLogic Server from other vulnerabilities that may be discovered in the future.

Conclusion

CVE-2024-21175 is a high-risk vulnerability that affects Oracle WebLogic Server versions 12.2.1.4. and 14.1.1... It can be exploited remotely over HTTP by an unauthenticated attacker to compromise the integrity of the targeted system. By promptly applying Oracle's Critical Patch Update (CPU) and following proper security practices, you can protect your Oracle WebLogic Server from potential attacks.

Timeline

Published on: 07/16/2024 23:15:21 UTC
Last modified on: 07/19/2024 13:35:41 UTC