Login Sign Up

CVE-2021-2047

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This critical vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via IIOP or T3 protocols to completely compromise the server. Affected versions include 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0, putting many Oracle Fusion Middleware deployments at risk of complete takeover.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects Core Components and requires IIOP or T3 protocol access. Default installations with these protocols enabled are vulnerable.

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, system destruction, and use as pivot point for lateral movement within the network.

🟠

Likely Case

Remote code execution leading to installation of malware, backdoors, or ransomware on the WebLogic Server.

🟢

If Mitigated

Limited impact if network segmentation blocks IIOP/T3 traffic from untrusted networks and proper authentication is enforced.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploit with CVSS 9.8 score makes internet-facing servers immediate targets.
🏢 Internal Only: HIGH - Even internally, unauthenticated network access via IIOP/T3 could allow attackers who breach perimeter to pivot and compromise servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Easily exploitable with public proof-of-concept code available. Attackers can exploit without credentials via network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update (CPU) January 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download appropriate Critical Patch Update from Oracle Support. 2. Apply patch to affected WebLogic Server installations. 3. Restart WebLogic Server instances. 4. Verify patch application via version check.

🔧 Temporary Workarounds

Block IIOP/T3 Protocols

linux

Restrict network access to IIOP (port 7001 by default) and T3 protocols from untrusted networks

iptables -A INPUT -p tcp --dport 7001 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="7001" reject'

Disable T3 Protocol

all

Configure WebLogic to disable T3 protocol if not required

In WebLogic console: Domain > Security > Filter > Enable T3 Filter
Set weblogic.security.net.ConnectionFilterImpl property

🧯 If You Can't Patch

  • Implement strict network segmentation to block IIOP/T3 traffic from untrusted sources
  • Deploy Web Application Firewall (WAF) with specific rules to detect and block exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check WebLogic version via console or command: java weblogic.version

Check Version:

java weblogic.version 2>&1 | grep -i "WebLogic Server"

Verify Fix Applied:

Verify patch application by checking version is newer than affected versions and reviewing patch logs

📡 Detection & Monitoring

Log Indicators:

  • Unusual IIOP/T3 connection attempts
  • Unexpected process execution from WebLogic
  • Authentication bypass attempts in security logs

Network Indicators:

  • IIOP/T3 traffic from unexpected sources
  • Large payloads over T3 protocol
  • Suspicious serialized object transfers

SIEM Query:

source="weblogic.log" AND ("IIOP" OR "T3") AND ("error" OR "exception" OR "malformed")

📊 Metadata

CVE ID: CVE-2021-2047
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: January 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON