Login Sign Up

CVE-2021-35617

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This critical vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via IIOP to completely compromise the server. Affected versions include 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful exploitation results in full server takeover with complete loss of confidentiality, integrity, and availability.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Coherence Container component. IIOP protocol must be enabled (default in many configurations).

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of WebLogic Server leading to data theft, system destruction, ransomware deployment, and lateral movement to other systems.

🟠

Likely Case

Remote code execution leading to web shell installation, credential harvesting, and persistence establishment.

🟢

If Mitigated

Limited impact if IIOP access is blocked at network perimeter or authentication is required.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploit with CVSS 9.8 score makes internet-facing systems immediate targets.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to any network-accessible attacker due to unauthenticated nature.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS describes as 'easily exploitable' with low attack complexity. While no public PoC exists, similar WebLogic vulnerabilities are frequently weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply October 2021 Critical Patch Update (CPU)

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download October 2021 Critical Patch Update from Oracle Support. 2. Apply patch to affected WebLogic Server instances. 3. Restart WebLogic Server and managed servers. 4. Verify patch application.

🔧 Temporary Workarounds

Disable IIOP Protocol

all

Block or disable IIOP protocol access to prevent exploitation

In WebLogic Console: Domain > Security > General > Enable IIOP: false
Network firewall: block TCP port 7001 (default IIOP) and any custom IIOP ports

Network Segmentation

all

Restrict network access to WebLogic servers

Firewall rules: Allow only trusted IPs to access WebLogic ports
Implement network ACLs to limit IIOP traffic

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to block all IIOP traffic from untrusted networks
  • Deploy web application firewall (WAF) with specific rules to detect and block IIOP-based attack patterns

🔍 How to Verify

Check if Vulnerable:

Check WebLogic version via console or command: java weblogic.version | grep 'WebLogic Server'

Check Version:

java weblogic.version

Verify Fix Applied:

Verify October 2021 CPU patch is applied: Check patch inventory or version details show post-October 2021 updates

📡 Detection & Monitoring

Log Indicators:

  • Unusual IIOP connection attempts
  • Unexpected process creation from WebLogic
  • Authentication bypass attempts in logs

Network Indicators:

  • IIOP traffic from unusual sources
  • Large IIOP payloads
  • Multiple failed IIOP connections followed by successful ones

SIEM Query:

source="weblogic.log" AND ("IIOP" OR "CORBA") AND ("error" OR "exception" OR "malformed")

📊 Metadata

CVE ID: CVE-2021-35617
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: October 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON