Login Sign Up

CVE-2022-21292

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via HTTP to access sensitive data. It affects WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, specifically in the Samples component. Successful exploitation could lead to unauthorized access to critical server data.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.2.1.4.0 and 14.1.1.0.0
Operating Systems: All platforms running affected WebLogic versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the Samples component, which may be present in default installations.

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all accessible Oracle WebLogic Server data, potentially including sensitive application data, configuration files, and credentials.

🟠

Likely Case

Unauthorized access to sensitive data stored in or accessible through the WebLogic Server, potentially leading to data breaches.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle describes this as 'easily exploitable' with network access via HTTP and no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update from January 2022 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2022.html

Restart Required: Yes

Instructions:

1. Download the appropriate Critical Patch Update from Oracle Support. 2. Apply the patch following Oracle's documentation. 3. Restart WebLogic Server instances. 4. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Remove Samples component

all

Remove or disable the vulnerable Samples component from WebLogic Server installations.

Consult Oracle documentation for removing specific components

Network access restrictions

all

Implement network-level controls to restrict HTTP access to WebLogic Server instances.

firewall rules to limit access to trusted IPs only

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to WebLogic Server instances
  • Monitor for unusual HTTP traffic patterns and access attempts to WebLogic endpoints

🔍 How to Verify

Check if Vulnerable:

Check WebLogic Server version and verify if Samples component is installed/enabled.

Check Version:

java weblogic.version

Verify Fix Applied:

Verify patch application through Oracle WebLogic Console or version check commands, and confirm Samples component is either patched or removed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to WebLogic Samples endpoints
  • Unauthorized access attempts to sensitive data paths

Network Indicators:

  • HTTP traffic to WebLogic Server on unusual ports or paths
  • Unusual data exfiltration patterns

SIEM Query:

source="weblogic" AND (uri="*samples*" OR uri="*sample*" OR status=200 AND bytes_out>threshold)

📊 Metadata

CVE ID: CVE-2022-21292
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published: January 19, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON