CVE-2022-21371 – CVE-2022-21371 is a local file inclusion vulner... (How to Fix)

Q: What is the severity of CVE-2022-21371?

CVE-2022-21371 has a CVSS score of 7.5 (HIGH). CVE-2022-21371 is a local file inclusion vulnerability in Oracle WebLogic Server's web container that allows unauthenticated attackers with network access via HTTP to read arbitrary files on the server. This affects Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, potentially exposing sensitive configuration files, credentials, and other critical data.

📋 TL;DR

CVE-2022-21371 is a local file inclusion vulnerability in Oracle WebLogic Server's web container that allows unauthenticated attackers with network access via HTTP to read arbitrary files on the server. This affects Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, potentially exposing sensitive configuration files, credentials, and other critical data.

💻 Affected Systems

Products:

Oracle WebLogic Server

Versions: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Operating Systems: All supported platforms (Windows, Linux, Unix)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the Web Container component. All deployments using affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all accessible data on the WebLogic Server, including configuration files, credentials, application source code, and sensitive business data.

🟠

Likely Case

Unauthorized access to sensitive files like weblogic.xml, config.xml, keystores, and application configuration files containing credentials.

🟢

If Mitigated

Limited impact with proper network segmentation, file system permissions, and monitoring detecting file access attempts.

🌐 Internet-Facing: HIGH - Unauthenticated HTTP access makes internet-facing instances extremely vulnerable to automated scanning and exploitation.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists on Packet Storm Security. The vulnerability requires only HTTP access with no authentication, making exploitation trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update January 2022

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2022.html

Restart Required: Yes

Instructions:

1. Download appropriate patches from Oracle Support. 2. Apply patches according to Oracle documentation. 3. Restart WebLogic Server instances. 4. Verify patch application.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict HTTP access to WebLogic Server to trusted IP addresses only

Use firewall rules: iptables -A INPUT -p tcp --dport 7001 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP

WebLogic Network Channel Filter

all

Configure WebLogic network channels to restrict access

Configure in WebLogic Console: Environment > Servers > [server] > Protocols > Channels

🧯 If You Can't Patch

Implement strict network segmentation and firewall rules to limit access to WebLogic Server
Apply file system permissions to restrict read access to sensitive configuration files

🔍 How to Verify

Check if Vulnerable:

Check WebLogic version via console or command: java weblogic.version

Check Version:

java weblogic.version

Verify Fix Applied:

Verify patch application via Oracle OPatch utility: opatch lsinventory

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in WebLogic access logs
HTTP requests with suspicious path traversal patterns

Network Indicators:

HTTP requests containing '../' patterns or attempts to access known configuration files

SIEM Query:

source="weblogic_access.log" AND (uri="*../*" OR uri="*/config.xml*" OR uri="*/weblogic.xml*")

📊 Metadata

CVE ID: CVE-2022-21371

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-22

Published: January 19, 2022

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/165736/Oracle-WebLogic-Server-14.1.1.0.0-Local-File-Inclusion.html Exploit,Third Party Advisory,VDB Entry
https://www.oracle.com/security-alerts/cpujan2022.html Vendor Advisory
http://packetstormsecurity.com/files/165736/Oracle-WebLogic-Server-14.1.1.0.0-Local-File-Inclusion.html Exploit,Third Party Advisory,VDB Entry
https://www.oracle.com/security-alerts/cpujan2022.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-21371, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Weblogic Server by Oracle

Weblogic Server by Oracle

Weblogic Server by Oracle

Weblogic Server by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Access Control

WebLogic Network Channel Filter

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities