CVE-2022-21441

7.5 HIGH

📋 TL;DR

CVE-2022-21441 is a denial-of-service vulnerability in the Core component of Oracle WebLogic Server, fixed in the Oracle Critical Patch Update of April 2022. An unauthenticated attacker with network access to the server's T3 or IIOP protocol can cause a hang or a frequently repeatable crash (complete DoS). Affected versions are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): availability impact only, with no confidentiality or integrity impact.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires reaching the T3 or IIOP protocol on a WebLogic listen port. A server whose T3/IIOP access is denied by a WebLogic connection filter, or that receives only HTTP(S) through a reverse proxy, is not reachable over this attack path, but it is still unpatched.

📦 What is this software?

Oracle WebLogic Server is Oracle's Java EE application server, used to host enterprise Java applications and as the foundation of Oracle Fusion Middleware. T3 is WebLogic's proprietary RMI transport, used by Java clients, WLST and the servers of a domain to talk to each other; IIOP is the CORBA-standard alternative. By default both are served on the same listen port as HTTP (7001 plain; 7002 for the SSL variants t3s/iiops/https when the SSL listen port is enabled), which is why they cannot be blocked simply by port number without also blocking HTTP.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service with WebLogic Server becoming unresponsive, requiring manual restart and causing extended service disruption.

🟠

Likely Case

Server crashes or hangs requiring restart, causing temporary service unavailability.

🟢

If Mitigated

No impact if T3/IIOP protocols are blocked or if the server is patched.

🌐 Internet-Facing: HIGH - Unauthenticated network access via T3/IIOP makes internet-facing servers particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal servers are still vulnerable but require network access to T3/IIOP ports.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle's advisory text describes this as an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3/IIOP to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server. No credentials, user interaction or prior foothold are needed; the only precondition is TCP reachability of a port that speaks T3 or IIOP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update Advisory - April 2022

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html

Restart Required: Yes

Instructions:

  1. Download the WebLogic Server Patch Set Update (PSU) for your release (12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0) from My Oracle Support, as referenced in the April 2022 CPU advisory. WebLogic fixes ship as OPatch patches, not as a new version number.
  2. Stop all servers of the domain and apply the patch with OPatch from the Oracle home (`$ORACLE_HOME/OPatch/opatch apply`, run inside the unzipped patch directory), following the README shipped with the patch.
  3. Restart the Admin Server and every Managed Server in the domain; OPatch updates the Oracle home on disk, not running JVMs.
  4. Verify with `$ORACLE_HOME/OPatch/opatch lsinventory` that the PSU is listed. The base version printed by `java weblogic.version` stays the same after patching.

🔧 Temporary Workarounds

Block T3/IIOP Protocols

linux

Restrict network access to the ports that speak T3/IIOP. By default WebLogic multiplexes HTTP, T3 and IIOP on the single plain listen port (7001) and HTTPS, T3S and IIOPS on the SSL listen port (7002, when enabled), so a port-level firewall rule also cuts off HTTP traffic to that port. Use this form only where T3/IIOP have a dedicated network channel, or where all legitimate HTTP traffic arrives from a known reverse proxy or client range that you allow first:

iptables -I INPUT 1 -p tcp --dport 7001 -j DROP
iptables -I INPUT 1 -p tcp --dport 7002 -j DROP
iptables -I INPUT 1 -p tcp --dport 7001 -s 10.0.0.0/8 -j ACCEPT   # trusted clients/proxy (example range)

Inserting with -I at position 1 keeps the rules ahead of any general ACCEPT already in the INPUT chain (the final rule ends up on top); rules added this way must also be persisted or they vanish on reboot.

Restrict T3/IIOP with a Connection Filter

all

T3 cannot simply be switched off on the default channel; the supported way to cut off T3/IIOP without losing HTTP is WebLogic's connection filter. In the Admin Console under Domain > Security > Filter, set the Connection Filter class to weblogic.security.net.ConnectionFilterImpl and add Connection Filter Rules, which are evaluated in order and have the form target localAddress localPort action protocols, for example:

10.0.0.0/8 * * allow t3 t3s iiop iiops
0.0.0.0/0 * * deny t3 t3s iiop iiops

The deny rule leaves HTTP/HTTPS untouched. IIOP can additionally be disabled per server (IIOP Enabled in the console, ServerMBean attribute IIOPEnabled) if no CORBA clients use it. Activate the change, restart the servers, and confirm from an untrusted address that a T3 hello no longer gets a HELO response.

🧯 If You Can't Patch

  • Implement network segmentation so that only admin hosts and Java clients that genuinely use T3/IIOP can reach the WebLogic listen ports; internet traffic should enter only through an HTTP reverse proxy or load balancer, which never forwards T3/IIOP
  • A Web Application Firewall does not help here: it inspects HTTP, while this attack arrives as T3/IIOP on the same listen port. Rate-limiting new TCP connections to the port at the network firewall slows down repetition of the attack but does not stop it

🔍 How to Verify

Check if Vulnerable:

A server is vulnerable if its base version is 12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0 and the April 2022 (or a later cumulative) WebLogic PSU is not installed. The version alone is not enough, because PSUs do not change the base version string.

Check Version:

. $WL_HOME/server/bin/setWLSEnv.sh
java weblogic.version

(setWLSEnv.sh puts weblogic.jar on the classpath; without it the command fails with a class-not-found error.)

Verify Fix Applied:

$ORACLE_HOME/OPatch/opatch lsinventory

Look for the WebLogic Server PSU from the April 2022 CPU, or any later cumulative PSU that supersedes it, in the list of applied patches. Then confirm that every server in the domain was restarted after patching, since OPatch updates the Oracle home, not running JVMs.
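To confirm the connection-filter or firewall workaround from an untrusted address, and to read the version string T3 exposes, the following probe is an added example (not code from the advisory page or from Oracle). It assumes a target host and port given on the command line, the T3 hello and HELO response format as commonly observed on WebLogic 12c/14c listeners, and that the sample replies in its docstring are constructed.

```python
#!/usr/bin/env python3
"""T3 reachability probe (added example; not Oracle code).

It sends the plaintext hello that every T3 client opens with and classifies
the answer. A patched server still replies "HELO:<version>..." on 7001, so
this does not tell you whether the PSU is installed; it tells you whether
T3 is reachable from *this* vantage point, which is exactly what the
connection-filter / firewall workaround is supposed to change, and it
reports the version string T3 leaks. Hosts, ports and sample replies are
assumptions for the demo.
"""
import socket
import sys

# T3 client hello: protocol tag and client version, then the AS/HL headers.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"
AFFECTED_VERSIONS = {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}


def parse_t3_response(data: bytes) -> dict:
    """Classify the bytes a listener returned in answer to T3_HELLO.

    status "t3"     -> WebLogic answered HELO: T3 is reachable from here
    status "closed" -> peer closed the connection with no HELO, which is what
                       a connection-filter deny rule (or a non-WebLogic
                       listener) looks like
    status "other"  -> something else answered (e.g. an HTTP error page)
    """
    if not data:
        return {"status": "closed", "version": None}
    if data.startswith(b"HELO:"):
        first = data.split(b"\n", 1)[0][len(b"HELO:"):].decode("ascii", "replace")
        # Observed form: HELO:12.2.1.4.0.false -> version "12.2.1.4.0", trailing flag
        version, sep, _flag = first.rpartition(".")
        return {"status": "t3", "version": version if sep else first}
    return {"status": "other", "version": None}


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Connect, send the T3 hello and classify the reply.

    "refused" and "timeout" are network-layer outcomes (iptables REJECT and
    DROP respectively) that happen before any T3 exchange.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HELLO)
            data = sock.recv(1024)
    except ConnectionRefusedError:
        return {"status": "refused", "version": None}
    except socket.timeout:
        return {"status": "timeout", "version": None}
    except OSError as exc:
        return {"status": "error", "version": None, "detail": str(exc)}
    return parse_t3_response(data)


def is_affected_version(version) -> bool:
    """True if the base version is in the advisory's list. The base version does
    not change when the PSU is applied, so True means 'check OPatch', not
    'definitely unpatched'."""
    return version in AFFECTED_VERSIONS


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    result = probe_t3(target, port)
    if result["status"] == "t3":
        print(f"T3 reachable on {target}:{port}, server reports {result['version']}; "
              "workaround NOT effective from this host")
        if is_affected_version(result["version"]):
            print("base version is in the affected range: confirm the PSU with opatch lsinventory")
    else:
        print(f"no T3 handshake from {target}:{port} ({result['status']})")
```

Run it twice: from a host inside the allowed range (expect status t3, so legitimate clients still work) and from one outside (expect closed, refused or timeout). A HELO answer obtained from an internet-facing address means the workaround is not in effect there.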

📡 Detection & Monitoring

Log Indicators:

  • WebLogic server log (DOMAIN_HOME/servers/<server>/logs/<server>.log): BEA-000337 stuck ExecuteThread warnings, java.lang.OutOfMemoryError entries, or an unexpected server state change or restart shortly after a burst of T3/IIOP connections
  • The HTTP access log is not useful on its own: T3/IIOP traffic never appears in it, so a hang with no matching HTTP activity is itself a hint that the trigger came over another protocol

Network Indicators:

  • Connections to the listen port (7001/7002 by default) from untrusted sources whose first bytes are a T3 hello ("t3 <version>\nAS:...\nHL:...") or a GIOP (IIOP) message rather than an HTTP request line
  • Multiple rapid connections to the listen port from one source immediately before a stuck-thread warning or a crash

SIEM Query:

(dest_port=7001 OR dest_port=7002) AND NOT src_ip IN (<trusted admin/client ranges>) AND (app_protocol IN ("t3","iiop") OR event_type=connection_attempt)

Filter on the destination port (the WebLogic listen port), not the source port, and keep the parentheses so the port test is not bound only to the first clause. Field names depend on your SIEM schema.
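The indicators above as detection logic, added here as an example (not from the advisory page or from Oracle): it runs over constructed flow records and constructed WebLogic server-log lines, treating 10.0.0.0/8 as the trusted client range and 7001/7002 as the listen ports; the ranges, ports, log lines and thresholds are all assumptions for the demo.

```python
#!/usr/bin/env python3
"""Detection logic for CVE-2022-21441 exposure, run over constructed sample
data (added example; not from the advisory page or Oracle).

Two signals are combined:
  1. network: connections to a WebLogic listen port whose first bytes are a
     T3 hello ("t3 ...") or a GIOP/IIOP message, from outside the trusted
     client ranges. Plain HTTP on the same port is ignored, since 7001
     carries HTTP as well as T3/IIOP.
  2. host: WebLogic server-log lines with BEA-000337 (stuck ExecuteThread)
     or OutOfMemoryError in the minutes after such connections.
Trusted ranges, ports and every log line below are assumptions for the demo.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed admin/client range
WLS_PORTS = {7001, 7002}                               # default plain / SSL listen ports

# Constructed flow records: (ISO timestamp, source IP, destination port,
# first payload bytes as a flow sensor that exports them would show).
CONN_LOG = [
    ("2022-04-20T10:00:01", "10.1.2.3",     7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),
    ("2022-04-20T10:00:05", "203.0.113.7",  7001, b"GET /console/ HTTP/1.1\r\nHost: wls\r\n"),
    ("2022-04-20T10:00:06", "203.0.113.7",  7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),
    ("2022-04-20T10:00:06", "203.0.113.7",  7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),
    ("2022-04-20T10:00:07", "203.0.113.7",  7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),
    ("2022-04-20T10:00:08", "198.51.100.9", 7001, b"GIOP\x01\x02\x00\x00"),
    ("2022-04-20T10:00:09", "203.0.113.7",  8080, b"t3 12.2.1\nAS:255\nHL:19\n\n"),
]

# Constructed WebLogic server-log lines; the field layout is simplified and
# the timestamps are ISO rather than WebLogic's locale format.
SERVER_LOG = [
    "####<2022-04-20T09:59:00> <Info> <WebLogicServer> <wls1> <AdminServer> "
    "<BEA-000365> <Server state changed to RUNNING.>",
    "####<2022-04-20T10:10:30> <Error> <WebLogicServer> <wls1> <AdminServer> "
    "<BEA-000337> <[STUCK] ExecuteThread: '5' for queue: 'weblogic.kernel.Default "
    "(self-tuning)' has been busy for \"601\" seconds working on the request \"...\", "
    "which is more than the configured time (StuckThreadMaxTime) of \"600\" seconds>",
]


def classify_payload(prefix: bytes) -> str:
    """Protocol guess from the first bytes of a connection to the listen port."""
    if prefix.startswith((b"t3 ", b"t3s ")):
        return "t3"
    if prefix.startswith(b"GIOP"):
        return "iiop"
    if prefix.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}:
        return "http"
    return "other"


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_rmi_connections(conn_log):
    """(timestamp, src, proto) for T3/IIOP hellos to a WebLogic port from outside TRUSTED_NETS."""
    hits = []
    for ts, src, dport, prefix in conn_log:
        proto = classify_payload(prefix)
        if dport in WLS_PORTS and proto in ("t3", "iiop") and not is_trusted(src):
            hits.append((datetime.fromisoformat(ts), src, proto))
    return hits


def burst_sources(hits, window=timedelta(seconds=10), threshold=3):
    """Sources with at least `threshold` T3/IIOP hellos inside any `window`; maps src -> peak count."""
    by_src = defaultdict(list)
    for ts, src, _ in hits:
        by_src[src].append(ts)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts


def server_impact_events(server_log):
    """Timestamps of stuck-thread (BEA-000337) or OutOfMemoryError server-log lines."""
    events = []
    for line in server_log:
        if "BEA-000337" in line or "OutOfMemoryError" in line:
            events.append(datetime.fromisoformat(line[len("####<"):line.index(">")]))
    return events


def correlate(hits, impact_events, window=timedelta(minutes=15)):
    """Each impact event paired with the untrusted T3/IIOP sources seen in the preceding window."""
    alerts = []
    for ev in impact_events:
        srcs = sorted({src for ts, src, _ in hits if ev - window <= ts <= ev})
        if srcs:
            alerts.append((ev.isoformat(), srcs))
    return alerts


if __name__ == "__main__":
    hits = untrusted_rmi_connections(CONN_LOG)
    for ts, src, proto in hits:
        print(f"{ts.isoformat()} untrusted {proto} hello from {src}")
    print("bursting sources:", burst_sources(hits))
    print("correlated alerts:", correlate(hits, server_impact_events(SERVER_LOG)))
```

The payload classification is what makes the destination-port filter usable at all: on the sample data the HTTP request from 203.0.113.7 to port 7001 is dropped, the three T3 hellos from the same address are kept and trip the burst threshold, and the T3 hello to port 8080 is ignored because WebLogic is not listening there. The correlation step then ties the later stuck-thread warning back to the two untrusted sources.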

🔗 References

  • Oracle Critical Patch Update Advisory - April 2022: https://www.oracle.com/security-alerts/cpuapr2022.html
  • NVD entry for CVE-2022-21441: https://nvd.nist.gov/vuln/detail/CVE-2022-21441