Login Sign Up

CVE-2023-21979

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via the T3 protocol to gain unauthorized access to sensitive data. It affects WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, potentially exposing critical information.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Operating Systems: All supported OS for WebLogic Server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is exploitable via the T3 protocol, which is enabled by default in WebLogic Server.

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all accessible data on the WebLogic Server, leading to data exfiltration or further attacks.

🟠

Likely Case

Unauthorized access to confidential data stored or processed by the server.

🟢

If Mitigated

Limited or no impact if network access is restricted or patches are applied.

🌐 Internet-Facing: HIGH, as unauthenticated network access via T3 can be exploited remotely.
🏢 Internal Only: MEDIUM, assuming internal network controls reduce exposure, but risk remains if T3 is accessible.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is described as easily exploitable via T3, but no public proof-of-concept has been confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle's April 2023 Critical Patch Update (CPU).

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2023.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support. 2. Apply the patch to affected WebLogic Server instances. 3. Restart the server to activate the fix.

🔧 Temporary Workarounds

Block T3 Protocol Access

all

Restrict network access to the T3 protocol to prevent exploitation.

Use firewall rules to block inbound traffic on T3 ports (default 7001). Example: iptables -A INPUT -p tcp --dport 7001 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate WebLogic Server from untrusted networks.
  • Monitor and log T3 protocol access for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check WebLogic Server version and compare with affected versions. Ensure T3 protocol is accessible.

Check Version:

On WebLogic Server, run: java weblogic.version

Verify Fix Applied:

Verify patch installation and confirm version is updated beyond affected ranges. Test T3 access to ensure it's blocked or patched.

📡 Detection & Monitoring

Log Indicators:

  • Unusual T3 protocol connections or access attempts in server logs.

Network Indicators:

  • Traffic on T3 ports (default 7001) from unauthorized sources.

SIEM Query:

Example: source="weblogic.log" AND "T3" AND ("unauthorized" OR "access")

📊 Metadata

CVE ID: CVE-2023-21979
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-306
Published: April 18, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-21979, you might also want to check these:

CVE-2025-32433 10.0

This CVE describes a critical vulnerability in Erlang/OTP's SSH server that allows unauthenticated r...

Same vulnerability type (CWE-306)
CVE-2026-23693 10.0

The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint ...

Same vulnerability type (CWE-306)
CVE-2025-58083 10.0

The General Industrial Controls Lynx+ Gateway has a critical authentication bypass vulnerability in ...

Same vulnerability type (CWE-306)