CVE-2023-21996

7.5 HIGH (CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, availability impact only)

📋 TL;DR

This vulnerability in the Web Services component of Oracle WebLogic Server lets an unauthenticated attacker with network access over HTTP hang or repeatedly crash the server (a complete denial of service). It affects WebLogic Server 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0; every deployment of those versions that exposes the Web Services component is at risk.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Web Services component; every deployment with that component enabled is vulnerable.

📦 What is this software?

Oracle WebLogic Server is the Java EE application server in Oracle Fusion Middleware. It hosts enterprise Java applications and exposes them over HTTP/HTTPS; its Web Services component, the one affected here, implements the SOAP web service stack (JAX-WS).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of Oracle WebLogic Server, disrupting all dependent applications and services.

🟠 Likely Case

Service disruption causing application downtime and business impact.

🟢 If Mitigated

Limited impact if proper network segmentation and DoS protections are in place.

🌐 Internet-Facing: HIGH - Unauthenticated network access via HTTP makes internet-facing instances highly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle's advisory rates it 'easily exploitable' by an unauthenticated attacker with network access via HTTP; no user interaction is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update April 2023

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2023.html

Restart Required: Yes

Instructions:

1. Download the April 2023 CPU patches for your release (12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0) from Oracle Support.
2. Apply them with OPatch, following Oracle's patch deployment procedures.
3. Restart the WebLogic Server instances (Administration Server and all Managed Servers).
4. Verify patch application.

🔧 Temporary Workarounds

Network Access Control (all platforms)

Restrict HTTP access to WebLogic Server to trusted networks only

Configure firewall rules to limit inbound HTTP/HTTPS traffic

Load Balancer Protection (all platforms)

Implement rate limiting and DoS protection at load balancer

Configure rate limiting rules on load balancer/firewall

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access
  • Deploy Web Application Firewall (WAF) with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WebLogic Server version and verify if running affected versions: 12.2.1.3.0, 12.2.1.4.0, or 14.1.1.0.0

Check Version:

java weblogic.version

Verify Fix Applied:

Confirm with the Oracle OPatch utility (list the installed patches in the Oracle Home) that the April 2023 CPU patch for your release is installed, then re-run the version check: a patched install reports the Patch Set Update level alongside the base version.
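The check above as a script, added here as an illustration and not taken from Oracle or from the page: it reads the output of `java weblogic.version` (run after sourcing `$WL_HOME/server/bin/setWLSEnv.sh`), compares the base version with the three affected releases and, for an affected release, looks for the `WLS PATCH SET UPDATE <release>.<YYMMDD>` line that an applied PSU adds to that output. The minimum date stamp that carries the fix is passed as an argument because it differs per release and must be taken from the April 2023 CPU patch README (`opatch lspatches` shows what is installed); `230328` below is an assumed example value, not a value the page states. The sample outputs are constructed and the function name is this example's own.

```bash
#!/usr/bin/env bash
# Added example (not Oracle's tooling): classify a WebLogic install for
# CVE-2023-21996 from `java weblogic.version` output.
# Usage on a real host (WLS environment must be sourced first):
#   . "$WL_HOME/server/bin/setWLSEnv.sh"
#   java weblogic.version | wls_cve_2023_21996_status <min-psu-stamp>
# Exit status: 0 = not affected or patched, 1 = vulnerable, 2 = undetermined.

# Releases listed as affected in Oracle's April 2023 CPU.
AFFECTED_VERSIONS="12.2.1.3.0 12.2.1.4.0 14.1.1.0.0"

# $1: six-digit YYMMDD stamp of the oldest PSU that contains the fix for the
# release in question (assumed to come from the CPU patch README; not
# hard-coded because it differs per release). Reads `java weblogic.version`
# output on stdin.
wls_cve_2023_21996_status() {
  local required_stamp="$1" base="" psu_stamp="" line
  case "$required_stamp" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "usage: wls_cve_2023_21996_status YYMMDD" >&2; return 2 ;;
  esac
  while IFS= read -r line; do
    case "$line" in
      "WebLogic Server "*)
        # e.g. "WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621"
        base=$(printf '%s\n' "$line" | awk '{print $3}')
        ;;
      "WLS PATCH SET UPDATE "*)
        # e.g. "WLS PATCH SET UPDATE 12.2.1.4.230328" -> stamp 230328
        psu_stamp=$(printf '%s\n' "$line" | awk '{print $5}' | awk -F. '{print $NF}')
        ;;
    esac
  done
  if [ -z "$base" ]; then
    echo "unknown (no 'WebLogic Server' line on stdin)"
    return 2
  fi
  case " $AFFECTED_VERSIONS " in
    *" $base "*) ;;                                  # affected release: keep checking
    *) echo "not-affected ($base)"; return 0 ;;
  esac
  if [ -n "$psu_stamp" ] && [ "$psu_stamp" -ge "$required_stamp" ] 2>/dev/null; then
    echo "patched ($base PSU $psu_stamp)"
    return 0
  fi
  echo "vulnerable ($base${psu_stamp:+ PSU $psu_stamp})"
  return 1
}

# Constructed sample outputs (not captured from a real host) for a self-check.
SAMPLE_UNPATCHED='WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621'
SAMPLE_PATCHED="$SAMPLE_UNPATCHED
WLS PATCH SET UPDATE 12.2.1.4.230328"
printf '%s\n' "$SAMPLE_UNPATCHED" | wls_cve_2023_21996_status 230328 || true   # vulnerable (12.2.1.4.0)
printf '%s\n' "$SAMPLE_PATCHED"   | wls_cve_2023_21996_status 230328 || true   # patched (12.2.1.4.0 PSU 230328)
```

A release that is not in the affected list (for example a newer 14.1.2.x) is reported as not affected without looking at the PSU line, and an install whose PSU stamp is older than the required one is still reported vulnerable together with the PSU it does have, which is the common case on hosts that were patched once and then forgotten.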

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns
  • Server crash/hang events in logs
  • Increased error rates

Network Indicators:

  • Spike in HTTP requests to WebLogic endpoints
  • Unusual traffic patterns from single sources

SIEM Query (pseudo-query; map the source and field names to your own log schema):

source="weblogic" AND (event_type="crash" OR event_type="hang" OR error_count > threshold)
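A concrete version of the network and error-rate indicators above, added as an example and not taken from the page: a shell function that runs awk over WebLogic's default access.log (common log format: client address, `-`, user, `[timestamp]`, quoted request, status, bytes), buckets requests per client per calendar minute, and reports every bucket that reaches a threshold together with its HTTP 5xx count, which is how a hang or crash of the Web Services component looks from the front. The log lines, paths and threshold are constructed for the demonstration and the function name is this example's own. Behind a load balancer the first field is the balancer, so key on the logged original client address instead of the immediate peer, or every alert will name the balancer.

```bash
#!/usr/bin/env bash
# Added example (not from the page): flag per-client request spikes and 5xx
# bursts in a WebLogic access.log written in the default "common" format.
# Usage: wls_access_log_spikes <requests-per-minute-threshold> < access.log

# $1: minimum requests from one client within one calendar minute to report.
wls_access_log_spikes() {
  local threshold="$1"
  awk -v thr="$threshold" '
    {
      # $1 = client address, $4 = "[dd/Mon/yyyy:HH:MM:SS"; the quoted request
      # sits between the first pair of double quotes and the status follows it.
      src = $1
      ts  = $4; sub(/^\[/, "", ts)                  # dd/Mon/yyyy:HH:MM:SS
      minute = substr(ts, 1, length(ts) - 3)        # drop :SS
      split($0, q, "\"")                            # q[2] = request, q[3] = " status bytes"
      split(q[3], tail, " ")
      status = tail[1]
      key = src SUBSEP minute
      n[key]++
      if (status ~ /^5[0-9][0-9]$/) e[key]++
    }
    END {
      for (k in n) if (n[k] >= thr) {
        split(k, p, SUBSEP)
        printf "ALERT src=%s window=%s requests=%d http5xx=%d\n", p[1], p[2], n[k], e[k] + 0
      }
    }' | sort
}

# Constructed sample log (documentation IP ranges, not real traffic): one
# client sends six requests to a web service within the same minute and the
# server answers 500 from the second request on; a second client is normal
# background traffic.
SAMPLE_ACCESS_LOG='198.51.100.7 - - [05/Apr/2023:10:15:01 +0000] "POST /ws/OrderService HTTP/1.1" 200 512
203.0.113.9 - - [05/Apr/2023:10:15:03 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [05/Apr/2023:10:15:04 +0000] "POST /ws/OrderService HTTP/1.1" 500 -
198.51.100.7 - - [05/Apr/2023:10:15:05 +0000] "POST /ws/OrderService HTTP/1.1" 500 -
198.51.100.7 - - [05/Apr/2023:10:15:06 +0000] "POST /ws/OrderService HTTP/1.1" 500 -
198.51.100.7 - - [05/Apr/2023:10:15:08 +0000] "POST /ws/OrderService HTTP/1.1" 500 -
203.0.113.9 - - [05/Apr/2023:10:15:10 +0000] "GET /console/ HTTP/1.1" 302 -
198.51.100.7 - - [05/Apr/2023:10:15:12 +0000] "POST /ws/OrderService HTTP/1.1" 500 -
198.51.100.7 - - [05/Apr/2023:10:16:30 +0000] "POST /ws/OrderService HTTP/1.1" 503 -'

printf '%s\n' "$SAMPLE_ACCESS_LOG" | wls_access_log_spikes 5
# ALERT src=198.51.100.7 window=05/Apr/2023:10:15 requests=6 http5xx=5
```

The threshold is deliberately a parameter: a sensible value is a multiple of the per-client rate you see in a normal week, and the 5xx count is what separates a busy but healthy client from one whose requests are taking the server down. The status is taken from after the quoted request rather than from a fixed field number, so request lines containing spaces do not shift it.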
