CVE-2024-21006 – This vulnerability in Oracle WebLogic Server al... (How to Fix)

Q: What is the severity of CVE-2024-21006?

CVE-2024-21006 has a CVSS score of 7.5 (HIGH). This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via T3 or IIOP protocols to access sensitive data. It affects WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, potentially exposing confidential information to remote attackers.

📋 TL;DR

This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via T3 or IIOP protocols to access sensitive data. It affects WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, potentially exposing confidential information to remote attackers.

💻 Affected Systems

Products:

Oracle WebLogic Server

Versions: 12.2.1.4.0 and 14.1.1.0.0

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability requires T3 or IIOP protocol access, which are enabled by default in WebLogic Server.

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all accessible data on the WebLogic Server, including sensitive application data, configuration files, and credentials.

🟠

Likely Case

Unauthorized access to sensitive application data and configuration information stored on the server.

🟢

If Mitigated

Limited or no data exposure if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Oracle describes this as 'easily exploitable' and requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update April 2024

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2024.html

Restart Required: Yes

Instructions:

1. Download appropriate patches from Oracle Support. 2. Apply patches following Oracle's patch installation procedures. 3. Restart WebLogic Server instances. 4. Verify patch application.

🔧 Temporary Workarounds

Disable T3/IIOP Protocols

all

Block or disable T3 and IIOP protocols to prevent exploitation

Configure WebLogic Server to disable T3 and IIOP protocols in server configuration

Network Segmentation

all

Restrict network access to WebLogic Server T3/IIOP ports

Configure firewall rules to block external access to T3 (default port 7001) and IIOP ports

🧯 If You Can't Patch

Implement strict network access controls to limit T3/IIOP traffic to trusted sources only
Monitor for unusual access patterns to WebLogic Server T3/IIOP ports

🔍 How to Verify

Check if Vulnerable:

Check WebLogic Server version and verify if running affected versions 12.2.1.4.0 or 14.1.1.0.0

Check Version:

java weblogic.version

Verify Fix Applied:

Verify patch application through Oracle patch verification tools and confirm version is updated

📡 Detection & Monitoring

Log Indicators:

Unusual T3 or IIOP protocol access from unauthorized sources
Failed authentication attempts followed by data access

Network Indicators:

Unexpected T3/IIOP traffic to WebLogic Server from external networks
Data exfiltration patterns from WebLogic Server

SIEM Query:

source_port:7001 AND (protocol:T3 OR protocol:IIOP) AND NOT src_ip IN [trusted_ips]

📊 Metadata

CVE ID: CVE-2024-21006

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-306

Published: April 16, 2024

Last Updated: March 18, 2025

🔗 References

https://www.oracle.com/security-alerts/cpuapr2024.html Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2024.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21006, you might also want to check these: