CVE-2024-21216 – This vulnerability in Oracle WebLogic Server al... (How to Fix)

Q: What is the severity of CVE-2024-21216?

CVE-2024-21216 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via T3 or IIOP protocols to fully compromise the server, leading to complete takeover. It affects WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, posing a critical risk to systems running these versions.

📋 TL;DR

This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via T3 or IIOP protocols to fully compromise the server, leading to complete takeover. It affects WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, posing a critical risk to systems running these versions.

💻 Affected Systems

Products:

Oracle WebLogic Server

Versions: 12.2.1.4.0 and 14.1.1.0.0

Operating Systems: All supported OS for WebLogic Server

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerable if T3 or IIOP protocols are enabled, which is common in default configurations.

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise resulting in data theft, system manipulation, and denial of service.

🟠

Likely Case

Remote code execution leading to unauthorized access and control over the WebLogic Server.

🟢

If Mitigated

Limited impact if network access is restricted or protocols are disabled, but still high risk if exposed.

🌐 Internet-Facing: HIGH due to unauthenticated network access and high CVSS score.

🏢 Internal Only: HIGH as internal attackers can exploit it without authentication.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Easily exploitable per CVSS, but no public proof-of-concept confirmed as of now.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update October 2024

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2024.html

Restart Required: Yes

Instructions:

1. Download the patch from Oracle Support. 2. Apply the patch to affected WebLogic Server instances. 3. Restart the server to complete the installation.

🔧 Temporary Workarounds

Disable T3 and IIOP Protocols

all

Block or disable T3 and IIOP network access to reduce attack surface.

Configure firewall rules to block ports for T3 (default 7001) and IIOP (default 900).
Modify WebLogic Server configuration to disable these protocols if not needed.

🧯 If You Can't Patch

Restrict network access to WebLogic Server using firewalls or network segmentation.
Monitor logs and network traffic for unusual T3/IIOP activity and implement intrusion detection.

🔍 How to Verify

Check if Vulnerable:

Check WebLogic Server version and if T3/IIOP protocols are enabled in configuration.

Check Version:

java weblogic.version

Verify Fix Applied:

Verify patch installation by checking version and ensuring no vulnerabilities from the advisory remain.

📡 Detection & Monitoring

Log Indicators:

Unusual T3 or IIOP connection attempts in server logs.
Errors or anomalies in WebLogic Server logs post-exploit.

Network Indicators:

Suspicious traffic on T3 (port 7001) or IIOP (port 900) protocols.
Unexpected network connections to WebLogic Server.

SIEM Query:

Example: search for 'WebLogic' AND ('T3' OR 'IIOP') in network or server logs.

📊 Metadata

CVE ID: CVE-2024-21216

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-862

Published: October 15, 2024

Last Updated: October 18, 2024

🔗 References

https://www.oracle.com/security-alerts/cpuoct2024.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-21216, you might also want to check these: