On July 21, 2021, NSFOCUS detected that Oracle released the April 2021 Critical Patch Update (CPU), which fixed 342 vulnerabilities of varying risk levels. Among these vulnerabilities, three severe and easily exploitable ones affect WebLogic. Users are advised to take measures without delay to protect against the vulnerabilities described below.
CVE-2021-2382/CVE-2021-2394/CVE-2021-2397: These vulnerabilities allow unauthenticated attackers to execute arbitrary code on the target server by sending maliciously crafted T3 or IIOP requests. The vulnerabilities are assigned a CVSS Base Score of 9.8.
CVE-2021-2376/CVE-2021-2378: These vulnerabilities allow unauthenticated attackers to cause the target server to hang or crash by sending maliciously crafted T3 or IIOP requests. The vulnerabilities are assigned a CVSS Base Score of 7.5.
CVE-2015-0254: This vulnerability exists in Apache Standard Taglibs. When using the <x:parse> or <x:transform> tag to handle untrusted XML documents, Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in the <x:parse> or <x:transform> tag. This vulnerability has a CVSS Base Score of 7.3.
CVE-2021-2403: This vulnerability allows unauthenticated attackers to access certain data on the target server without authorization by sending malicious requests via HTTP. This vulnerability has a CVSS Base Score of 5.3.
Scope of Impact
- WebLogic Server 10.3.6.0.0
- WebLogic Server 188.8.131.52.0
- WebLogic Server 184.108.40.206.0
- WebLogic Server 220.127.116.11.0
- WebLogic Server 18.104.22.168.0
Check for the Vulnerability
1. Local Check
Run the following commands to view the WebLogic version and installed patches:
$ cd /Oracle/Middleware/wlserver_10.3/server/lib
$ java -cp weblogic.jar weblogic.version
If the command output shows that no patch is installed, as in the output referenced here, WebLogic is at risk.
2. Detection via the T3 Protocol
Nmap provides a scanning script for the WebLogic T3 protocol and can detect WebLogic hosts with the T3 service enabled. The command is as follows (7001 and 7002 are the default WebLogic ports):
nmap -n -v -Pn -sV [host or network segment address] -p 7001,7002
As shown in the red box in the following figure, when the T3 protocol is enabled on the target and the reported WebLogic version is in the affected range, the target is vulnerable unless the official patches have been installed.
1. Patch Update
Oracle has released patches to fix these vulnerabilities. Affected users should visit the official security advisory link to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection.
Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.
If users cannot install patches for the time being, they can adopt the following mitigation measures:
2.1 Restricting Access to the T3 Protocol
Users can block attacks that exploit this vulnerability over the T3 protocol by controlling T3 access. WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl. This filter accepts all inbound connections by default. Users are advised to configure rules through this filter to control access to the T3 and T3S protocols. The detailed procedure is as follows:
1. Access the administration console of WebLogic Server. Click base_domain in the left pane and then click the Security and Filter tabs successively to open the filter configuration page.
2. Type weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and configure connection filter rules as required in the Connection Filter Rules field. Rule formats are as follows:
127.0.0.1 * * allow t3 t3s
Local IP * * allow t3 t3s
Allowed IP * * allow t3 t3s
* * * deny t3 t3s
Connection filter rules are written in the format "target localAddress localPort action protocols", where:
- target indicates one or more servers to be filtered.
- localAddress specifies the host address of the server. (An asterisk (*) indicates all local IP addresses.)
- localPort specifies the port that the server is listening on. (An asterisk (*) indicates all ports available on the server.)
- action specifies the action to be taken. (The value must be allow or deny.)
- protocols specifies the protocols to be filtered. (The value must be http, https, t3, t3s, giop, giops, dcom, or ftp.) If no protocol is specified, all protocols will be filtered.
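The following added example, which is not part of the advisory or of WebLogic itself, parses rules in the "target localAddress localPort action protocols" format above and evaluates a connection against the advisory's template rule set. It assumes, since the page does not state it, that rules are checked in order with the first match deciding and that an unmatched connection is allowed; 10.0.0.5 and 10.0.1.0/24 are constructed stand-ins for "Local IP" and "Allowed IP".

```python
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}

@dataclass(frozen=True)
class Rule:
    target: str           # client IP, CIDR block, or "*"
    local_addr: str       # server listen address or "*"
    local_port: str       # server listen port or "*"
    action: str           # "allow" or "deny"
    protocols: frozenset  # empty means all protocols

def parse_rule(line: str) -> Rule:
    """Parse one 'target localAddress localPort action protocols' line."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"rule needs at least 4 fields: {line!r}")
    target, local_addr, local_port, action, *protos = parts
    protos = frozenset(p.lower() for p in protos)
    if action.lower() not in ("allow", "deny") or not protos <= PROTOCOLS:
        raise ValueError(f"bad action or protocol in rule: {line!r}")
    return Rule(target, local_addr, local_port, action.lower(), protos)

def _target_matches(target: str, client_ip: str) -> bool:
    if target == "*":
        return True
    if "/" in target:  # CIDR block such as 10.0.1.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(target, strict=False)
    return client_ip == target

def evaluate(rules, client_ip, local_addr, local_port, protocol) -> str:
    """Return 'allow' or 'deny'. Assumption (the page does not say): rules are
    checked in order and the first match wins; if nothing matches, the
    connection is allowed, which is why the final '* * * deny t3 t3s' matters."""
    for r in rules:
        if (_target_matches(r.target, client_ip)
                and r.local_addr in ("*", local_addr)
                and r.local_port in ("*", str(local_port))
                and (not r.protocols or protocol.lower() in r.protocols)):
            return r.action
    return "allow"

# Constructed rule set following the advisory's template; 10.0.0.5 stands in
# for "Local IP" and 10.0.1.0/24 for "Allowed IP".
RULES = [parse_rule(l) for l in """127.0.0.1 * * allow t3 t3s
10.0.0.5 * * allow t3 t3s
10.0.1.0/24 * * allow t3 t3s
* * * deny t3 t3s""".splitlines()]
```

Note that the rule set only filters t3 and t3s: HTTP from an arbitrary address still falls through to the default allow, so it does not replace the patch.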
3. Click Save to make the rules take effect. If the rules do not take effect, users are advised to restart the WebLogic service. Note that restarting the WebLogic service causes a short service interruption, so users should ask the responsible personnel to evaluate the service impact before this operation. The procedure for restarting the WebLogic service is as follows:
Navigate to the bin directory under the domain directory and run stopWebLogic.cmd (Windows) or stopWebLogic.sh (Linux) to stop the WebLogic service.
After the stop script has finished, run startWebLogic.cmd or startWebLogic.sh to start WebLogic again, completing the restart.
2.2 Disabling the IIOP Protocol
To block attacks that exploit vulnerabilities in the IIOP protocol, users can disable the protocol by following these steps:
Access the administration console of WebLogic Server, choose Services > AdminServer > Protocol, deselect Enable IIOP, and restart the WebLogic Server to make the setting take effect.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.