Vulnerability Description
On April 21, 2021, NSFOCUS detected that Oracle released the April 2021 Critical Patch Update (CPU), which fixed 400 vulnerabilities of varying risk levels. Seven of these vulnerabilities are severe, easy to exploit, and affect WebLogic. Users are advised to take measures without delay to protect against these vulnerabilities.
CVE-2021-2135: This vulnerability allows unauthenticated attackers to execute arbitrary code on the target server by sending maliciously crafted T3 or IIOP requests, with a CVSS Base Score of 9.8.
CVE-2021-2136: This vulnerability allows unauthenticated attackers to execute arbitrary code on the target server by sending maliciously crafted IIOP requests, with a CVSS Base Score of 9.8.
CVE-2021-2157: This vulnerability allows unauthenticated attackers to access critical data of the target server without authorization by sending malicious requests via HTTP, with a CVSS Base Score of 7.5.
CVE-2021-2211: An XML external entity (XXE) vulnerability exists in the call chain of the readExternal method in weblogic.wsee.security.wssc.sct.SCCredential.class of weblogic.jar. Unauthenticated attackers could exploit this vulnerability to remotely obtain sensitive information from the target server. Vulnerability details have already been made publicly available. Affected users are advised to take protective measures as soon as possible.
Reference link:
https://www.oracle.com/security-alerts/cpuapr2021.html
Scope of Impact
Affected Versions
- WebLogic Server 10.3.6.0.0
- WebLogic Server 12.1.3.0.0
- WebLogic Server 12.2.1.3.0
- WebLogic Server 12.2.1.4.0
- WebLogic Server 14.1.1.0.0
Check for the Vulnerability
3.1 Local Check
Run the following commands to view the WebLogic version and installed patches.
$ cd /Oracle/Middleware/wlserver_10.3/server/lib
$ java -cp weblogic.jar weblogic.version
The command output below shows that WebLogic has no patch installed and thus is at risk.
3.2 Detection via the T3 Protocol
Nmap ships a scanning script for the WebLogic T3 protocol that can identify WebLogic hosts with T3 services enabled. The command is as follows:
nmap -n -v -Pn -sV [host or network segment address] -p7001,7002 --script=weblogic-t3-info.nse
As shown in the red box in the following figure, if the target has the T3 protocol enabled, runs an affected WebLogic version, and has no official patch installed, the target is vulnerable.
Mitigation
4.1 Patch Update
Oracle has released patches to fix these vulnerabilities. Affected users should visit the official security advisory link to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection.
Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.
4.2 Workaround
If users cannot install patches for the time being, they can adopt the following mitigation measures:
4.2.1 Restricting Access to the T3 Protocol
Users can block attacks that exploit these vulnerabilities over the T3 protocol by controlling T3 access. WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl. This filter accepts all inbound connections by default. It is advisable to configure rules through this filter to control T3 and T3S access. Detailed steps are as follows:
Access the administration console of WebLogic Server. Click base_domain in the left pane and then click the Security and Filter tabs successively to open the filter configuration page.
Type weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and configure connection filter rules as required in the Connection Filter Rules field. Rule formats are as follows:
127.0.0.1 * * allow t3 t3s
<IP address of the host> * * allow t3 t3s
<allowed IP address> * * allow t3 t3s
* * * deny t3 t3s
Connection filter rules should be provided in the format of “target localAddress localPort action protocols”, where
- target indicates one or more servers to be filtered.
- localAddress specifies the host address of the server. (An asterisk (*) indicates all local IP addresses.)
- localPort specifies the port that the server is listening on. (An asterisk (*) indicates all ports available on the server.)
- action specifies the action to be taken. (The value must be allow or deny.)
- protocols specifies the protocols to be filtered. (The value must be http, https, t3, t3s, giop, giops, dcom, and/or ftp.) If no protocol is specified, all protocols will be filtered.
Click Save to make the rules take effect. If the rules do not take effect, you are advised to restart the WebLogic service. Note that restarting the WebLogic service interrupts the service for a short while, so ask the responsible personnel to evaluate the service impact before performing this operation. To restart the WebLogic service, follow these steps:
Navigate to the bin directory under the domain directory and run the stopWebLogic.cmd file (Windows) or the stopWebLogic.sh file (Linux) to terminate the WebLogic service.
After the termination script has finished, run the startWebLogic.cmd or startWebLogic.sh file to start WebLogic, which completes the restart of the WebLogic service.
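Before pasting a rule set into the Connection Filter Rules field, it is worth checking that it does what you expect. The following added example (not part of the advisory or of WebLogic itself) parses rules in the "target localAddress localPort action protocols" format described above and evaluates test connections against them; it assumes rules are matched top to bottom with the first match winning and that a connection matching no rule is allowed, and it accepts IP or IP/netmask targets only (no hostnames).

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule set modelled on the advisory's examples: loopback, one admin
# host and one admin subnet may use T3/T3S, everything else is denied T3/T3S.
RULES_TEXT = """
127.0.0.1 * * allow t3 t3s
10.0.0.5 * * allow t3 t3s
192.168.1.0/255.255.255.0 * * allow t3 t3s
* * * deny t3 t3s
"""

VALID_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}

@dataclass(frozen=True)
class Rule:
    target: str          # remote IP, IP/mask, or "*"
    local_addr: str      # server listen address or "*"
    local_port: str      # server listen port or "*"
    action: str          # "allow" or "deny"
    protocols: frozenset # empty set means every protocol (per the advisory)

def parse_rules(text):
    """Parse rule lines, rejecting malformed actions and unknown protocols."""
    rules = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected 'target localAddress localPort action [protocols]'")
        target, laddr, lport, action, *protos = parts
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny, got {action!r}")
        unknown = set(protos) - VALID_PROTOCOLS
        if unknown:
            raise ValueError(f"line {lineno}: unknown protocols {sorted(unknown)}")
        rules.append(Rule(target, laddr, lport, action, frozenset(protos)))
    return rules

def _target_matches(target, remote_ip):
    if target == "*":
        return True
    # ip_network accepts a bare IP (/32), CIDR, or IP/netmask notation.
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(target, strict=False)

def decide(rules, remote_ip, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for a connection (assumed first-match semantics)."""
    for r in rules:
        if not _target_matches(r.target, remote_ip):
            continue
        if r.local_addr != "*" and r.local_addr != local_addr:
            continue
        if r.local_port != "*" and int(r.local_port) != local_port:
            continue
        if r.protocols and protocol not in r.protocols:
            continue
        return r.action
    return "allow"  # assumed default when no rule matches
```

Run `decide(parse_rules(RULES_TEXT), "203.0.113.9", "10.0.0.1", 7001, "t3")` to confirm an untrusted source is denied T3 while HTTP on the same port is untouched by the deny rule.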
4.2.2 Disabling the IIOP Protocol
Users can block attacks that exploit these vulnerabilities via the IIOP protocol by disabling the protocol. To disable the IIOP protocol, follow these steps:
Access the administration console of WebLogic Server, choose Services > AdminServer > Protocol, deselect Enable IIOP, and restart the WebLogic Server to make the setting take effect.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.