WebLogic Multiple Remote Code Execution Vulnerabilities Threat Alert

WebLogic Multiple Remote Code Execution Vulnerabilities Threat Alert

January 22, 2021 | Mina Hao

Vulnerability Description

On January 20, 2021, NSFOCUS detected that Oracle released the January 2021 Critical Patch Update (CPU), which fixed 329 vulnerabilities of varying risk levels. Seven of these vulnerabilities are severe and assigned CVE-2021-1994, CVE-2021-2047, CVE-2021-2064, CVE-2021-2108, CVE-2021-2075, CVE-2019-17195, and CVE-2020-14756. Unauthenticated attackers could exploit these vulnerabilities to execute code remotely. These vulnerabilities are assigned a CVSS Base Score of 9.8 and are easy to exploit. Users are advised to take measures without delay to protect against the preceding vulnerabilities.

A WebLogic Server remote code execution vulnerability (CVE-2021-2109) exists in the console of the WebLogic Server, with a CVSS Base Score of 7.2. Authenticated attackers could remotely execute commands or code via JNDI injection attacks. Currently, the proof of concept (PoC) has been made publicly available. Affected users are advised to fix the vulnerability as soon as possible.

NSFOCUS reproduced the vulnerability immediately after CVE-2021-2109 was listed it as a new entry:

Reference link:

https://www.oracle.com/security-alerts/cpujan2021.html

Scope of Impact

Affected Versions

  • Weblogic Server 10.3.6.0.0
  • Weblogic Server 12.1.3.0.0
  • Weblogic Server 12.2.1.3.0
  • Weblogic Server 12.2.1.4.0
  • Weblogic Server 14.1.1.0.0
  • Check for the Vulnerabilities
  • Local Check

Run the following commands to view the WebLogic version and installed patches.

$ cd /Oracle/Middleware/wlserver_10.3/server/lib $ java -cp weblogic.jar weblogic.version

The command output below shows that WebLogic has no patch installed and thus is at risk.

  • Detection via the T3 Protocol

Nmap provides a scanning script for the WebLogic T3 protocol. For the vulnerabilities assigned CVE-2020-14825 and CVE-2020-14859, it can detect the WebLogic host enabling T3 services. Following is the information about the related command.

nmap -n -v -Pn –sV [host or network segment address] -p7001,7002 –script=weblogic-t3-info.nse

As shown in the red box in the figure below, when the target has the T3 protocol enabled and the WebLogic version is within the affected range, there is a security risk.

Mitigation

  • Patch Update

Oracle has released patches to fix these vulnerabilities. Affected users should visit the official security advisory link to download related patches as soon as possible and apply them as indicated in the readme file to ensure long-term effective protection.

Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patches.

  • Workarounds

If users cannot install patches for the time being, they can adopt the following temporary measures to protect against the vulnerabilities (CVE-2021-2047, CVE-2021-2064, CVE-2021-2108, CVE-2021-2075, CVE-2020-14756).

  •  Restricting Access to the T3 Protocol

Users can temporarily block attacks that exploit vulnerabilities via the T3 protocol by controlling access to the protocol. WebLogic Server provides a default connection filter called weblogic.security.net.ConnectionFilterImpl. This filter accepts all inbound connections. It is advisable to configure a rule through this filter to control access to T3 and T3S protocols. To control access to T3 and T3S protocols, follow these steps:

  1. Access the administration console of WebLogic Server. Click base_domain in the left pane and then click the Security and Filter tabs successively to open the filter configuration page.
  2. Type weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and configure connection filter rules as required in the Connection Filter Rules field. Rule formats are as follows:
127.0.0.1 * * allow t3 t3s Local IP * * allow t3 t3s Allowed IP * * allow t3 t3s   * * * deny t3 t3s
Connection filter rules should be provided in the format of “target localAddress localPort action protocols”, where target indicates one or more servers to be filtered.localAddress specifies the host address of the server. (An asterisk (*) indicates all local IP addresses.)localPort specifies the port that the server is listening on. (An asterisk (*) indicates all ports available on the server.)action specifies the action to be taken. (The value must be allow or deny.) protocols specifies the protocols to be filtered. (The value must be http, https, t3, t3s, giop, giops, dcom, and/or ftp.) If no protocol is specified, all protocols will be filtered.
  • Click Save to make the rules take effect. If rules do not take effect, you are advised to restart the WebLogic service. It should be noted that restarting the WebLogic service will cause the service interruption for a short while, and therefore you need to ask related personnel to evaluate the service impact before this operation. To restart the WebLogic service in the Windows environment, follow these steps:
  • Navigate to the bin directory under the domain directory, and run the stopWebLogic.cmd file to terminate the WebLogic service in the Windows system, and run the stopWebLogic.sh file in the Linux system.
  • After the execution of the termination script is completed, run the startWebLogic.cmd or startWebLogic.sh file to start WebLogic to complete the restart of the WebLogic service.

If WebLogic cannot be started after the connection filter is configured according to the preceding steps, please refer to “Appendix A: WebLogic Service Recovery” to resume business in time.

  • Disabling the IIOP Protocol

Users can block attacks that exploit vulnerabilities via the IIOP protocol by disabling the protocol. To disable the IIOP protocol, follow these steps:

Access the administration console of WebLogic Server, choose Services > AdminServer > Protocol, deselect Enable IIOP, and restart the WebLogic Server to make the setting take effect.

Appendix A: WebLogic Service Recovery

  • Recovery via the Console

Before restarting services, access the administration console of WebLogic Server to delete relevant settings by following these steps:

  1. Choose base_domain > Security > Browser.
  2. Clear the previous settings and click Save.
  3. Click View Changes and Restarts to open Restart Checklist, select AdminServer, and click Restart.
  4. Recovery via the Configuration File

After the connection filter is configured, configuration information is saved in the \Oracle\Middleware\user_projects\domains\base_domain\config\config.xml file. Use a text editor to open the file and find the following contents to be deleted:

<connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter> <connection-filter-rule>* * 7001 deny t3 t3s</connection-filter-rule>

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.