Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

On May 1, 2023 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

This means that Federal Civilian Executive Branch (FCEB) agencies are obliged to remediate the vulnerabilities by May 22, 2023. For the rest of us it means “pay attention,” everyone else with a vulnerable entity should do this as fast as possible too.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs added by CISA were:

  • CVE-2023-1389 is a vulnerability in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Affected versions contain a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
  • CVE-2021-45046 is a very old Apache Log4j2 deserialization of untrusted data vulnerability that still works on enough unpatched servers to be listed.
  • CVE-2023-21839 affects Oracle WebLogic Server. It can lead to an unauthenticated attacker with network access gaining unauthorized access to “critical data or complete access to all Oracle WebLogic Server accessible data.”

We would like to zoom in on that last vulnerability for a few reasons.

  • First of all because Oracle WebLogic is a very wide-spread java application server and has always been a popular entrance to networks for cybercriminals.
  • The vulnerability is easily exploitable. Even for copycats, since there are proof-of-concepts (PoCs) available and exploits are incorporated in pen-testing tools.
  • The scope of the vulnerability. There is a real risk that a remote, unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware, and turn to the rest of the internal network.

Oracle WebLogic Suite is an application server for building and deploying enterprise Java EE applications which is fully supported on Kubernetes. That makes it easy to use on-premises or in the cloud. The companies using Oracle WebLogic are most often found in United States and in the Information Technology and Services industry.

In Oracle’s January security advisory you will notice that five researchers are credited with finding and reporting CVE-2023-21839. This may be due to the fact that Oracle issues patches in a quarterly cycle, where many others publish updates monthly. This means that researchers have more time to find new vulnerabilities, but they also have to keep quiet about them for longer. Nevertheless, five separate instances could indicate that this vulnerability was not hard to find.

What’s even worse is that it is easy to exploit the vulnerability. The published exploits target the Listen Port for the Administration Server. The protocol used with this port is T3—Oracle’s proprietary Remote Method Invocation (RMI) protocol, which transfers information between WebLogic servers and other Java programs. An unauthorized attacker with remote access can send a crafted request to a vulnerable WebLogic server and upload a file via an LDAP server. Basically allowing the attacker to execute reverse shells on the target. A reverse shell or “connect-back” shell opens communications with the attacker and allows them to execute commands, which enables them to take control of the system.

Update now

Affected versions of Oracle WebLogic Server are 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. A patch for this vulnerability is available on the Oracle support site for those that have an Oracle account.

Oracle always strongly recommends that you do not expose non-HTTPS traffic (T3/T3s/LDAP/IIOP/IIOPs) outside of the external firewall. You can control this access using a combination of network channels and firewalls.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

https://blog.malwarebytes.com/feed/