If you spend time tracking vulnerabilities, you might have come across CVE-2021-35684 linked to Oracle WebLogic Server. But if you try to dig into it, you’ll notice something curious—this CVE was officially rejected. What happened, and why does it matter? Let’s break it down in plain English, look at the surrounding context, and see what patching steps you should take.
What Was CVE-2021-35684?
At first, CVE-2021-35684 was published as a security issue affecting Oracle WebLogic Server. This server is a popular Java EE application server used for deploying applications and services. Any high-severity bug in it gets lots of attention—so the initial listings caused some concern in the security community.
Here is what you might have seen (paraphrased from Oracle advisories)
> _“Vulnerability in the Oracle WebLogic Server product could allow a remote attacker to compromise the server... remote code execution possible under specific conditions.”_
But soon after posting, the CVE was withdrawn. The reason? It’s a duplicate of another CVE.
The official wording from the CVE database
> _“REJECTED: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This was done for the following reason: Duplicate of CVE-2022-21306.”_
So, if you see CVE-2021-35684 in any old security advisories or tools, you should instead look at the details for the correct, valid CVE: CVE-2022-21306.
A Quick Look at CVE-2022-21306 (The “Real” Vulnerability)
CVE-2022-21306 affects the same Oracle WebLogic Server versions (10.3.6.., 12.1.3.., 12.2.1.3., 12.2.1.4., and 14.1.1..). This vulnerability is considered serious, with a CVSS base score of 7.7. It permits remote code execution if exploited by an authenticated attacker—meaning the attacker needs tested credentials to abuse the flaw.
You can read more on the NIST NVD entry or Oracle’s own advisory.
Exploit Example
Since CVE-2021-35684 is a duplicate, any proof of concept or exploit will be identical to CVE-2022-21306. While no public weaponized exploit code is available (as of this writing), here’s a simplified example of how an attacker might attempt to exploit similar flaws in a WebLogic deployment (for educational purposes only):
import requests
# WARNING: This is a conceptual example. Don't use against systems you do not own.
url = "https://TARGET-IP:7001/console/login/LoginForm.jsp";
payload = {
"j_username": "attacker",
"j_password": "PASSWORD",
# malicious data could go here, targeting vulnerable endpoints with crafted objects
}
with requests.Session() as s:
r = s.post(url, data=payload, verify=False)
print(r.text) # In a real attack, could escalate with further malicious requests
Note: Real-world exploitation would require more knowledge of the underlying bug and successful authentication.
What Should You Do?
If you find disclosures or vulnerability scans referring to CVE-2021-35684, it’s an old pointer to CVE-2022-21306. Here’s what you should do:
1. Update your references: Replace CVE-2021-35684 with CVE-2022-21306 in inventories, reports, and patch management dashboards.
2. Patch Oracle WebLogic: Review Oracle’s Critical Patch Update advisories and apply all relevant security patches for WebLogic Server versions you run.
3. Record-keeping: Update any incident response or threat-hunting playbooks to reference the correct CVE.
Original References
- CVE-2021-35684 Rejection Entry
- NVD Entry for CVE-2022-21306
- Oracle CPU January 2022 Advisory
Bottom Line
CVE-2021-35684 shouldn’t appear in your patch notes or vulnerability scans anymore—its details are now fully covered by CVE-2022-21306. Always verify suspected vulnerabilities directly from trusted sources, double-check for withdrawn or duplicate CVEs, and keep your systems patched.
Timeline
Published on: 01/16/2025 00:15:24 UTC