CVE-2022-21347 - Easily Exploitable Vulnerability in Oracle WebLogic Server (T3 Protocol)

Oracle WebLogic Server is at the heart of many enterprise Java apps, powering everything from business portals to banking software. But with its popularity comes risk: in this post, we'll dive deep into CVE-2022-21347, a serious vulnerability affecting several supported versions of WebLogic Server. You'll learn what makes this bug so dangerous, how an attack could work, and how to protect your systems.

What Is CVE-2022-21347?

CVE-2022-21347 is an easily exploitable vulnerability in the "Core" component of Oracle WebLogic Server. It affects these versions:

Attack Complexity: Low

- Impacts: Allows update/insert/delete access to some server data and can cause partial denial of service (partial DOS)

CVSS Score: 6.5 (Medium)

This means that anyone who can reach the server on the network does not need credentials to launch an attack.

You can find the original security advisory from Oracle here

- Oracle Critical Patch Update Advisory - January 2022

Here’s Oracle’s note on CVE-2022-21347 in the National Vulnerability Database (NVD).

Exploit Details: How the Attack Works

The vulnerability lies in how WebLogic Server handles T3 protocol traffic. T3 is a proprietary protocol used for communication between WebLogic clients and servers. If an attacker sends a specially crafted T3 message, they can gain unwanted abilities like modifying data or crashing the service.

Example: How a Hacker Could Exploit It

An attacker on the same network or with access to port 7001 (the default WebLogic T3 port) could send malicious serialized Java objects that the server does not properly validate or filter.

Here’s a simplified snippet (for educational purposes) using the popular ysoserial tool to craft an exploit payload. *Do not use this code against systems you do not own.*

# Example: Generate a malicious payload with ysoserial
java -jar ysoserial.jar CommonsCollections1 "touch /tmp/pwned" > payload.ser

# Example: Send the payload to the WebLogic T3 port (pseudo-code)
python3 -c "
import socket
with socket.create_connection(('TARGET_IP', 7001)) as sock:
    payload = open('payload.ser', 'rb').read()
    # send T3 handshake and payload (details omitted for brevity)
    sock.sendall(your_handshake_bytes + payload)
"

*Note: Real-world exploits are more involved, but this highlights the basic workflow.*

Proof-of-Concept References

- Rapid7 Analysis of WebLogic T3 Vulnerabilities
- PoC from Github for similar T3 vulnerabilities

Important Security Recommendations

- Patch Now: Apply Oracle’s January 2022 Critical Patch Update or later for the affected versions.
- Restrict Access: Only allow trusted hosts/network segments to reach the WebLogic T3 port. (Default is 7001, but check your config.)

Wrapping Up

CVE-2022-21347 is yet another reminder that middleware like Oracle WebLogic can be a weak link if left unpatched or exposed. Attackers don’t need credentials. If they can reach your server’s T3 port, they can potentially disrupt your business or manipulate data.

Further Reading

- Oracle CPU Alert – Jan 2022
- NVD Entry for CVE-2022-21347
- WebLogic Official Documentation

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 18:52:00 UTC