A high-severity vulnerability (CVE-2023-21996) has been disclosed in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; a successful attack results in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server. No privileges or user interaction are required. The CVSS 3.1 Base Score for this vulnerability is 7.5 (Availability impacts), with the CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Confidentiality and integrity are not affected; the impact is availability only.

Exploit Details

This vulnerability allows an unauthenticated attacker to abuse a weakness in the Web Services component of Oracle WebLogic Server. By sending HTTP requests containing maliciously crafted XML elements, the attacker can trigger a denial of service on the server. Neither the Oracle advisory nor this write-up reproduces the crafted XML itself.

According to the official Oracle advisory, this vulnerability affects the following Oracle WebLogic Server versions:

- 12.2.1.3.0
- 12.2.1.4.0
- 14.1.1.0.0

To exploit this vulnerability, an attacker only needs a simple HTTP client to send a POST request with specially crafted XML data to an exposed WebLogic Server endpoint that is served by the vulnerable Web Services component. Because no authentication is required, any host that can reach the endpoint over HTTP is in a position to attempt it.

Example code snippet (skeleton only; the crafted XML body is not reproduced here)

import requests

# Placeholder target: replace <target-ip>, <port> and /ws-uri with the exposed
# Web Services endpoint on the WebLogic instance being tested.
target_url = "http://<target-ip>:<port>/ws-uri"

# The crafted SOAP body is elided in this write-up; only the envelope skeleton is shown.
malicious_xml = """<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ... </soapenv:Envelope>"""

headers = {
    'Content-Type': 'text/xml'
}

# A short timeout distinguishes a hung server from one that is merely slow to answer.
response = requests.post(target_url, data=malicious_xml, headers=headers, timeout=10)
print(response.status_code)

By repeatedly sending such HTTP requests, the attacker can hang or crash the Oracle WebLogic Server instance, resulting in a denial of service that affects legitimate users and every application deployed on that server.
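Neither the advisory nor this write-up says what the crafted XML elements look like, so the block below is not a reproduction of the bug. It is an added defensive example, written for this page and not code from Oracle or from the original author, showing the kind of pre-filter a reverse proxy or API gateway can apply to SOAP traffic in front of an instance that cannot be patched immediately: a body-size cap, rejection of DOCTYPE and entity declarations, limits on element count and nesting depth, and a check that the root element really is a SOAP Envelope. The limits, the endpoint names and the sample bodies are assumptions constructed for the example.

```python
"""Pre-filter for inbound SOAP bodies: reject structural abuse before WebLogic sees it."""
import xml.parsers.expat

# SOAP 1.1 and SOAP 1.2 envelope namespaces; anything else is not a SOAP request.
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}

# Assumed limits; tune them to the largest legitimate request the service accepts.
MAX_BODY_BYTES = 256 * 1024
MAX_DEPTH = 64
MAX_ELEMENTS = 10_000


class XmlRejected(Exception):
    """Raised by the filter with a short, loggable reason."""


def check_soap_body(body, max_bytes=MAX_BODY_BYTES, max_depth=MAX_DEPTH,
                    max_elements=MAX_ELEMENTS):
    """Parse body once with expat, enforcing limits as parsing proceeds.

    Returns {"elements": n, "max_depth": d} for an acceptable body and raises
    XmlRejected at the first violation, so a hostile body is abandoned early.
    """
    if len(body) > max_bytes:
        raise XmlRejected(f"body of {len(body)} bytes exceeds limit {max_bytes}")

    # namespace_separator makes element names "<namespace> <local>", so the root
    # check works whatever prefix the client chose.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    state = {"depth": 0, "max_depth": 0, "elements": 0, "root_checked": False}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations: blocks expansion attacks and external entities.
        raise XmlRejected("DOCTYPE declaration not allowed in a SOAP request")

    def on_entity_decl(*_):
        raise XmlRejected("entity declaration not allowed")

    def on_start(name, attrs):
        state["elements"] += 1
        if state["elements"] > max_elements:
            raise XmlRejected(f"more than {max_elements} elements")
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise XmlRejected(f"nesting deeper than {max_depth}")
        if not state["root_checked"]:
            state["root_checked"] = True
            ns, _, local = name.rpartition(" ")
            if local != "Envelope" or ns not in SOAP_ENVELOPE_NS:
                raise XmlRejected(f"root element is not a SOAP Envelope: {name!r}")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from None
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def verdict(body):
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        stats = check_soap_body(body)
    except XmlRejected as exc:
        return False, str(exc)
    return True, f"ok: {stats['elements']} elements, depth {stats['max_depth']}"


# Constructed sample bodies for the example (not captured traffic).
BENIGN = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <getStatus xmlns="urn:example:status">
      <id>42</id>
    </getStatus>
  </soapenv:Body>
</soapenv:Envelope>"""

# A small DTD whose entities expand to a much larger document.
ENTITY_BOMB = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE Envelope [<!ENTITY a "aaaaaaaaaaaaaaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>\n'
               b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soapenv:Body>&b;&b;&b;</soapenv:Body></soapenv:Envelope>')

# 200 nested elements inside the Body.
DEEP_NESTING = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<soapenv:Body>' + b'<x>' * 200 + b'</x>' * 200 +
                b'</soapenv:Body></soapenv:Envelope>')

# Well-formed XML that is not a SOAP envelope at all.
NOT_SOAP = b'<rpc xmlns="urn:example"><call/></rpc>'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("entity bomb", ENTITY_BOMB),
                        ("deep nesting", DEEP_NESTING), ("not soap", NOT_SOAP)]:
        print(f"{label:13} -> {verdict(body)}")
```

A filter like this reduces exposure to generic XML-structure abuse and gives the proxy a reason string to log, but it cannot be assumed to stop the specific input that triggers CVE-2023-21996, since that input is not public; applying Oracle's patch remains the fix.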

Oracle has released patches to address this vulnerability. CVE-2023-21996 was fixed in the Oracle Critical Patch Update Advisory of April 2023 (published 18 April 2023, which matches the timeline below), and that advisory covers all three affected versions:

- 12.2.1.3.0: Oracle Critical Patch Update Advisory - April 2023
- 12.2.1.4.0: Oracle Critical Patch Update Advisory - April 2023
- 14.1.1.0.0: Oracle Critical Patch Update Advisory - April 2023

The specific patch set update for each version is listed in the patch availability document that accompanies the advisory.

It is highly recommended to apply the appropriate patches as soon as possible to protect your Oracle WebLogic Server instances from being exploited. Where patching must be delayed, limit HTTP access to the Web Services endpoints to trusted networks, since the attack requires only network reachability and no credentials.

Conclusion

CVE-2023-21996 is a high-severity denial-of-service vulnerability that affects Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. It is essential to update affected installations as soon as possible to minimize the potential impact from attackers. By applying the patches, restricting network exposure of the affected endpoints in the meantime, and staying informed about the latest security vulnerabilities and updates, you can help ensure the security and availability of your services.

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/19/2023 19:40:00 UTC