Oracle WebLogic Server Vulnerability (CVE-2021-2109) Results in Complete Server Takeover

[post-views]
February 09, 2021 · 2 min read
Oracle WebLogic Server Vulnerability (CVE-2021-2109) Results in Complete Server Takeover

A high-severity remote code execution issue in Oracle Fusion Middleware Console enables full Oracle WebLogic Server compromise.

New Oracle WebLogic Server Vulnerability

The flaw allows an authenticated actor with high privileges to misuse the “JndiBinding” Handler and launch a JNDI (Java Naming and Direction Interface) injection. This, in turn, enables retrieving and deserialization of a malicious class from the server under the attacker’s control, which results in arbitrary code execution on the Oracle WebLogic Server.

Although the exploitation routine requires authentication, the attacker might overcome this obstacle by leveraging a directory traversal method related to the previously uncovered remote code execution in WebLogic Server (CVE-2020-14882). As a result, CVE-2021-2109 might be easily exploited by an unauthenticated hacker via a single HTTP request.

The vulnerability was assigned a 7.2 score according to CVSS Version 3.1, marking it as a high-severity bug. Notably, security holes in Oracle WebLogic Server quickly grab the attention of threat actors, increasing the chances of CVE-2021-2109 being exploited in the wild.

The vulnerability was reported to Oracle on November 19, 2020, by the Alibaba Cloud Security research group and patched by the vendor on January 20, 2021. The proof of concept exploits (both for authenticated and unauthenticated attackers) was released in January 2021.

The bug affects the following supported versions of Oracle WebLogic Server: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Users are urged to patch ASAP to prevent possible exploitation attempts.

CVE-2021-2109 Detection

To detect the malicious activity associated with the new Oracle WebLogic Server bug (CVE-2021-2109), you might apply a Sigma rule developed by SOC Prime Threat Bounty developer Emir Erdogan

https://tdm.socprime.com/tdm/info/yY5BqZlgeBNl/JdjQcncBR-lx4sDxsiba/

The rule has translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, RSA NetWitness, FireEye Helix, Humio, Graylog, LogPoint

EDR: Carbon Black

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)

Sign up to the Threat Detection Marketplace for free to reach the 90,000+ curated SOC content library. Over 300 contributors from 70 countries enrich the library each day so that security performers might detect the most alarming cyber threats at the earliest stages of the attack lifecycle. Have a desire to participate in threat hunting activities and develop your own detection rules? Join our Threat Bounty program and get rewarded for your input.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts