Andrey_Shalnev
F5 Employee

Recently, Oracle published a new critical update advisory. One of the fixes in it is for CVE-2021-2109, which affects WebLogic servers.

The vulnerability allows an authenticated user to abuse the “JndiBinding” handler and trigger a JNDI (Java Naming and Directory Interface) lookup operation that fetches and deserializes a malicious class from an attacker-controlled server. Deserialization of the malicious class could result in arbitrary code execution on the WebLogic server.

A day after the patch was released, a proof of concept (PoC) was published by a researcher from the Alibaba Cloud research group, who originally reported this vulnerability to Oracle.

Remote code execution vulnerabilities in WebLogic servers usually capture the attention of threat actors quickly, and they rapidly adopt them as part of their arsenal and integrate them into their operations.

The vulnerability can be exploited using a single HTTP request:

Figure 1: Proof of concept HTTP request exploit for CVE-2021-2109

 

This vulnerability requires the attacker to be authenticated first. To overcome that, it could be combined with the directory traversal method used in the previously published remote code execution vulnerability in the WebLogic console (CVE-2020-14882), which allowed unauthenticated access. Proofs of concept for this combination are already available:

Figure 2: Proof of concept exploit combining CVE-2021-2109 and CVE-2020-14882
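
For teams reviewing web or proxy logs, the following added example (not from the original article, and not F5's signature logic) flags request targets that combine the two traits described above, a reference to the JndiBinding handler and a remote JNDI URL, and notes when a traversal sequence is also present. The regular expressions, verdict labels, sample paths and the `handle` parameter are assumptions made for illustration, and only the request target is inspected.

```python
import re
from urllib.parse import unquote

# Patterns are this example's assumptions, derived from the article's description.
HANDLER = re.compile(r"jndibinding", re.I)                    # abused console handler
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|iiop|dns)://", re.I)  # remote JNDI lookup target

def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so multiply-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def indicators(target):
    """Return the set of indicators present in a request target."""
    decoded = fully_decode(target)
    found = set()
    if HANDLER.search(decoded):
        found.add("jndi-binding-handler")
    if JNDI_URL.search(decoded):
        found.add("remote-jndi-url")
    if "../" in decoded or "..\\" in decoded:
        found.add("path-traversal")
    return found

def verdict(target):
    """Flag only when the handler and a remote JNDI URL occur together."""
    found = indicators(target)
    if not {"jndi-binding-handler", "remote-jndi-url"} <= found:
        return None
    return "jndi-injection+traversal" if "path-traversal" in found else "jndi-injection"

# Constructed request targets: the paths and the "handle" parameter are hypothetical
# placeholders, not the real console URL or the published proof of concept.
SAMPLES = [
    "/console/login/LoginForm.jsp",
    "/console/example.portal?handle=JndiBindingHandle(%22ldap://host.invalid/obj%22)",
    "/console/static/%252e%252e%252fexample.portal?handle=JndiBindingHandle(%22ldap://host.invalid/obj%22)",
    "/app/search?q=ldap%3A%2F%2Fdirectory.invalid",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample) or "clean", sample)
```

Requiring both the handler and the JNDI URL keeps ordinary requests that merely mention an LDAP URL from being flagged.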

 

Mitigation with BIG-IP Advanced WAF (Attack Signatures and Threat Campaigns)

Advanced WAF customers on any supported version can be protected with the newly released attack signature 200104674 (Oracle WebLogic Console JNDI Injection), which can be found under the Server-Side Code Injection attack type signatures.


Figure 3: Exploit attempt blocked by signature id 200104674

 

Customers with a Threat Campaigns license subscription can also be protected by the newly released “Oracle WebLogic Console JndiBindingHandler RCE” Threat Campaign.


Figure 4: Exploit attempt blocked by “Oracle WebLogic Console JndiBindingHandler RCE” Threat Campaign.

Last update: 21-Jan-2021 10:35