Service Notices
Oracle WebLogic Remote Code Execution Vulnerabilities
Jul 22, 2021 GMT+08:00
I. Overview
Oracle released its Critical Patch Update for July 2021 (Q3), fixing security vulnerabilities in multiple products. Seven of them are in WebLogic Server: CVE-2021-2394, CVE-2021-2397, CVE-2021-2382, CVE-2021-2378, CVE-2021-2376, CVE-2015-0254, and CVE-2021-2403. The three high-risk ones, CVE-2021-2394, CVE-2021-2397 and CVE-2021-2382, are reachable over the IIOP and T3 protocols: an unauthenticated attacker with network access to a WebLogic listen port can send crafted requests and execute code remotely on the server.
If you use WebLogic or any other affected Oracle product, check your deployments and apply the patch or the mitigations below promptly.
Reference: Oracle Critical Patch Update Advisory - July 2021
The quarterly update fixes 342 security vulnerabilities in total, including ones in Oracle WebLogic Server, Oracle WebCenter Portal, Oracle BI Publisher, and Oracle Data Integrator. For details on the individual vulnerabilities, see the Oracle advisory referenced above.
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. WebLogic Vulnerability Details
CVE ID | Affected Component | Severity | Affected Versions |
CVE-2021-2394 | Core | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2021-2397 | Core | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2021-2382 | Security | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2021-2378 | Core | Moderate | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2021-2376 | Web Services | Moderate | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2015-0254 | Third Party Tools (Apache Standard Taglibs) | Moderate | 10.3.6.0.0, 12.1.3.0.0 |
CVE-2021-2403 | Core | Minor | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
(Note: Only the WebLogic Server vulnerabilities are listed above. For the other affected products, see Oracle's official website.)
IV. Affected Products and Components
Oracle WebLogic, Oracle WebCenter Portal, Oracle BI Publisher, and Oracle Data Integrator
V. Security Recommendations
These vulnerabilities are fixed in the July 2021 Critical Patch Update. Log in to https://support.oracle.com with a valid support account and download the patch for your WebLogic version.
If you cannot patch promptly, apply the mitigations Oracle recommends: disable or restrict the network protocols and privileges the vulnerabilities depend on.
For the high-risk vulnerabilities CVE-2021-2394, CVE-2021-2397 and CVE-2021-2382, disabling the T3 and IIOP protocols removes the attack path. IIOP can be turned off per server in the Administration Console (Environment > Servers > [server] > Protocols > IIOP, clear Enable IIOP). T3 is WebLogic's default RMI protocol and cannot simply be switched off; instead, configure a connection filter (Security Realms > [realm] > Configuration > General, filter class weblogic.security.net.ConnectionFilterImpl) with rules that deny t3 and t3s from every address except trusted management hosts, and make sure the listen ports are not exposed to the Internet. These mitigations only block the T3/IIOP vector; they do not fix the vulnerabilities, so patching remains required.
Note: Before applying patches or configuration changes, back up the domain and test the changes in a non-production environment.
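To check whether a listen port still accepts T3 (and which WebLogic release line it announces) before and after applying the mitigation above, the following probe can be used. It is an added example written for this notice, not code from the original page or from Oracle. It assumes the host and port are yours to test, that the peer speaks the public T3 greeting (`t3 <ver>\nAS:255\nHL:19\n\n`, answered by a `HELO:` line carrying the server version), and that the affected release lines are the ones in the table in section III. IIOP shares the same listen port but is not probed here.

```python
"""T3 reachability and version check for a WebLogic listen port.

Added example for this notice, not code from the original page or from Oracle.
Assumptions: the host and port you pass are yours to test, and the peer speaks
the public T3 greeting ("t3 <ver>\\nAS:255\\nHL:19\\n\\n" answered by "HELO:...").
IIOP shares the same listen port but is not probed here.
"""
import re
import socket
import sys

# Release lines taken from the table in section III of the notice.
AFFECTED_VERSIONS = ("10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0")

# Minimal T3 client greeting; the server answers with its own version, e.g.
# b"HELO:12.2.1.4.false\nAS:2048\nHL:19\nMS:10000000\n\n"
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"
_HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)")


def release_line(version: str) -> str:
    """Normalise '12.2.1.4.0' and '12.2.1.4' to the same four-component line."""
    return ".".join(version.split(".")[:4])


def parse_t3_helo(response: bytes):
    """Return the version announced in a T3 HELO, or None if the peer did not speak T3."""
    m = _HELO_RE.match(response)
    return m.group(1).decode() if m else None


def is_affected_version(version: str) -> bool:
    """True if the announced version is one of the release lines in the notice.

    Caveat: the CPU patch does not change this string, so True means 'in scope
    for this notice', not 'unpatched'. Confirm the patch level with OPatch lsinventory.
    """
    return release_line(version) in {release_line(v) for v in AFFECTED_VERSIONS}


def assess_t3_response(response: bytes) -> dict:
    """Classify what a listen port sent back after our T3 greeting."""
    version = parse_t3_helo(response)
    if version is None:
        # An empty reply means the connection was closed without a HELO, which is
        # what you should see once T3 is denied; anything else is another protocol.
        detail = "closed" if not response else response[:40].decode(errors="replace")
        return {"t3": False, "version": None, "in_scope": False, "detail": detail}
    return {"t3": True, "version": version,
            "in_scope": is_affected_version(version), "detail": "HELO"}


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Open a TCP connection, send the T3 greeting and assess the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HELLO)
            data = sock.recv(1024)
    except OSError as exc:
        return {"t3": False, "version": None, "in_scope": False,
                "detail": f"unreachable: {exc}"}
    return assess_t3_response(data)


if __name__ == "__main__":
    # Usage: python t3_probe.py <host> [port]; defaults to the local admin port.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    print(probe_t3(target_host, target_port))
```

Run it from an untrusted network position before and after configuring the connection filter: a `HELO` reply after the filter is in place means the deny rule does not cover that listener or source address. A closed connection confirms the T3 vector is blocked for that source, but says nothing about whether the patch itself has been applied.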