Remote Code Execution Vulnerability in Oracle WebLogic Server

CVE-2024-21006

7.5HIGH

Key Information

Vendor: Oracle
Product: Weblogic Server
CVE Published: 16 April 2024

Badges

👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

Summary

CVE-2024-21006 is a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware, affecting supported versions 12.2.1.4.0 and 14.1.1.0.0. It is easily exploitable and allows an unauthenticated attacker with network access via the T3 or IIOP protocols to compromise Oracle WebLogic Server; successful exploitation results in unauthorized access to critical data, up to complete access to all data reachable by the server. The CVSS 3.1 base score is 7.5 (HIGH), with the impact confined to confidentiality: Oracle's scoring assigns no integrity or availability impact, although the public analysis linked under News Articles describes a JNDI-injection chain leading to remote code execution. Exploitation in the wild by ransomware groups is not known at this time, but a public proof of concept exists, so affected users should apply Oracle's fix as soon as possible to prevent unauthorized data access.
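The attack surface is the T3/IIOP listener, so the first thing a defender wants is an inventory of hosts that still expose T3 and report one of the two affected version lines. The script below is an added example, not code from this page or from Oracle: it sends the standard T3 client greeting, parses the HELO banner the listener answers with, and compares the reported version against the affected list above. The sample responses embedded at the bottom are constructed for offline use, not captured from a real host, and the port and timeout are assumptions.

```python
import re
import socket
import sys

# Versions Oracle lists as affected by CVE-2024-21006 (from the advisory text above).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Standard T3 client greeting. A WebLogic T3 listener answers "HELO:<version>..."
# while anything else (HTTP, closed port, filtered port) does not.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"


def parse_t3_helo(response: bytes):
    """Return the server version string from a T3 HELO banner, or None if the
    response is not a T3 banner (e.g. an HTTP error page)."""
    m = re.match(rb"HELO:(\d+(?:\.\d+)*)", response)
    if not m:
        return None
    return m.group(1).decode("ascii")


def is_affected(version) -> bool:
    """True when the banner version is one of the lines Oracle lists as affected."""
    return version in AFFECTED_VERSIONS


def classify(response: bytes) -> str:
    """Map a raw response to one of: 'no-t3', 'affected', 'not-listed'."""
    version = parse_t3_helo(response)
    if version is None:
        return "no-t3"
    return "affected" if is_affected(version) else "not-listed"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0):
    """Send the T3 greeting to host:port and return (classification, version).
    Port 7001 is the WebLogic default and is an assumption here."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        data = s.recv(1024)
    return classify(data), parse_t3_helo(data)


# Constructed sample banners (not captured from real hosts) so the parser can be
# exercised without network access.
SAMPLE_T3_AFFECTED = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_T3_OTHER = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_NOT_T3 = b"HTTP/1.1 400 Bad Request\r\n\r\n"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration on the constructed samples.
        for label, sample in (("affected", SAMPLE_T3_AFFECTED),
                              ("other", SAMPLE_T3_OTHER),
                              ("http", SAMPLE_NOT_T3)):
            print(f"{label:9s} -> {classify(sample)} ({parse_t3_helo(sample)})")
    else:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        try:
            result, version = probe_t3(host, port)
            print(f"{host}:{port} -> {result} (version {version})")
        except OSError as exc:
            print(f"{host}:{port} -> unreachable ({exc})")
```

Treat an "affected" result as "investigate", not "vulnerable": the HELO banner carries the release line only, not the patch-set level, so a 12.2.1.4.0 host that already has the April 2024 fix applied reports the same version as one that does not. A "no-t3" result on every listener, by contrast, is positive evidence that the T3 path to this bug is closed from that vantage point.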

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

SANS ISC Stormcast: Daily Network Security News Summary; Cyber Security Podcast

Daily Cyber Security News Podcast, Author: Dr. Johannes B. Ullrich

8 months ago

ISC StormCast for Wednesday, May 8th, 2024

Detecting XFinity/Comcast DNS Spoofing https://isc.sans.edu/diary/Detecting%20XFinity%20Comcast%20DNS%20Spoofing/30898 Weblogic PoC CVE-2024-21006 https://pwnull.github.io/2024/oracle%20weblogic%20CVE-2024-21006%20Double-JNDInjection%20RCE%20analyze/ https://github.com/momika233/CVE-2024-21006 PDF...

8 months ago

CVE-2024-21006 Archives - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

WebLogic T3/IIOP Information Disclosure Vulnerability (CVE-2024-21006/CVE-2024-21007) April 18, 2024 Overview Recently, NSFOCUS CERT detected that Oracle has released a security announcement and fixed...

8 months ago

References

CVSS v3.1

Score: 7.5
Severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by NSFocus

  • Vulnerability published

Collectors

  • NVD Database

  • 1 Proof of Concept(s)

  • 3 News Article(s)