A critical vulnerability has been found in Oracle WebLogic Server, allowing attackers to exploit a secondary JNDI injection flaw and gain full control over the affected system. Tracked as CVE-2024-20931 and CVE-2024-21006, this vulnerability enables attackers to execute arbitrary code remotely by triggering JNDI injection during a lookup process. The exploitation techniques involve leveraging specific classes and attributes within WebLogic, such as implementing the OpaqueReference interface and manipulating the java.naming.factory.object attribute during InitialContext initialization.
Oracle has released patches to address this issue as part of the official Oracle Q2 quarterly update. However, attackers could still exploit the vulnerability if the patches are not applied promptly. Organizations are strongly advised to apply the patches and follow recommended security best practices to mitigate the risk of exploitation.
A newly discovered vulnerability in Oracle WebLogic Server allows attackers to exploit a secondary JNDI injection flaw, resulting in Remote Code Execution (RCE) on the targeted system. This vulnerability, identified as CVE-2024-20931 and CVE-2024-21006, enables attackers to trigger JNDI injection during a lookup process, effectively bypassing normal restrictions and executing arbitrary code.
The vulnerability can be exploited through two main methods:
Exploitation via OpaqueReference Interface: Attackers can exploit WebLogic’s JNDI functionality by implementing the OpaqueReference interface and using the ForeignOpaqueReference class. By triggering a malicious lookup operation, attackers can inject JNDI and execute arbitrary code via the getReferent method.
Manipulation of InitialContext Initialization: By setting the java.naming.factory.object attribute to the MessageDestinationObjectFactory class during InitialContext initialization, attackers can exploit the getObjectInstance method and trigger JNDI injection during a lookup operation. This method allows attackers to execute arbitrary code on the WebLogic server.
The vulnerability is addressed in the official Oracle Q2 quarterly update, which includes patches to mitigate the risk. However, organizations must promptly apply these patches to prevent exploitation. Failure to do so may leave systems vulnerable to remote attacks.
Mitigation Steps:
Apply Patches: Oracle has released patches to address this vulnerability as part of the official Oracle Q2 quarterly update. Users are strongly advised to apply these patches immediately to mitigate the risk of exploitation.
Restrict Network Exposure: Minimize network exposure for Oracle WebLogic Server instances by ensuring they are not accessible from the internet. Use firewalls to restrict access and isolate critical systems from external networks.
Implement Secure Configuration: Configure WebLogic Server instances to follow secure best practices, including restricting access to sensitive functionality and applying the principle of least privilege.
Monitor for Suspicious Activity: Regularly monitor WebLogic Server logs and network traffic for any signs of suspicious activity. Implement intrusion detection systems and conduct regular security audits to identify and address potential vulnerabilities.
