Skip to the content.

DIVD-2022-00038 - Vulnerable Oracle WebLogic Server

Our reference DIVD-2022-00038
Case lead Victor Pasman
Author Tom Wolters
Researcher(s)
CVE(s)
Product Oracle WebLogic Server
Versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Status Closed
Last modified 08 Mar 2023 20:26 CET

Summary

In January 2022 Oracle announced a critical patch update to mitigate multiple security vulnerabilities for their WebLogic Servers. DIVD started notifying owners of IP addresses where instances vulnerable to CVE-2022-21371 were found. A patch is available to mitigate this issue. Recipients of this email are advised to immediately update their Oracle WebLogic instance.

Impact

By leveraging the vulnerability, an unauthenticated attacker with network access to the Oracle WebLogic Server can see and download files readable for the WebLogic user. This means that files such as the sourcecode or possibly secrets stored on the server are readable by an malicious attacker.

What you can do

What we are doing

Timeline

Date Description
03 Jul 2022 DIVD starts investigating the scope and impact of the vulnerability.
03 Jul 2022 First version of this case file.
03 Jul 2022 First round of notifications sent to about 300 hosts
31 Aug 2022 Second round of notifications sent to about 165 hosts
05 Oct 2022 Third round of notifications sent to about 230 hosts
gantt title DIVD-2022-00038 - Vulnerable Oracle WebLogic Server dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00038 - Vulnerable Oracle WebLogic Server (247 days) :2022-07-03, 2023-03-07 section Events DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-07-03, 0d First version of this case file. : milestone, 2022-07-03, 0d First round of notifications sent to about 300 hosts : milestone, 2022-07-03, 0d Second round of notifications sent to about 165 hosts : milestone, 2022-08-31, 0d Third round of notifications sent to about 230 hosts : milestone, 2022-10-05, 0d

More information