CVE-2021-2142 Overview
CVE-2021-2142 affects the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw exists in version 10.3.6.0.0 and allows an unauthenticated attacker with HTTP network access to compromise the server. Successful exploitation requires user interaction from a person other than the attacker, consistent with a cross-site scripting or request-forgery style attack against an authenticated console user.
The scope is changed, meaning a successful attack can impact resources beyond the vulnerable component. Exploitation yields unauthorized read access to a subset of data and unauthorized create, update, or delete access to additional data.
Critical Impact
An unauthenticated attacker can trick a console user into triggering a request that modifies or discloses WebLogic Server data, with impact extending beyond the WebLogic component itself.
Affected Products
- Oracle WebLogic Server 10.3.6.0.0
- Oracle Fusion Middleware deployments using the affected Console component
- Applications dependent on the impacted WebLogic instance
Discovery Timeline
- 2021-04-22 - CVE-2021-2142 published to the National Vulnerability Database
- April 2021 - Oracle releases a fix in the Oracle Critical Patch Update Advisory - April 2021
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-2142
Vulnerability Analysis
The vulnerability resides in the WebLogic Server Administration Console, a web-based management interface used by administrators to configure servers, deployments, and security realms. The attack vector is network-based over HTTP, and exploitation does not require any privileges on the target system.
The requirement for user interaction combined with a changed scope indicates the flaw is triggered through an authenticated administrator's browser session. An attacker crafts a malicious link or page that, when visited by a privileged console user, causes the console to perform attacker-controlled actions on behalf of that user.
Because the WebLogic Console manages deployments, data sources, and security configurations, abuse can extend into other Fusion Middleware components served by the same server. Oracle classifies the impact as low confidentiality and low integrity, with no direct availability impact.
Root Cause
Oracle does not publish detailed root cause information for Critical Patch Update entries, and NVD assigns the placeholder weakness NVD-CWE-noinfo (insufficient information) to this issue. The behavioral characteristics (HTTP entry point, required victim interaction, and scope change) are consistent with insufficient validation or output encoding in a console request handler, allowing an attacker to influence server-side actions through a victim's browser.
Attack Vector
The attacker hosts or distributes a crafted URL or HTML payload targeting the WebLogic Administration Console. A console user with an active authenticated session visits the attacker-controlled content. The browser issues requests against the console endpoint, executing operations under the victim's privileges. Because scope is changed, downstream products managed through WebLogic may also be affected.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose only, in line with the Oracle Security Alert April 2021 advisory.
Detection Methods for CVE-2021-2142
Indicators of Compromise
- Unexpected configuration changes in the WebLogic Administration Console, including new data sources, deployments, or security realm modifications
- HTTP requests to /console/ endpoints whose Referer header points to an external domain, or that carry unusual User-Agent strings
- Console actions performed outside of normal administrator working hours or from atypical source IP addresses
Detection Strategies
- Review WebLogic access logs for console requests where the Referer header points to external, non-corporate domains
- Correlate administrator authentication events with subsequent configuration-change audit entries to identify actions inconsistent with operator intent
- Inspect outbound browser traffic from administrator workstations for visits to untrusted sites immediately preceding console activity
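As an added detection example (not from Oracle or this page), the following Python script implements the Referer check from the strategies above over WebLogic access log lines. It assumes the access log is configured in combined (extended) format with Referer and User-Agent fields, which the default common format omits; the trusted hostnames and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed format: WebLogic access.log in combined (extended) format with
# Referer and User-Agent fields; the default "common" format lacks them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostnames a legitimate console click would be navigated from (assumed values).
TRUSTED_HOSTS = {"wls-admin.corp.example", "10.10.20.5"}

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_console_request(rec, trusted_hosts=TRUSTED_HOSTS):
    """Flag a /console/ request whose Referer is foreign or, for a POST,
    absent: in-console navigation carries a Referer on the console host,
    so a foreign one matches the forged-request pattern of CVE-2021-2142."""
    if not rec["path"].startswith("/console/"):
        return False
    ref = rec["referer"]
    if ref in ("", "-"):
        return rec["method"] == "POST"
    return (urlsplit(ref).hostname or "") not in trusted_hosts

def find_suspicious(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return (ip, user, method, path, referer) for each flagged line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_console_request(rec, trusted_hosts):
            hits.append((rec["ip"], rec["user"], rec["method"],
                         rec["path"], rec["referer"]))
    return hits

# Constructed sample lines (not real traffic) in the assumed combined format.
SAMPLE_LOG = [
    '10.10.20.15 - weblogic [22/Apr/2021:10:01:02 +0000] "GET /console/console.portal?_nfpb=true HTTP/1.1" 200 5120 "https://wls-admin.corp.example/console/login/LoginForm.jsp" "Mozilla/5.0"',
    '10.10.20.15 - weblogic [22/Apr/2021:10:03:44 +0000] "POST /console/console.portal?_nfpb=true&_pageLabel=JDBCDataSourceCreate HTTP/1.1" 302 0 "https://lure-site.invalid/lure.html" "Mozilla/5.0"',
    '10.10.20.15 - weblogic [22/Apr/2021:10:04:10 +0000] "POST /console/console.portal?_nfpb=true HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.10.20.15 - - [22/Apr/2021:10:05:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 1200 "https://lure-site.invalid/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious console request:", hit)
```

On the constructed sample the script flags the JDBC data source creation with a foreign Referer and the POST with no Referer, while ignoring the in-console GET and the non-console request.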
Monitoring Recommendations
- Enable and forward WebLogic audit logs and AdminServer.log to a centralized log platform for retention and search
- Alert on changes to security realms, JDBC data sources, and deployed applications within the Administration Console
- Restrict and monitor network access to console TCP ports, treating any external access attempt as suspicious
How to Mitigate CVE-2021-2142
Immediate Actions Required
- Apply the Oracle Critical Patch Update from April 2021 to all WebLogic Server 10.3.6.0.0 instances
- Restrict access to the Administration Console to a dedicated management network or VPN
- Require administrators to use a separate browser profile or workstation for console access, isolated from general web browsing
Patch Information
Oracle addressed CVE-2021-2142 in the April 2021 Critical Patch Update. Administrators should consult the Oracle Security Alert April 2021 for the specific patch identifiers applicable to WebLogic Server 10.3.6.0.0 and apply them through Oracle Support.
Workarounds
- Block external network access to the WebLogic Administration Console using firewall rules or a reverse-proxy allowlist
- Disable the Administration Console on production servers where it is not actively required, per Oracle deployment guidance
- Enforce short console session timeouts to reduce the window during which a victim's session can be abused
# Example: restrict console access to a management subnet using iptables
# (7001 is the default WebLogic listen port; adjust to the AdminServer port in use).
# -A appends, so these rules must come before any broader ACCEPT rule already in
# the INPUT chain; otherwise use -I to insert them at the top of the chain.
iptables -A INPUT -p tcp --dport 7001 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.