CVE-2022-21306 Overview
CVE-2022-21306 is a critical insecure deserialization vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware affecting the Core component. This vulnerability allows an unauthenticated attacker with network access via the T3 protocol to completely compromise Oracle WebLogic Server instances. The attack requires no user interaction and can be executed remotely, making it particularly dangerous for internet-facing WebLogic deployments.
Critical Impact
Successful exploitation results in complete takeover of Oracle WebLogic Server with full impact to confidentiality, integrity, and availability. Attackers can execute arbitrary code, access sensitive data, and disrupt business operations.
Affected Products
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 12.2.1.3.0
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 14.1.1.0.0
Discovery Timeline
- 2022-01-19 - CVE-2022-21306 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21306
Vulnerability Analysis
This vulnerability exists in the Core component of Oracle WebLogic Server and is exploitable through T3, Oracle's proprietary protocol for remote method invocation (RMI) and JNDI lookups between WebLogic clients and servers. T3 is multiplexed on the same listen port as HTTP (typically 7001), and the T3 listener accepts serialized Java objects from remote clients without adequate validation.
The vulnerability allows unauthenticated attackers to send specially crafted serialized objects to the WebLogic T3 listener. When these malicious objects are deserialized by the server, arbitrary code execution occurs in the context of the WebLogic Server process, typically running with elevated privileges.
WebLogic Server has historically been a target for deserialization attacks due to its extensive use of Java serialization for inter-process communication. This vulnerability follows a pattern of similar issues that have affected WebLogic's T3 protocol implementation over the years.
Root Cause
The root cause stems from insecure deserialization practices in the WebLogic Core component. The T3 protocol handler accepts and deserializes Java objects from unauthenticated network sources without sufficient validation of the object types being deserialized. This allows attackers to leverage gadget chains present in the server's classpath to achieve remote code execution.
Attack Vector
The attack is conducted over the network via the T3 protocol, typically accessible on port 7001. An attacker establishes a T3 connection to the vulnerable WebLogic Server and transmits a maliciously crafted serialized Java object. The server's deserialization process then instantiates the malicious object, triggering the execution of arbitrary code embedded within the serialized payload.
The attack sequence typically involves:
- Identifying an exposed WebLogic T3 listener
- Crafting a serialized Java object containing a malicious gadget chain
- Sending the payload via T3 protocol
- Achieving code execution when the server deserializes the object
Detection Methods for CVE-2022-21306
Indicators of Compromise
- Unexpected outbound network connections from WebLogic Server processes
- Unusual process spawning from java.exe or java processes associated with WebLogic
- Anomalous T3 protocol traffic containing serialized Java objects with known gadget class signatures
- Unexplained modifications to WebLogic configuration files or deployed applications
Detection Strategies
- Monitor T3 protocol traffic on port 7001 for serialized object payloads containing known malicious class names
- Implement network intrusion detection rules to identify T3 protocol handshakes followed by suspicious serialized data patterns
- Deploy endpoint detection to monitor WebLogic processes for unexpected child process creation or file system modifications
- Review WebLogic server logs for deserialization errors or exceptions indicating exploitation attempts
Monitoring Recommendations
- Enable detailed logging for T3 protocol connections in WebLogic Server
- Configure SIEM rules to alert on suspicious T3 traffic patterns originating from untrusted networks
- Monitor for known serialization gadget classes in network traffic using deep packet inspection
- Establish baseline behavior for WebLogic processes and alert on deviations
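The detection strategies and monitoring recommendations above reduce to a few concrete checks. The script below is an added example, not part of the advisory and not Oracle tooling: it recognises the T3 client handshake at the start of a captured session, locates a Java serialization stream by its AC ED 00 05 magic, extracts the class names the stream declares and flags any that fall outside a reviewed baseline, and scans server-log lines for JEP 290 filter rejections and other deserialization exceptions. The class-name extraction is a heuristic rather than a full parser of the serialization format, the handshake check looks only at the first line a T3 client sends, and the baseline allowlist, the sample session and the log lines are all constructed.

```python
"""Triage a captured T3 session and WebLogic server-log lines for signs of
deserialization abuse.

Added example, not code from the advisory or from Oracle. It
 (1) recognises the T3 client handshake ("t3 <version>") opening a session,
 (2) locates a Java serialization stream (magic AC ED 00 05) in the bytes,
 (3) extracts class names from TC_CLASSDESC records with a conservative heuristic,
 (4) flags classes absent from a reviewed baseline, and
 (5) scans log lines for JEP 290 rejections and other deserialization errors.
The allowlist, the sample session and the log lines are constructed.
"""
from __future__ import annotations

import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"                  # ObjectOutputStream magic + version
TC_CLASSDESC = 0x72                                 # tag preceding a class name in the stream
T3_HANDSHAKE = re.compile(rb"^t3s? \d+(\.\d+)*\n")  # first line a T3/T3S client sends
# Java class names as they appear in the stream: dotted identifiers, optionally array-typed.
CLASS_NAME = re.compile(rb"^\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+;?$")
# Log text worth an alert: JEP 290 filter rejections and stream-level failures.
DESER_ERROR = re.compile(r"filter status: REJECTED|InvalidClassException|StreamCorruptedException")

# Constructed baseline of classes this deployment legitimately exchanges over T3.
# Build it from reviewed traffic; anything outside it is surfaced for analyst review.
BASELINE_ALLOWLIST = frozenset({"java.lang.String", "java.util.HashMap", "com.example.app.OrderDTO"})


def is_t3_handshake(session: bytes) -> bool:
    """True when the session opens with a T3/T3S client handshake line."""
    return T3_HANDSHAKE.match(session) is not None


def extract_class_names(session: bytes) -> list[str]:
    """Class names declared by TC_CLASSDESC records after the first serialization magic.

    Heuristic, not a full parser: a 0x72 byte followed by a big-endian length and a
    well-formed dotted class name is taken to be a class descriptor.
    """
    names: list[str] = []
    start = session.find(STREAM_MAGIC)
    if start < 0:
        return names
    pos = start + len(STREAM_MAGIC)
    while True:
        pos = session.find(bytes([TC_CLASSDESC]), pos)
        if pos < 0 or pos + 3 > len(session):
            break
        length = struct.unpack_from(">H", session, pos + 1)[0]
        candidate = session[pos + 3 : pos + 3 + length]
        if 0 < length <= 255 and len(candidate) == length and CLASS_NAME.match(candidate):
            name = candidate.decode("ascii")
            if name not in names:
                names.append(name)
            pos += 3 + length
        else:
            pos += 1
    return names


def triage(session: bytes, allowlist: frozenset[str] = BASELINE_ALLOWLIST) -> dict:
    """Summarise one session: handshake seen, serialized payload seen, classes named."""
    classes = extract_class_names(session)
    return {
        "t3_handshake": is_t3_handshake(session),
        "serialized_payload": STREAM_MAGIC in session,
        "classes": classes,
        "unexpected_classes": [c for c in classes if c not in allowlist],
    }


def scan_server_log(lines: list[str]) -> list[str]:
    """Return the log lines that report a deserialization failure."""
    return [line for line in lines if DESER_ERROR.search(line)]


def build_sample_session() -> bytes:
    """Constructed session: a T3 handshake, then a minimal serialized object whose
    class descriptor names a made-up class. Illustrative only, not a real payload."""
    handshake = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    class_name = b"com.example.constructed.Gadget"
    classdesc = bytes([TC_CLASSDESC]) + struct.pack(">H", len(class_name)) + class_name
    # serialVersionUID, flags, zero fields, TC_ENDBLOCKDATA, TC_NULL superclass
    classdesc += b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70"
    return handshake + STREAM_MAGIC + b"\x73" + classdesc  # 0x73 = TC_OBJECT


# Constructed lines in WebLogic server-log layout; only the message text is inspected.
SAMPLE_LOG_LINES = [
    "####<Jan 20, 2022 10:15:01 AM UTC> <Info> <RJVM> <host1> <AdminServer> <main> <<WLS Kernel>> <> <> <1642673701000> <BEA-000000> <Connection established>",
    "####<Jan 20, 2022 10:15:02 AM UTC> <Error> <RJVM> <host1> <AdminServer> <[ACTIVE] ExecuteThread: '3'> <<WLS Kernel>> <> <> <1642673702000> <BEA-000000> <java.io.InvalidClassException: filter status: REJECTED>",
    "####<Jan 20, 2022 10:15:03 AM UTC> <Info> <WebLogicServer> <host1> <AdminServer> <main> <<WLS Kernel>> <> <> <1642673703000> <BEA-000365> <Server state changed to RUNNING.>",
]


if __name__ == "__main__":
    print(triage(build_sample_session()))
    for hit in scan_server_log(SAMPLE_LOG_LINES):
        print("ALERT:", hit)
```

Feed `triage` the reassembled client-to-server bytes of a TCP session from a packet capture or an IDS stream extractor; a handshake plus a serialized payload naming classes outside the baseline is the condition to alert on, and the JEP 290 rejection lines from the server log corroborate it from the host side.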
How to Mitigate CVE-2022-21306
Immediate Actions Required
- Apply the Oracle Critical Patch Update from January 2022 immediately
- Restrict network access to T3 protocol listeners using firewall rules to allow only trusted sources
- Consider disabling T3 protocol if not required for business operations
- Implement network segmentation to isolate WebLogic servers from untrusted networks
Patch Information
Oracle has released patches for this vulnerability as part of the January 2022 Critical Patch Update. Organizations should apply the appropriate patch for their WebLogic Server version. The patch addresses the insecure deserialization issue in the Core component.
Affected versions requiring patching:
- 12.1.3.0.0 - Apply January 2022 CPU
- 12.2.1.3.0 - Apply January 2022 CPU
- 12.2.1.4.0 - Apply January 2022 CPU
- 14.1.1.0.0 - Apply January 2022 CPU
Workarounds
- Implement connection filters to restrict T3 protocol access to authorized IP addresses only
- Deploy a web application firewall (WAF) to inspect and block malicious serialized payloads
- Use network ACLs to block T3 protocol access from untrusted networks while allowing HTTP/HTTPS
- Enable WebLogic's built-in serialization filtering mechanisms to block known dangerous classes
# WebLogic connection filter configuration example
# Set in the Administration Console under Domain > Security > Filter:
#   Connection Filter: weblogic.security.net.ConnectionFilterImpl
#   Connection Filter Rules: the two rules below (persisted in config.xml)
# Rule syntax: target localAddress localPort action [protocols...]
# Rules are evaluated top to bottom and the first match wins, so the catch-all
# deny rule must come last; a connection matching no rule is accepted by the default filter.
# Allow T3/T3S from the trusted management network only:
10.0.0.0/8 * * allow t3 t3s
# Deny T3/T3S from every other source (HTTP/HTTPS are not affected):
0.0.0.0/0 * * deny t3 t3s
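A connection filter only helps if its rules are ordered correctly and end in a catch-all deny. The evaluator below is an added example, not Oracle's code and not part of this page: it parses rules in the grammar used by weblogic.security.net.ConnectionFilterImpl (target, local address, local port, action, protocols), applies them first-match-wins to a set of connections the policy must allow or deny, and reports every mismatch, so a rule set can be checked offline before it is deployed. It assumes that a connection matching no rule is allowed, as documented for ConnectionFilterImpl, uses 0.0.0.0/0 as the catch-all target (the form Oracle's documentation uses for a deny-all rule), and handles IP and CIDR targets only, not hostnames; the rule sets, the server address and the test cases are constructed.

```python
"""Check a WebLogic-style connection filter rule set offline before applying it.

Added example, not Oracle's code. Rules follow the ConnectionFilterImpl grammar
    target localAddress localPort action [protocols...]
and are evaluated as the filter does: top to bottom, first match wins. A
connection matching no rule falls through to DEFAULT_ACTION, assumed to be
"allow" (the documented ConnectionFilterImpl behaviour), which is why an
explicit catch-all deny matters. Targets are limited to IP addresses and
CIDR or address/mask networks; hostnames are not resolved here.
Rule sets, server address and test cases are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DEFAULT_ACTION = "allow"  # assumption: connections matching no rule are accepted

# Rule set equivalent to the advisory's workaround: T3/T3S only from the
# management network, denied from everywhere else.
RULES_FROM_ADVISORY = """
# trusted management network may use T3 and T3S
10.0.0.0/8 * * allow t3 t3s
# everyone else is denied T3 and T3S; HTTP/HTTPS are untouched
0.0.0.0/0 * * deny t3 t3s
"""

# The same two rules with the deny placed first: first match wins, so the
# management network is locked out as well.
MISORDERED_RULES = """
0.0.0.0/0 * * deny t3 t3s
10.0.0.0/8 * * allow t3 t3s
"""

SERVER_ADDRESS = "192.0.2.10"  # constructed listen address of the WebLogic instance

# (source address, local port, protocol, action the policy must produce)
POLICY_CASES = [
    ("10.20.30.40", 7001, "t3", "allow"),      # management network over T3
    ("198.51.100.7", 7001, "t3", "deny"),      # untrusted source over T3
    ("198.51.100.7", 7001, "t3s", "deny"),     # ... and over T3S
    ("198.51.100.7", 7001, "https", "allow"),  # HTTPS must stay reachable
]


@dataclass(frozen=True)
class Rule:
    target: ipaddress.IPv4Network | ipaddress.IPv6Network
    local_address: str         # "*" or a specific listen address
    local_port: str            # "*" or a port number as written
    action: str                # "allow" or "deny"
    protocols: frozenset[str]  # empty means the rule applies to every protocol


def parse_rule(line: str) -> Rule:
    """Parse one rule; malformed input raises ValueError so typos fail loudly."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed rule: {line!r}")
    target, local_address, local_port, action, *protocols = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    # ip_network accepts CIDR, dotted netmask and single addresses (treated as /32).
    network = ipaddress.ip_network(target, strict=False)
    return Rule(network, local_address, local_port, action, frozenset(protocols))


def parse_rules(text: str) -> list[Rule]:
    """Parse a rule set, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def evaluate(rules: list[Rule], source_ip: str, local_address: str, local_port: int, protocol: str) -> str:
    """Action for one connection: the first matching rule, else DEFAULT_ACTION."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if src.version != rule.target.version or src not in rule.target:
            continue
        if rule.local_address != "*" and rule.local_address != local_address:
            continue
        if rule.local_port != "*" and rule.local_port != str(local_port):
            continue
        if rule.protocols and protocol not in rule.protocols:
            continue
        return rule.action
    return DEFAULT_ACTION


def check_policy(rules: list[Rule], cases=POLICY_CASES) -> list[tuple]:
    """(source, port, protocol, expected, actual) for every case the rules get wrong."""
    failures = []
    for source_ip, local_port, protocol, expected in cases:
        actual = evaluate(rules, source_ip, SERVER_ADDRESS, local_port, protocol)
        if actual != expected:
            failures.append((source_ip, local_port, protocol, expected, actual))
    return failures


if __name__ == "__main__":
    for label, text in (("advisory", RULES_FROM_ADVISORY), ("misordered", MISORDERED_RULES)):
        print(label, "->", check_policy(parse_rules(text)) or "policy holds")
```

Run it against the exact rule text you intend to paste into the console; an empty failure list for the advisory rules, a locked-out management network for the misordered set, and an internet-reachable T3 listener for an allow-only set show the two mistakes the evaluator is meant to catch.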
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.