CVE-2024-20931 – Oracle WebLogic Server Deserialization Remote Code Execution (RCE)
Disclosed: January 2024
CVSS v3 Score: 7.5 (High)
Vulnerability Type: Remote Code Execution
Affected Software: Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Oracle Fusion Middleware)
Exploit Author: dinosn
Reference: GitHub Repository
Overview
CVE-2024-20931 is a deserialization vulnerability in Oracle WebLogic Server that allows an unauthenticated remote attacker to execute arbitrary code by sending a crafted request to the server. The flaw is unsafe deserialization of attacker-controlled Java objects received on the T3 listener; Oracle's advisory lists both T3 and IIOP as attack vectors, so any host with either listener reachable from the network is in scope.
The issue affects the Oracle WebLogic Server component of Oracle Fusion Middleware and is one of several T3-based deserialization bugs Oracle has patched in recent years.
Technical Details
The exploit leverages an unsafe readObject() invocation in the internal components that deserialize attacker-controlled data sent over T3, a proprietary Oracle protocol that carries RMI and JNDI traffic between WebLogic clients, servers and cluster members. Because T3 is also the client protocol, it is served on the same listen port as HTTP (7001 by default) unless a separate network channel is configured, which is what makes these bugs reachable from outside.
Key Points:
- The vulnerability exists in the T3 object deserialization logic.
- Attacker can exploit it remotely without authentication.
- The payload is a gadget chain generated by ysoserial (CommonsCollections1 in the PoC's default configuration).
- The chain ends in a Runtime.exec() call with the attacker-supplied command, so the result is arbitrary command execution as the OS account running the WebLogic JVM. Note that the CommonsCollections1 chain depends on commons-collections 3.1 being on the classpath and on AnnotationInvocationHandler behaviour that was removed in JDK 8u72; if the default payload fails, the gadget choice, not the T3 entry point, is the variable to change.
Exploit Flow:
- Attacker crafts a malicious serialized object using ysoserial.
- Completes the T3 hello handshake and sends the payload to the vulnerable WebLogic server over the T3 listen port (default: 7001).
- The server deserializes the object without a class filter that would reject the gadget classes.
- The gadget chain triggers command execution on the server.
Proof of Concept (PoC)
The GitHub repository provides a fully working PoC that includes:
- Payload generation using ysoserial.
- A custom client that sends the payload using the T3 protocol to a target WebLogic server.
- Usage example:
python3 CVE-2024-20931.py -t <target_ip> -p 7001 -c "whoami"
Requirements:
- Python 3
- ysoserial.jar in the working directory (and a Java runtime to execute it)
- Target must be running a vulnerable version of Oracle WebLogic Server with T3 exposed
Affected Versions
Oracle's January 2024 Critical Patch Update (CPU) risk matrix lists Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 as affected, with T3 and IIOP as the attack vectors. Since a CPU does not change the version string a server reports, an installation on either line should be treated as vulnerable until the January 2024 (or later) patch is confirmed installed on the host. Upgrading to the latest supported release and applying Oracle's current CPU is recommended.
Mitigation
- Upgrade WebLogic: apply the January 2024 CPU (or any later CPU) provided by Oracle; none of the configuration measures below substitutes for the patch.
- Restrict T3 access: limit the T3 port (default 7001) at the firewall, and additionally configure a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl) to deny t3, t3s and iiop from untrusted address ranges, since a perimeter firewall does nothing against an attacker already on the internal network.
- Disable T3 protocol: if no client needs it, disable T3 on externally reachable network channels as per Oracle security guidelines. The default channel serves HTTP and T3 on the same port, so if only HTTP must be public, put it on a dedicated channel rather than exposing the default one.
- Deserialization hardening: review and avoid use of Java serialization where possible, and keep a JVM-level serialization filter (JEP 290, jdk.serialFilter) in place as defence in depth.
Detection
- Monitor for T3 traffic from sources that are not known WebLogic clients, admin hosts or cluster members; the T3 client hello is a cleartext "t3 <version>" banner, so it is simple to match at the network layer.
- Alert on child processes of the WebLogic java process and on outbound connections from it that do not match its normal peers. The ysoserial chains end in Runtime.exec(), so the attacker's command appears directly as a child of the JVM.
- Inspect T3 streams for gadget-chain class names (for example org.apache.commons.collections.functors.InvokerTransformer) rather than for Java serialization itself: legitimate T3 RMI traffic also consists of serialized Java objects, so the serialization header alone is not an indicator.
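The detection logic from the list above, as an added example that is neither the PoC's nor Oracle's code: a scanner that flags CommonsCollections gadget classes inside a T3 stream without treating ordinary Java serialization as suspicious, and a connection-level check for T3 from unknown sources. The sample flows and the two T3 streams are constructed for the example (fragments of TC_CLASSDESC records, not full valid streams), and the client allowlist is an assumption.

```python
"""Detection helpers for T3 deserialization attempts (added example).

Not from the referenced PoC or from Oracle. The sample flows and T3 streams
below are constructed for the example; the class names are the ones a
ysoserial CommonsCollections1 payload carries in its stream.
"""
import re
from typing import Dict, Iterable, List

T3_PORT = 7001
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"          # ObjectOutputStream header
T3_HELLO = re.compile(rb"^t3s? \d+(\.\d+)+\n")   # cleartext client banner

# Gadget-chain classes, grouped by family. A class name appears verbatim
# (modified UTF-8) inside the TC_CLASSDESC records of a serialized stream.
GADGET_CLASSES = {
    "CommonsCollections": [
        b"org.apache.commons.collections.functors.InvokerTransformer",
        b"org.apache.commons.collections.functors.ChainedTransformer",
        b"org.apache.commons.collections.functors.ConstantTransformer",
        b"org.apache.commons.collections.map.LazyMap",
    ],
}


def scan_t3_stream(data: bytes) -> Dict[str, object]:
    # Serialized Java objects alone are NOT an indicator: every legitimate
    # T3 RMI call carries them. Flag the gadget classes, and report the
    # banner and magic separately so an analyst can see what was matched.
    hits = {family: [c.decode() for c in classes if c in data]
            for family, classes in GADGET_CLASSES.items()}
    hits = {family: names for family, names in hits.items() if names}
    return {
        "t3_hello": bool(T3_HELLO.match(data)),
        "java_serialized": JAVA_STREAM_MAGIC in data,
        "gadget_hits": hits,
        "suspicious": bool(hits),
    }


def unauthorized_t3_flows(flows: Iterable[Dict[str, object]],
                          allowed_sources: Iterable[str],
                          t3_port: int = T3_PORT) -> List[Dict[str, object]]:
    # Connection-level check: anything reaching the T3 port that is not a
    # known WebLogic client, admin host or cluster member. The allowlist is
    # an assumption of the example; build yours from the real client inventory.
    allowed = set(allowed_sources)
    return [f for f in flows
            if f["dport"] == t3_port and f["src"] not in allowed]


# Constructed samples (not captured traffic). Each serialized part is a
# TC_OBJECT/TC_CLASSDESC prefix, a class-name length, and the class name.
BENIGN_STREAM = (b"t3 12.2.1\nAS:255\nHL:19\n\n"
                 + JAVA_STREAM_MAGIC + b"\x73\x72\x00\x13weblogic.rjvm.JVMID")
MALICIOUS_STREAM = (b"t3 12.2.1\nAS:255\nHL:19\n\n"
                    + JAVA_STREAM_MAGIC + b"\x73\x72\x00\x3a"
                    + b"org.apache.commons.collections.functors.InvokerTransformer"
                    + b"\x73\x72\x00\x2a"
                    + b"org.apache.commons.collections.map.LazyMap")
SAMPLE_FLOWS = [
    {"src": "10.10.1.20", "dport": 7001, "bytes": 2048},   # known app client
    {"src": "10.10.1.21", "dport": 7001, "bytes": 4096},   # known app client
    {"src": "203.0.113.7", "dport": 7001, "bytes": 9100},  # unknown source
    {"src": "203.0.113.7", "dport": 443, "bytes": 800},    # not T3, ignored
]
KNOWN_T3_CLIENTS = {"10.10.1.20", "10.10.1.21"}

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("malicious", MALICIOUS_STREAM)):
        print(name, scan_t3_stream(stream))
    print("unauthorized T3:", unauthorized_t3_flows(SAMPLE_FLOWS, KNOWN_T3_CLIENTS))
```

The class-name match only works when the gadget stream is visible in the T3 payload as sent; a chain nested inside a byte[] field of another object, or any transport that compresses or encrypts (t3s), hides it, so treat the stream scanner as a first layer and the process-spawn and unknown-source checks as the ones that survive evasion.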
Conclusion
CVE-2024-20931 exemplifies the ongoing threat posed by insecure deserialization in enterprise Java applications. Given the widespread use of Oracle WebLogic Server in critical infrastructure, the risk associated with this vulnerability is significant. Organizations using WebLogic should immediately patch, audit their deserialization usage, and restrict external access to internal communication protocols like T3.