CVE-2023-22089: About Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). (18-10-2023)

Preface: When Oracle releases a security advisory, the vulnerabilities it covers may have existed for months, or longer. But the technical details published in the CVE are limited. So that’s one of the reasons I’m interested in digging into the details.

In the spirit of science, everyone dares to assume but is careful to verify.

Background: A WebLogic Server 10.3.6, 12.1.3, and 12.2.1.x client can invoke RMI-based applications hosted on a WebLogic Server 14c (14.1.1.0.0) server using IIOP, T3, T3S, HTTP, and HTTPS. JMS applications can be invoked using T3, T3S, HTTP, and HTTPS.

A WebLogic Server 14c (14.1.1.0.0) client can invoke RMI-based applications hosted on a WebLogic Server 10.3.6, 12.1.3, and 12.2.1.x server using IIOP, T3, T3S, HTTP, and HTTPS. JMS applications can be invoked using T3, T3S, HTTP, and HTTPS.

For WebLogic Server 14c (14.1.1.0.0) instances running on JDK11, IIOP interoperability with Java clients is only available with a WebLogic Server 14c (14.1.1.0.0) install client running on JDK 11.

Vulnerability details: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
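The advisory names T3 and IIOP as the attack vectors, and the standard WebLogic control for limiting who can reach those protocols is a connection filter in the domain's config.xml. The script below is an added example, not code from this post or from Oracle: it parses a constructed sample config.xml, lists the servers with IIOP enabled, works out which of t3/t3s/iiop/iiops no catch-all deny rule covers, and proposes the missing rule. The element names it looks for (security-configuration/connection-filter, connection-filter-rule, server/iiop-enabled), the rule syntax "target localAddress localPort action protocols", and the assumption that IIOP is enabled when the flag is absent reflect my understanding of WebLogic 12.2.x/14.1.x domain configuration and are not taken from this page.

```python
"""Audit a WebLogic config.xml for T3/IIOP exposure.

Added example, not from the original post. Assumes the config.xml element
names used by WebLogic 12.2.x / 14.1.x domains and the ConnectionFilterImpl
rule syntax: "<target> <localAddress> <localPort> allow|deny [protocols...]".
"""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
RISKY_PROTOCOLS = frozenset({"t3", "t3s", "iiop", "iiops"})
# Targets that match every remote address in ConnectionFilterImpl rules (assumption).
CATCH_ALL_TARGETS = {"0.0.0.0/0", "0.0.0.0/0.0.0.0"}

# Constructed sample: IIOP on (explicitly and by default), and a filter that
# only denies t3/t3s from the world, leaving iiop/iiops open.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
    <connection-filter-rule>10.0.1.0/24 * * allow t3 t3s iiop iiops</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s</connection-filter-rule>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <iiop-enabled>true</iiop-enabled>
  </server>
  <server>
    <name>ms1</name>
    <listen-port>8001</listen-port>
  </server>
</domain>
"""


def parse_rule(rule: str) -> dict:
    """Split one connection filter rule into its fields; an empty protocol list means 'all'."""
    parts = rule.split()
    if len(parts) < 4 or parts[3] not in ("allow", "deny"):
        raise ValueError(f"malformed connection filter rule: {rule!r}")
    target, local_addr, local_port, action = parts[:4]
    return {"target": target, "local_addr": local_addr, "local_port": local_port,
            "action": action, "protocols": {p.lower() for p in parts[4:]}}


def audit_config(xml_text: str) -> dict:
    """Report IIOP-enabled servers and risky protocols not denied from all addresses."""
    root = ET.fromstring(xml_text)
    filter_el = root.find("d:security-configuration/d:connection-filter", NS)
    filter_class = filter_el.text.strip() if filter_el is not None and filter_el.text else None
    rules = [r.text.strip() for r in
             root.findall("d:security-configuration/d:connection-filter-rule", NS) if r.text]

    denied = set()
    for rule in map(parse_rule, rules):
        if rule["action"] == "deny" and rule["target"] in CATCH_ALL_TARGETS:
            denied |= rule["protocols"] or RISKY_PROTOCOLS  # no list => every protocol
    # Without a filter class the rules are never consulted, so nothing is denied.
    undenied = set(RISKY_PROTOCOLS) - denied if filter_class else set(RISKY_PROTOCOLS)

    iiop_servers = []
    for server in root.findall("d:server", NS):
        name = server.findtext("d:name", default="?", namespaces=NS)
        # Assumption: WebLogic enables IIOP on the listen port unless iiop-enabled is false.
        flag = server.findtext("d:iiop-enabled", default="true", namespaces=NS)
        if flag.strip().lower() == "true":
            iiop_servers.append(name)

    findings = []
    if filter_class is None:
        findings.append("no connection filter: T3 and IIOP are reachable from any address")
    elif undenied:
        findings.append("connection filter leaves %s open to all addresses"
                        % ", ".join(sorted(undenied)))
    findings.extend(f"IIOP enabled on server {s}" for s in iiop_servers)
    return {"filter_class": filter_class, "rules": rules,
            "undenied_protocols": undenied, "iiop_servers": iiop_servers,
            "findings": findings}


def hardened_rules(rules, undenied) -> list:
    """Append a catch-all deny for the protocols still open.

    Rules are matched first-match-wins, so the allow for the trusted range
    stays in front and keeps working after the deny is appended."""
    if not undenied:
        return list(rules)
    return list(rules) + [f"0.0.0.0/0 * * deny {' '.join(sorted(undenied))}"]


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for line in report["findings"]:
        print("finding:", line)
    for rule in hardened_rules(report["rules"], report["undenied_protocols"]):
        print("rule:", rule)
```

On the sample the audit flags iiop and iiops as still open and proposes `0.0.0.0/0 * * deny iiop iiops` as a final rule; whether to deny T3/IIOP at all depends on which clients legitimately need them, which is exactly what the interoperability notes above are about.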

Remark: The vendor did not disclose details. Could this vulnerability occur under these circumstances? Please refer to the attached diagram.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-22089
