Oracle WebLogic Remote Code Execution via T3 - Vulnerability Database

Oracle WebLogic Remote Code Execution via T3

Description

Oracle WebLogic Server contains a critical remote code execution vulnerability (CVE-2018-3245) in its WLS Core Components. This vulnerability stems from insecure deserialization of Java objects transmitted over the T3 protocol. The issue represents an incomplete fix for a previous vulnerability (CVE-2018-2893), where the original patch did not fully address the underlying deserialization weakness. Attackers can exploit this flaw by sending specially crafted serialized Java objects to the WebLogic server, which are then deserialized and executed without proper validation.

Remediation

Take the following steps to remediate this vulnerability:

1. Apply Security Patches (Primary Solution):
Install the Oracle Critical Patch Update from October 2018 or later. Download the appropriate patch for your WebLogic Server version from Oracle's support portal and follow the installation instructions provided in the patch documentation.

2. Disable or Restrict T3 Protocol Access (Immediate Mitigation):
If immediate patching is not possible, restrict T3 protocol access using one of these methods:

- Configure firewall rules to block external access to T3 ports (typically 7001, 7002)
- Use WebLogic connection filters to restrict T3 access to trusted IP addresses only
- Disable T3 protocol entirely if not required for your deployment

Add a connection filter to the security-configuration section of the domain's config.xml. Rules are evaluated in the order they appear and the first match wins, so the allow rule for the trusted network must come before the deny rule:

<security-configuration>
  <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
  <connection-filter-rule>192.168.1.0/24 * * allow t3 t3s</connection-filter-rule>
  <connection-filter-rule>* * * deny t3 t3s</connection-filter-rule>
</security-configuration>

Each rule has the form "target localAddress localPort action protocols". Replace 192.168.1.0/24 with the network that genuinely needs T3 access.
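Connection filter rules are easy to get wrong in a way that is silent: put the deny rule first and the trusted allow rule is never reached, so either all T3 traffic is blocked or, if the deny is narrower than intended, nothing useful changes. The evaluator below, an added example that is not Invicti's or Oracle's code, reproduces the first-match semantics of ConnectionFilterImpl for IP and CIDR targets (hostname targets are assumed to be resolved beforehand), and flags rules that an earlier catch-all rule makes unreachable. The rule strings, the trusted subnet and the default-accept behaviour when no rule matches are assumptions written into the comments.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed rule set in the "target localAddress localPort action [protocols...]"
# syntax, mirroring the configuration above: trusted subnet allowed first,
# then t3/t3s denied for everyone else. Hostname targets are assumed to be
# resolved already; this evaluator handles IP addresses and CIDR blocks only.
RULES = [
    "192.168.1.0/24 * * allow t3 t3s",
    "* * * deny t3 t3s",
]


@dataclass
class Rule:
    target: Optional[ipaddress.IPv4Network]  # None stands for "*" (any remote address)
    local_addr: str                          # kept as written; not evaluated here
    local_port: Optional[int]                # None stands for "*"
    action: str                              # "allow" or "deny"
    protocols: Set[str] = field(default_factory=set)  # empty set means all protocols


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError on a malformed rule."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed rule (need target localAddr localPort action): {line!r}")
    target_s, local_addr, local_port_s, action, *protos = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    target = None if target_s == "*" else ipaddress.ip_network(target_s, strict=False)
    local_port = None if local_port_s == "*" else int(local_port_s)
    return Rule(target, local_addr, local_port, action, set(protos))


def evaluate(rules: List[Rule], remote_ip: str, local_port: int, protocol: str) -> str:
    """Apply the rules in order; the first match decides. A connection that
    matches no rule is assumed to be accepted, which is why a trailing deny
    rule for t3/t3s is needed."""
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r.target is not None and addr not in r.target:
            continue
        if r.local_port is not None and r.local_port != local_port:
            continue
        if r.protocols and protocol not in r.protocols:
            continue
        return r.action
    return "allow"


def is_catch_all(r: Rule) -> bool:
    """A rule that matches every remote address on every local port."""
    return (r.target is None or r.target.prefixlen == 0) and r.local_port is None


def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier catch-all
    rule already decides every protocol they name."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if not is_catch_all(earlier):
                continue
            if not earlier.protocols or (r.protocols and r.protocols <= earlier.protocols):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    rules = [parse_rule(line) for line in RULES]
    for ip, proto in [("192.168.1.10", "t3"), ("203.0.113.5", "t3"), ("203.0.113.5", "http")]:
        print(f"{ip} {proto}: {evaluate(rules, ip, 7001, proto)}")
    swapped = [parse_rule(line) for line in reversed(RULES)]
    print("unreachable rules with deny first:", unreachable_rules(swapped))
```

Run it against the rule strings copied from your own config.xml before restarting the server; a non-empty result from unreachable_rules means the ordering will not do what the configuration reads as.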

3. Verify Remediation:
After applying patches or mitigations, verify that the vulnerability has been resolved through security scanning or penetration testing.

4. Monitor for Exploitation Attempts:
Review server logs for T3 connection attempts from unexpected sources and for deserialization errors, since either may indicate an exploitation attempt.
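A first pass over the logs can be automated: count T3 connections that arrive from outside the networks the connection filter trusts, count deserialization failures per peer, and list peers that show both. The script below is an added example, not Invicti's or Oracle's tooling. Its sample lines are constructed in a simplified "timestamp, severity, subsystem, message" layout rather than real WebLogic output, the trusted range is the same one used in the filter above, and the exception names are ordinary Java exceptions that surface when an ObjectInputStream is fed data it cannot deserialize; all of these are assumptions.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines in a simplified
# "<timestamp> <severity> <subsystem> <message>" layout. They are not real
# WebLogic output; the script keys only on the message text, so real server
# log lines can be fed in the same way.
SAMPLE_LOG = [
    "<Oct 20, 2018 10:15:32 AM UTC> <Info> <Socket> <Accepted T3 connection from 192.168.1.20:51234 on port 7001>",
    "<Oct 20, 2018 10:15:40 AM UTC> <Info> <Socket> <Accepted T3 connection from 203.0.113.45:40022 on port 7001>",
    "<Oct 20, 2018 10:15:41 AM UTC> <Error> <RJVM> <Failed to deserialize request from 203.0.113.45:40022: java.io.InvalidClassException>",
    "<Oct 20, 2018 10:15:43 AM UTC> <Info> <Socket> <Accepted T3 connection from 203.0.113.45:40023 on port 7001>",
    "<Oct 20, 2018 10:15:44 AM UTC> <Error> <RJVM> <Failed to deserialize request from 203.0.113.45:40023: java.lang.ClassNotFoundException>",
    "<Oct 20, 2018 10:16:02 AM UTC> <Info> <HTTP> <GET /console from 203.0.113.45:40030>",
]

# Assumed trusted range: the same subnet the connection filter allows.
TRUSTED_NETS = ["192.168.1.0/24"]

ADDR_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
T3_RE = re.compile(r"\bT3S?\b", re.IGNORECASE)
# Exceptions that commonly appear when an ObjectInputStream rejects its input;
# a burst of them from one peer deserves a closer look.
DESER_MARKERS = ("InvalidClassException", "ClassNotFoundException",
                 "StreamCorruptedException", "deserializ")


def source_ip(message: str) -> Optional[str]:
    """Extract the peer address from a 'from a.b.c.d:port' fragment."""
    m = ADDR_RE.search(message)
    return m.group(1) if m else None


def is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted)


def triage(lines: Iterable[str], trusted: Iterable[str] = TRUSTED_NETS) -> Dict[str, object]:
    """Count untrusted T3 connections and deserialization errors per peer;
    a peer appearing in both lists is reported as a suspect."""
    trusted = list(trusted)
    untrusted_t3: Counter = Counter()
    deser_errors: Counter = Counter()
    for line in lines:
        ip = source_ip(line)
        if ip is None:
            continue
        if T3_RE.search(line) and not is_trusted(ip, trusted):
            untrusted_t3[ip] += 1
        if any(marker in line for marker in DESER_MARKERS):
            deser_errors[ip] += 1
    suspects: List[str] = sorted(ip for ip in deser_errors if ip in untrusted_t3)
    return {
        "untrusted_t3": dict(untrusted_t3),
        "deser_errors": dict(deser_errors),
        "suspects": suspects,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("T3 connections from untrusted networks:", result["untrusted_t3"])
    print("deserialization errors per peer:", result["deser_errors"])
    print("peers to investigate:", result["suspects"])
```

Feed the real server log in with `triage(open(path))` and widen TRUSTED_NETS to match the connection filter; the suspects list is a starting point for correlating with the web tier and firewall logs, not a verdict.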
