WebLogic Server Side Request Forgery
Description
Oracle WebLogic Server versions 10.0.2 and 10.3.6 contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2014-4210) in the UDDI Explorer (Universal Description, Discovery and Integration), an application bundled with WebLogic, deployed under /uddiexplorer/ and reachable without authentication. The SearchPublicRegistries.jsp page does not validate the registry address it is asked to query, so an unauthenticated attacker can make the WebLogic server issue HTTP requests to a host and port of the attacker's choosing, including hosts on internal networks the attacker cannot reach directly. Because the page returns verbose, distinguishable error messages for a refused connection, an open port and a timeout, the responses reveal whether a service is listening on a given port, which turns the vulnerable server into a port scanner and reconnaissance proxy for the attacker.
Remediation
Take the following steps to remediate this vulnerability:
1. Apply Security Patches: Install the Oracle Critical Patch Update (CPU) from July 2014 or later, which addresses CVE-2014-4210, CVE-2014-4241, and CVE-2014-4242. Verify the installation with the patching tool for your release (for WebLogic 10.x, Smart Update: bsu.sh -view -status=applied) and confirm that the CPU patch appears in the list of applied patches, rather than relying on the server version string alone.
2. Restrict Access to UDDI: If the UDDI application is not required for business operations, disable it entirely. If UDDI functionality is needed, implement the following access controls in your WebLogic configuration:
- Restrict access to /uddiexplorer/* paths using IP allowlisting
- Require authentication for all UDDI endpoints
- Place UDDI applications behind a reverse proxy with strict filtering rules
3. Network Segmentation: Ensure WebLogic servers cannot make outbound connections to sensitive internal networks unless explicitly required, and implement egress filtering rules at the firewall level so that even an unpatched instance can only reach explicitly allowed destinations. Treat this as a compensating control rather than a fix: it limits what the SSRF can reach but does not remove it, and hosts on the server's own network segment remain scannable.
4. Verification: After applying patches or restrictions, request /uddiexplorer/SearchPublicRegistries.jsp without credentials from a network position outside the allowlist, both through the reverse proxy and directly against each managed server's listen port (a proxy-only rule leaves the direct port open). A 401, 403 or 404 response means the restriction or removal is effective; a rendered page (HTTP 200) means the endpoint is still exposed and the remediation is incomplete.
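The following script is an added verification helper for step 4; it is not part of the original advisory or of any Oracle tooling. It fetches the UDDI Explorer search page without credentials and classifies the HTTP status code into a verdict and an exit status. The host name in the usage note is a placeholder assumption; the path /uddiexplorer/SearchPublicRegistries.jsp is the one named in this advisory.

```shell
#!/bin/sh
# Added example (not from the original advisory): probe the UDDI Explorer
# search page without credentials and classify the result.
# Usage: sh uddi_check.sh https://weblogic.example.internal:7001
# (the host name is a placeholder assumption; pass your own base URL)

UDDI_PATH="/uddiexplorer/SearchPublicRegistries.jsp"

# Turn an HTTP status code into a verdict line on stdout and an exit status:
#   0 = remediated (denied or removed), 1 = still exposed, 2 = needs manual review.
classify_status() {
    case "$1" in
        200)             echo "EXPOSED: $UDDI_PATH rendered for an unauthenticated client"; return 1 ;;
        401|403)         echo "RESTRICTED: request denied with HTTP $1"; return 0 ;;
        404|410)         echo "REMOVED: page not deployed (HTTP $1)"; return 0 ;;
        301|302|303|307) echo "REDIRECTED: HTTP $1, inspect the Location header (login page or proxy rule?)"; return 2 ;;
        000)             echo "UNREACHABLE: no HTTP response (refused, filtered, or timed out)"; return 2 ;;
        *)               echo "INSPECT: unexpected HTTP $1"; return 2 ;;
    esac
}

# Request the page with no cookies or credentials and print only the status code.
# --max-time keeps the probe from hanging on a filtered port; -k tolerates
# internal TLS certificates; curl prints 000 when no HTTP response arrives.
fetch_status() {
    curl -sk -o /dev/null -w '%{http_code}' --max-time 10 "$1$UDDI_PATH"
}

# Probe one base URL (scheme://host:port) and report the verdict.
check_uddi() {
    base="${1%/}"
    status="$(fetch_status "$base")"
    echo "$base -> HTTP $status"
    classify_status "$status"
}

# Run the probe only when a base URL is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    check_uddi "$1"
fi
```

Run it from outside the allowlist against both the reverse proxy and each managed server's listen port; an exit status of 1 means the page is still served to anonymous clients, 2 means the response needs a human look (for example a redirect to a login page is acceptable, a redirect back to the page itself is not).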