Skip to main content

5. Principle of WebLogic deserialisation – choose any vulnerability and explain its trigger mechanism

CVE-2023-21931

In the WLNamingManager class of WebLogic, when the incoming object is an implementation of LinkRef, the object’s getLinkName() method is invoked, and the address returned by getLinkName() is loaded via remote JNDI through the lookup() method.

CVE-2023-21839

WebLogic’s T3/IIOP protocol allows remote binding of objects to the server. When the remote object inherits from OpaqueReference, and a lookup is performed on the remote object, the server calls the remote object’s getReferent method. The remoteJNDIName parameter is controllable, allowing an attacker to execute remote commands using the RMI/LDAP remote protocol.

CVE-2024-20931 Overview

A ForeignOpaqueReference object exists in WebLogic. Its getReferent function initiates another JNDI lookup when the remote object is queried, leading to JNDI injection.