Rapid7 Vulnerability & Exploit Database

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Back to Search

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization



Oracle Weblogic, and prior to the Jan 2023 security update are vulnerable to an unauthenticated remote code execution vulnerability due to a post deserialization vulnerability. This occurs when an attacker serializes a "ForeignOpaqueReference" class object, deserializes it on the target, and then post deserialization, calls the object's "getReferent()" method, which will make use of the "ForeignOpaqueReference" class's "remoteJNDIName" variable, which is under the attackers control, to do a remote loading of the JNDI address specified by "remoteJNDIName" via the "lookup()" function. This can in turn lead to a deserialization vulnerability whereby an attacker supplies the address of a HTTP server hosting a malicious Java class file, which will then be loaded into the Oracle Weblogic process's memory and an attempt to create a new instance of the attacker's class will be made. Attackers can utilize this to execute arbitrary Java code during the instantiation of the object, thereby getting remote code execution as the "oracle" user. This module exploits this vulnerability to trigger the JNDI connection to a LDAP server we control. The LDAP server will then respond with a remote reference response that points to a HTTP server that we control, where the malicious Java class file will be hosted. Oracle Weblogic will then make a HTTP request to retrieve the malicious Java class file, at which point our HTTP server will serve up the malicious class file and Oracle Weblogic will instantiate an instance of that class, granting us RCE as the "oracle" user. This vulnerability was exploited in the wild as noted by KEV on May 1st 2023: https://www.fortiguard.com/outbreak-alert/oracle-weblogic-server-vulnerability


  • 4ra1n
  • 14m3ta7k
  • Grant Willcox


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/iiop/cve_2023_21839_weblogic_rce
msf exploit(cve_2023_21839_weblogic_rce) > show targets
msf exploit(cve_2023_21839_weblogic_rce) > set TARGET < target-id >
msf exploit(cve_2023_21839_weblogic_rce) > show options
    ...show and set options...
msf exploit(cve_2023_21839_weblogic_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security