CVE-2024-21260: 
Oracle WebLogic Server vulnerability analysis and mitigation

A vulnerability (CVE-2024-21260) has been identified in Oracle WebLogic Server's Core component, affecting versions 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the Oracle WebLogic Server (Oracle CPU, NVD).

The vulnerability has been assigned a CVSS 3.1 Base Score of 7.5 (High) with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack vector is network-based, requiring low attack complexity, with no privileges or user interaction needed. The vulnerability specifically affects the T3 and IIOP protocols, which are commonly enabled by default in WebLogic installations (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DOS) of Oracle WebLogic Server. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

Oracle has released patches for this vulnerability as part of its October 2024 Critical Patch Update. Organizations are strongly advised to apply these security patches without delay to affected Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 (Oracle CPU).

The vulnerability was discovered and reported by security researcher 'aftersnow' to Oracle (Oracle CPU). It is one of several high-severity vulnerabilities affecting Oracle WebLogic Server in the October 2024 CPU (Security Online).