
Oracle WebLogic Security Assessment Guide: Discovering Exposure Before the Next T3 Exploit

Enterprise Java middleware is often the least-assessed component of the application security programme. Oracle WebLogic installations are frequently discovered during incident response rather than proactive inventory. This guide covers the discovery, assessment, and continuous monitoring steps for WebLogic security.


The discovery that many organisations could not quickly answer "how many WebLogic instances do we run and what version?" when CVE-2024-21182 hit the KEV this week is a predictable consequence of how enterprise Java middleware has historically been managed: deployed by application teams, maintained by operational teams, and rarely included in the security team's vulnerability management scope.

A proactive WebLogic security assessment programme addresses this before the next critical CVE.

Phase 1: Discovery — Finding All WebLogic Instances

WebLogic listen port TCP 7001 (and 7002 for TLS) is the primary discovery target.

Network scan for WebLogic:

# Identify WebLogic-like responses on standard ports (adapt IP ranges)
nmap -p 7001,7002 --open -sV 10.0.0.0/8 -oA weblogic_discovery

# Identify WebLogic on alternate ports (some deployments use 8001, 9001, etc.)
nmap -p 8001,9001,4848 --open -sV 10.0.0.0/8

WebLogic responds to HTTP requests on the listen port — look for responses whose body contains BEA WebLogic or Oracle WebLogic, or whose Server: or X-Powered-By: Servlet headers carry WebLogic-specific values.

CMDB query: Query your CMDB/asset management system for:

  • Systems with weblogic.jar or wl_home in installed applications
  • Systems running the weblogic.Server Java process
  • Services or applications described as "Oracle Fusion Middleware", "Oracle SOA Suite", "Oracle E-Business Suite" (these use WebLogic as the application server)

Cloud inventory: For cloud environments (AWS, Azure, GCP), search for EC2/VM instances with tags indicating Oracle middleware, or RDS/database instances with Oracle Fusion dependencies that imply a co-located WebLogic application tier.
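To turn the scan output into a review list, the following added example (not part of the original article) parses the XML that the nmap -oA run above writes and separates hosts whose -sV banner or http-server-header script output mentions WebLogic from hosts with an open candidate port but no fingerprint, so the latter are still queued for manual confirmation. The sample XML is constructed in the shape nmap emits; the product strings in it are illustrative.

```python
"""Triage nmap -oA XML output for WebLogic candidates (added example)."""
import xml.etree.ElementTree as ET

# Standard listen ports plus the alternates mentioned in the scan commands.
WEBLOGIC_PORTS = {"7001", "7002", "8001", "9001"}

def weblogic_candidates(nmap_xml: str):
    """Return one record per open candidate port.

    fingerprint is 'weblogic' when the service product/extrainfo or a script
    result mentions WebLogic, otherwise 'unconfirmed' (open candidate port,
    no banner match) so unfingerprinted hosts are not silently dropped.
    """
    results = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            if port.get("portid") not in WEBLOGIC_PORTS:
                continue
            svc = port.find("service")
            fields, version = [], None
            if svc is not None:
                fields = [svc.get("product", ""), svc.get("extrainfo", "")]
                version = svc.get("version")
            fields += [s.get("output", "") for s in port.iter("script")]
            hit = any("weblogic" in f.lower() for f in fields)
            results.append({"addr": addr_el.get("addr"), "port": int(port.get("portid")),
                            "fingerprint": "weblogic" if hit else "unconfirmed",
                            "version": version if hit else None})
    return results

# Constructed sample in the shape nmap -oA writes (not a real scan result).
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="7001"><state state="open"/>
<service name="http" product="Oracle WebLogic Server" version="12.2.1.4.0"/></port>
<port protocol="tcp" portid="7002"><state state="open"/><service name="ssl/http"/>
<script id="http-server-header" output="WebLogic Server 12.2.1.4.0"/></port>
</ports></host>
<host><address addr="10.0.1.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="7001"><state state="open"/><service name="afs3-callback"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    for rec in weblogic_candidates(SAMPLE_XML):
        print(rec)
```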

Phase 2: Version Identification

Once discovered, determine the WebLogic version for each instance:

WebLogic Administration Console: Navigate to http://<host>:7001/console and log in. The version is displayed on the dashboard.

Command line (if shell access available):

# Print the WebLogic version (and applied patch set updates) from the installed weblogic.jar
java -cp "$WL_HOME/server/lib/weblogic.jar" weblogic.version
# Or read the installed WebLogic component from the Oracle inventory registry
grep -i "weblogic" "$MW_HOME/inventory/registry.xml"

HTTP headers: Some WebLogic installations reveal version information in HTTP response headers or error pages — check the Server: header and examine default error pages at /wls-wsat/ or /webservices/.

Phase 3: Exposure Assessment

For each WebLogic instance, assess its exposure:

T3/IIOP reachability test:

# Test whether the WebLogic listen port is reachable from an external perspective
nc -zv <weblogic_host> 7001
# If this succeeds from an untrusted network, T3 is externally accessible: T3 is
# multiplexed on the same listen port as HTTP, so TCP reachability is sufficient
# unless a connection filter or reverse proxy restricts the protocol

Administration Console exposure:

# Test whether the WebLogic Admin Console is internet-accessible
curl -I http://<host>:7001/console/
# A 200 or 302 response from an untrusted network indicates an exposed admin console;
# a 404 usually means the console has been disabled on that server

TLS configuration:

# Check WebLogic TLS configuration on port 7002 (</dev/null closes the session after the handshake)
openssl s_client -connect <host>:7002 -servername <host> </dev/null
# Verify the negotiated TLS version and cipher suite in the Protocol and Cipher lines

Phase 4: Continuous Monitoring

A one-time assessment is insufficient for middleware that rarely changes but accumulates critical CVEs between Oracle Critical Patch Update (CPU) cycles.

Patch level monitoring: Track WebLogic version and installed CPU patches in your CMDB. Set an alert for any WebLogic instance whose installed CPU is more than one quarter behind the current published CPU (indicating likely missed critical patches).
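The "more than one quarter behind" rule above needs a definition of the current CPU that accounts for release timing: early in a quarter the newest CPU has not shipped yet, so a host on the previous CPU is zero quarters behind, not one. The following added example (not from the article) computes that; it assumes the CPU cadence of the third Tuesday of January, April, July and October, which matches the published 2024 and 2025 dates, and a CMDB export where each host records the date of the CPU whose patch set update is installed.

```python
"""Flag WebLogic hosts whose installed CPU lags the current CPU by more than
one quarter (added example; third-Tuesday cadence is an assumption)."""
from datetime import date

CPU_MONTHS = (1, 4, 7, 10)

def cpu_release_date(year: int, month: int) -> date:
    """Third Tuesday of a CPU month. date.weekday(): Monday == 0, Tuesday == 1."""
    assert month in CPU_MONTHS
    offset = (1 - date(year, month, 15).weekday()) % 7
    return date(year, month, 15 + offset)

def quarter_index(d: date) -> int:
    """Monotonic quarter counter so two CPU dates can be subtracted."""
    return d.year * 4 + (d.month - 1) // 3

def current_cpu(today: date) -> date:
    """Most recent CPU released on or before `today`."""
    q = quarter_index(today)
    cpu = cpu_release_date(q // 4, CPU_MONTHS[q % 4])
    if cpu > today:                      # this quarter's CPU not out yet
        q -= 1
        cpu = cpu_release_date(q // 4, CPU_MONTHS[q % 4])
    return cpu

def quarters_behind(installed_cpu: date, today: date) -> int:
    return quarter_index(current_cpu(today)) - quarter_index(installed_cpu)

def lagging_hosts(inventory, today: date, max_lag: int = 1):
    """inventory: iterable of (host, version, installed_cpu_date); returns alerts."""
    return [(host, ver, quarters_behind(cpu, today))
            for host, ver, cpu in inventory
            if quarters_behind(cpu, today) > max_lag]

# Constructed CMDB export (hostnames and dates are illustrative).
SAMPLE = [
    ("wls-prod-01", "12.2.1.4.0", date(2024, 10, 15)),
    ("wls-prod-02", "12.2.1.4.0", date(2024, 7, 16)),
    ("wls-dev-01", "14.1.1.0.0", date(2024, 4, 16)),
]

if __name__ == "__main__":
    for row in lagging_hosts(SAMPLE, date(2025, 1, 10)):
        print("ALERT: CPU lag", row)
```

On 10 January 2025 only wls-dev-01 alerts (two quarters behind), while from 21 January 2025, once the January CPU is out, wls-prod-02 also crosses the threshold.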

T3/IIOP port monitoring: Configure continuous monitoring (via network scanner or cloud security posture management) for TCP 7001/7002 reachability from untrusted networks. Any newly reachable WebLogic T3 port should generate an immediate alert.

Admin Console exposure monitoring: Monitor /console/ endpoint reachability from external IPs continuously. WebLogic Admin Console should never be internet-accessible.

Anomalous WebLogic process activity: EDR monitoring for child processes spawned from the WebLogic JVM (java) process is a high-fidelity exploitation indicator — legitimate WebLogic processes do not spawn shell processes (/bin/sh, cmd.exe, powershell.exe).
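The detection logic behind that indicator, as an added example that is not part of the article: it runs over process-creation events, keys on a java parent whose command line contains weblogic.Server (so other JVMs such as a build server are not matched), and normalises both Unix and Windows image paths. The event field names and the events themselves are constructed, not a particular EDR's schema.

```python
"""Detect shell children of a WebLogic JVM from process-creation events
(added example; event shape is an assumption, not a specific EDR schema)."""
import ntpath
import posixpath

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Events may carry Windows or POSIX paths; pick the matching splitter."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)

def is_weblogic_jvm(event) -> bool:
    """True when the parent is a java process running weblogic.Server."""
    parent = basename(event["parent_image"]).lower()
    return parent in {"java", "java.exe"} and "weblogic.server" in event["parent_cmdline"].lower()

def weblogic_shell_spawns(events):
    """Return one alert per shell spawned directly by a WebLogic JVM."""
    alerts = []
    for ev in events:
        if is_weblogic_jvm(ev) and basename(ev["image"]).lower() in SHELLS:
            alerts.append({"host": ev["host"], "pid": ev["pid"],
                           "parent_pid": ev["parent_pid"], "cmdline": ev["cmdline"]})
    return alerts

# Constructed events (not from a real incident): two WebLogic shell spawns,
# one benign java child, and a shell spawned by a non-WebLogic JVM.
SAMPLE_EVENTS = [
    {"host": "wls-prod-01", "pid": 4102, "parent_pid": 3877,
     "parent_image": "/usr/java/jdk/bin/java",
     "parent_cmdline": "java -Dweblogic.Name=AdminServer weblogic.Server",
     "image": "/bin/sh", "cmdline": "sh -c uname"},
    {"host": "wls-prod-01", "pid": 4103, "parent_pid": 3877,
     "parent_image": "/usr/java/jdk/bin/java",
     "parent_cmdline": "java -Dweblogic.Name=AdminServer weblogic.Server",
     "image": "/usr/java/jdk/bin/java", "cmdline": "java -version"},
    {"host": "wls-prod-02", "pid": 8812, "parent_pid": 8800,
     "parent_image": "C:\\Oracle\\jdk\\bin\\java.exe",
     "parent_cmdline": "java.exe -Dweblogic.Name=ms1 weblogic.Server",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"host": "build-01", "pid": 77, "parent_pid": 70,
     "parent_image": "/usr/bin/java", "parent_cmdline": "java -jar jenkins.war",
     "image": "/bin/bash", "cmdline": "bash build.sh"},
]

if __name__ == "__main__":
    for alert in weblogic_shell_spawns(SAMPLE_EVENTS):
        print("ALERT: shell spawned by WebLogic JVM", alert)
```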
