Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw

  • The distant code-execution flaw (CVE-2020-14750) is low-complexity and demands no consumer conversation to exploit.

    Oracle has produced a unusual out-of-band patch for a remote code-execution flaw in a number of versions of its WebLogic server.

    The vulnerability (CVE-2020-14750) has a CVSS base score of 9.8 out of 10, and is remotely exploitable without having authentication (indicating it could be exploited more than a network without having the need for a username and password).

    “Due to the severity of this vulnerability, Oracle strongly suggests that prospects apply the updates provided by this Security Inform as shortly as attainable right after they have applied the Oct 2020 Critical Patch Update,” according to Eric Maurice, director of security assurance at Oracle, in a Sunday advisory.

    Although distinct aspects of the flaw have been not disclosed, Oracle’s notify mentioned it exists in the Console of the Oracle WebLogic Server and can be exploited through the HTTP network protocol. A likely attack has “low” complexity and no consumer conversation is required, claimed Oracle.

    Oracle WebLogic Server is a common application server utilised in making and deploying organization Java EE purposes. Afflicted versions of WebLogic Server involve 10.3.6.., 12.1.3.., 12.2.1.3., 12.2.1.4. and 14.1.1…

    Oracle launched an out-of-band security inform to deal with a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! https://t.co/34wm2YYgnx #Cyber #Cybersecurity #InfoSec

    — US-CERT (@USCERT_gov) November 2, 2020

    Oracle said that the vulnerability “is related to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. CVE-2020-14882 was fastened by Oracle in the huge October launch of its quarterly Critical Patch Update (CPU), which set 402 vulnerabilities across numerous merchandise family members. Supported variations that are affected are 10.3.6.., 12.1.3.., 12.2.1.3., 12.2.1.4. and 14.1.1…

    Security authorities on Twitter have pointed to the point that the fix for CVE-2020-14882 could be bypassed by simply altering the case of a character in their ask for. This would so sidestep the path-traversal blacklist that was applied to block the flaw, bypassing the patch.

    #CVE-2020–14882 Weblogic Unauthorized bypass RCEhttp://x.x.x.x:7001/console/visuals/%252E%252E%252Fconsole.portal

    Put up:

    _nfpb=true&_pageLabel=&manage=https://t.co/jBUfUasQC1.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27)%22)https://t.co/nU8xkK30DU pic.twitter.com/uLiggjHnQG

    — Jas502n (@jas502n) October 28, 2020

    Upon additional investigation of the bypass, “The web application is making an authorization conclusion based on the requested path but it is performing so devoid of initial totally decoding and canonicalizing the route,” said Craig Younger, security researcher with Tripwire, in an evaluation. “The final result is that a URL can be built to match the sample for a permitted useful resource but in the end entry a fully diverse resource.”

    When the patch for CVE-2020-14882 was introduced during an Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, reported past 7 days that based on honeypot observations, cybercriminals are now actively focusing on the flaw.

    Oracle WebLogic servers keep on to be tough-strike with exploits. In May, Oracle urged prospects to speedy-keep track of a patch for a critical flaw in its WebLogic Server below lively attack. The enterprise stated it has gained several reviews that attackers ended up concentrating on the vulnerability patched very last month. In May perhaps 2019, scientists warned that malicious activity exploiting a not long ago disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – which include to spread the REvil/Sodinokibi” ransomware. In June 2019, Oracle mentioned that a critical distant code-execution flaw in its WebLogic Server (CVE-2019-2729) was staying actively exploited in the wild.

    Hackers Set Bullseye on Health care: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware assaults in 2020. Save your place for this No cost webinar on healthcare cybersecurity priorities and hear from major security voices on how knowledge security, ransomware and patching need to be a precedence for each and every sector, and why. Sign up for us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, constrained-engagement webinar.