Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks

Oracle Warns of Critical WebLogic Flaw Exploited in Attacks


Oracle has released an out-of-band security alert for a critical remote code execution vulnerability affecting WebLogic Server.


Tracked as CVE-2020-14750 and carrying a CVSS score of 9.8, the security flaw is related to CVE-2020-14882, a WebLogic Server bug addressed in the October 2020 Critical Patch Update (CPU) that was deemed very easy to exploit.


In fact, attacks targeting CVE-2020-14882 were observed last week, soon after a Vietnamese researcher published proof-of-concept code.


“This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. […] It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle notes in its advisory.


Impacting supported WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, the bug can be exploited by an attacker with HTTP access to the affected server.


Successful exploitation of the flaw could lead to takeover of Oracle WebLogic, an advisory published by the MITRE Corporation reads.


“The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system,” Czech vulnerability intelligence company Cybersecurity Help says.


In its advisory, Oracle credited 20 researchers/organizations for reporting the vulner ..