Background
Oracle has issued an out-of-band update for WebLogic Server CVE-2020-14750 only days after the SANS Institute posted an alert regarding a different WebLogic Server flaw, CVE-2020-14882, being under active attack. Both CVEs carry a CVSS score of 9.8 and are remotely exploitable without authentication.
Discussion – CVE-2020-14750
According to Oracle’s out-of-band update issued on November 2, 2020, CVE-2020-14750 is related to CVE-2020-14882 which was patched in the October 2020 Oracle Critical Patch Update. CVE-2020-14750 exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Vulnerable WebLogic Versions include:
10.3.6.0.0 | 12.1.2.0 |
12.1.3.0.0 | 12.2.1.0 |
12.2.1.1 | 12.2.1.2 |
12.2.1.2.0 | 12.2.1.3.0 |
12.2.1.4.0 | 14.1.1.0.0 |
Discussion – CVE-2020-14882
A patch for CVE-2020-14882 was included in Oracle’s Q4 2020 Critical Patch Update released on October 21, 2020. Oracle describes the attack as “low” in complexity, requires no privileges, and no user interaction. It can be exploited by attackers with network access via HTTP.
In a bulletin from Johannes B. Ullrich, Ph.D., Dean of Research at the SANS Technology Institute, he noted that “if you find a vulnerable server in your network: Assume it has been compromised.”
Vulnerable WebLogic Versions include:
10.3.6.0.0 | 12.1.3.0.0 |
12.2.1.3.0 | 12.2.1.4.0 |
14.1.1.0.0 |
Action Steps
Waratek Patch customers can immediately access ARMR virtual patches that remediate CVE-2020-14750, CVE-2020-14882, and CVE-2020-14883 (a lower risk, but remote executable Fusion Middleware flaw). Contact your Waratek representative for details. Waratek ARMR Virtual Patches fix code flaws in minutes without source code changes, application downtime, or risk of breaking an app’s functionality.
Non-Waratek customers should request a trial license or a live demonstration of Waratek protective agents.
About Waratek
Some of the world’s leading companies use Waratek’s ARMR Security Platform to patch, secure and upgrade their mission critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for security teams to instantly detect and remediate known vulnerabilities with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.
Waratek is the winner of the 2020 Cyber Defense Magazine’s Cutting Edge Award for Application Security, the Cybersecurity Breakthrough Award’s 2019 Overall Web Security Solution of the Year, and is a previous winner of the RSA Innovation Sandbox Award along with more than a dozen other awards and recognitions.