Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.
The vulnerability (CVE-2020-14750) has a CVSS base score of 9.8 out of 10, and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,” according to Eric Maurice, director of security assurance at Oracle, in a Sunday advisory.
While specific details of the flaw were not disclosed, Oracle’s alert said it exists in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. A potential attack has “low” complexity and no user interaction is required, said Oracle.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Oracle released an out-of-band security alert to address a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! https://t.co/34wm2YYgnx #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) November 2, 2020
Oracle said that the vulnerability “is related to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. CVE-2020-14882 was fixed by Oracle in the massive October release of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Threatpost has reached out to Oracle for more information on how the two are related. However, security experts on Twitter have pointed to the fact that the fix for CVE-2020-14882 could be bypassed by merely changing the case of a character in their request. This would thus sidestep the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.
In Oracle’s rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request.https://t.co/fHWPkXCAlm
— Brett Winterford (@breditor) November 3, 2020
While the patch for CVE-2020-14882 was released during an Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said last week that based on honeypot observations, cybercriminals are now actively targeting the flaw.
Oracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month. In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the REvil/Sodinokibi” ransomware. In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.