Oracle releases emergency WebLogic Server patch to fix RCE flaw
The vulnerability could enable hackers to remotely exploit the server without any user interaction
Oracle has been forced to issue an out-of-band patch to fix a critical remote code execution (RCE) flaw affecting multiple Oracle WebLogic Server versions.
The vulnerability, tracked as CVE-2020-14750, could enable hackers to remotely exploit the server via a HTTP GET through the server's console component, without any user interaction and may be exploited over a network without the need for a username and password.
"Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle explained in an https://www.oracle.com/security-alerts/alert-cve-2020-14750.html advisory.
The advisory said that the supported Oracle WebLogic Server versions that are affected by CVE-2020-14750 include 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0, and 126.96.36.199.0.
Proof-of-concept code that could exploit the bug was made public on GitHub. According to security firm Spyse, around 3,300 WebLogic servers are exposed at the moment and could be vulnerable to the flaw.
He also said that the vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. That particular flaw could enable hackers network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) also warned users about the dangers of the vulnerability and encouraged administrators to apply the patch as soon as possible.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now