Oracle has released an out of band patch for vulnerability CVE-2020-14750. It has been given a 9.8 out of 10 base score on CVSS 3.1. The high CVSS score is due to the vulnerability being able to be remotely exploited without credentials.
Details of the flaw were not disclosed. The vulnerability appears to be in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. Attacks are similar to CVE-2020-14882, for which Oracle released a patch in October of 2020, that does not require user interaction and can be exploited remotely through networks without the need for a username or password.
Oracle has stated that the vulnerability “is related to” CVE-2020-14882, which is another remote code-execution flaw in WebLogic Servers that Oracle patched in the October 2020 release. However, security professionals have pointed out that a patched CVE-2020-14882 could be bypassed by merely changing the case of a character in the request by sidestepping the path-traversal blacklist that was implemented to block the flaw
What is the Potential Impact?
An unspecified vulnerability exists in the Core component of WebLogic Servers. Unauthenticated attackers that have network access via HTTP can exploit the server and take over the Oracle WebLogic Server.
The following versions of Oracle WebLogic are vulnerable:
Oracle believes that older versions are also vulnerable and recommends customers to update to a support version of Oracle WebLogic.
Oracle WebLogic Vulnerability Mitigation
We strongly suggest that organizations download and apply Oracle’s latest patch for their Fusion Middleware software.
Detecting CVE-2020-16898 and CVE-2020-16899
- Qualys has released QID 87433 for detection of the vulnerability, but QID 90235 can be used to assist in identifying if WebLogic is installed on systems.
- Tenable has released the following plugin 141807 to detect this vulnerability.