The remote code-execution flaw (CVE-2020-14750) is very low-complexity and requires no user interaction to exploit.
Oracle has issued a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic Server.
The vulnerability (CVE-2020-14750) has a CVSS base score of 9.8 out of 10 and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,” said Eric Maurice, director of security assurance at Oracle, in a Sunday advisory.
While specific details of the flaw were not disclosed, Oracle’s alert said it exists in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. A potential attack has “low” complexity and no user interaction is required, Oracle said.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Oracle released an out-of-band security alert to address a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! https://t.co/34wm2YYgnx #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) November 2, 2020
Oracle said that the vulnerability “is similar to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Server. CVE-2020-14882 was fixed by Oracle in the large October release of its quarterly Critical Patch Update (CPU), which addressed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Threatpost has reached out to Oracle for more information on how the two are connected. However, security professionals on Twitter have pointed out that the fix for CVE-2020-14882 could be bypassed simply by changing the case of a character in the request. This sidesteps the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.
In Oracle’s rush to fix it, they made a simple mistake: attackers could evade the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request. https://t.co/fHWPkXCAlm
— Brett Winterford (@breditor) November 3, 2020
Although the patch for CVE-2020-14882 was released in the Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said last week that, based on honeypot observations, cybercriminals are now actively targeting the flaw.
Oracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it had received numerous reports that attackers were targeting the vulnerability patched the previous month. In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging, including to spread the REvil/Sodinokibi ransomware. In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.