Oracle releases emergency WebLogic Server patch to fix RCE flaw
The vulnerability could enable hackers to remotely exploit the server without any user interaction
Oracle has been forced to issue an out-of-band patch to fix a critical remote code execution (RCE) flaw affecting multiple Oracle WebLogic Server versions.
The vulnerability, tracked as CVE-2020-14750, could enable hackers to remotely exploit the server via a HTTP GET through the server's console component, without any user interaction and may be exploited over a network without the need for a username and password.
"Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle explained in an https://www.oracle.com/security-alerts/alert-cve-2020-14750.html advisory.
The advisory said that the supported Oracle WebLogic Server versions that are affected by CVE-2020-14750 include 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0, and 220.127.116.11.0.
Proof-of-concept code that could exploit the bug was made public on GitHub. According to security firm Spyse, around 3,300 WebLogic servers are exposed at the moment and could be vulnerable to the flaw.
He also said that the vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. That particular flaw could enable hackers network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) also warned users about the dangers of the vulnerability and encouraged administrators to apply the patch as soon as possible.
BCDR buyer's guide for MSPs
How to choose a business continuity and disaster recovery solutionDownload now
The definitive guide to IT security
Protecting your MSP and your customersDownload now
Cost of a data breach report 2020
Find out what factors help mitigate breach costsDownload now
The complete guide to changing your phone system provider
Optimise your phone system for better business resultsDownload now