Oracle has issued an out-of-band security alert for a critical remote code execution vulnerability affecting WebLogic Server.
Tracked as CVE-2020-14750 and carrying a CVSS score of 9.8, the vulnerability is related to CVE-2020-14882, a WebLogic Server bug addressed in the October 2020 Critical Patch Update (CPU) that was considered very easy to exploit.
In fact, attacks targeting CVE-2020-14882 were observed last week, shortly after proof-of-concept code was published by a Vietnamese researcher.
“This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. […] It is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle states in its advisory.
Affecting supported WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, the flaw can be exploited by an attacker with HTTP network access.
Successful exploitation of the vulnerability can result in a takeover of Oracle WebLogic Server, according to the advisory published by MITRE Corporation.
“The vulnerability exists due to insufficient input validation. A remote attacker can send a specially crafted request to the target system and execute arbitrary code. Successful exploitation of this vulnerability will lead to full compromise of the vulnerable system,” says Czech vulnerability intelligence firm Cybersecurity Help.
In its advisory, Oracle credits 20 researchers and organisations for reporting the flaw. The company advises customers to apply the available patches as soon as possible, after first applying the October 2020 CPU.
The company has not provided further details about the flaw, but warns that exploit code targeting it is already available online.
“Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers install the updates provided by this Security Alert as soon as possible,” Oracle states.
An alert has already been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urging administrators to apply the necessary updates.