Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.
The flaw, CVE-2020-14750, carries a CVSS base score of 9.8 out of 10. It is low-complexity, requires no user interaction, and is remotely exploitable without authentication, meaning it can be exploited over the network with no username or password.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the Oct. 2020 Critical Patch Update,” says Eric Maurice, Director of Security Assurance at Oracle, in a Sunday advisory.
Oracle did not disclose technical details, but its alert said the flaw lies in the Console of Oracle WebLogic Server and can be exploited over HTTP; attack complexity is rated low and no user interaction is required.
Oracle WebLogic Server is a widely used application server for building and deploying enterprise Java EE applications. The affected versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Oracle said the vulnerability "is related to" CVE-2020-14882, another unauthenticated remote code-execution flaw in WebLogic Server. CVE-2020-14882 was fixed in Oracle's October quarterly Critical Patch Update (CPU), which addressed 402 vulnerabilities across its product families. The affected versions are the same: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Security researchers on Twitter pointed out that the fix for CVE-2020-14882 could be bypassed simply by changing the case of a single character in the request path. That sidesteps the blacklist of path-traversal strings the patch introduced, so a server carrying the October fix remained exploitable.
#CVE-2020-14882 Weblogic Unauthorized bypass RCE
— Jas502n (@jas502n) October 28, 2020
Analyzing the bypass, Craig Young, security researcher at Tripwire, wrote: "The web application is making an authorisation decision based on the requested path but it is doing so without first fully decoding & canonicalizing the path. The result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource."
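The failure Young describes, deciding on the raw request path and only later decoding and canonicalizing it to pick the resource, can be modelled in a few lines. The Python below is an added example written for this article; it is not Oracle's code, and the /console/ prefixes, the deny-list contents, the resource name console.portal and the sample request paths are assumptions chosen to illustrate the pattern, not a reproduction of the actual exploit. It shows a case-sensitive deny-list plus prefix check on the raw path being bypassed by changing the case of a hex digit in a double-encoded traversal sequence, beside a version that canonicalizes first and authorizes the same string the server will actually serve.

```python
"""Model of authorize-before-canonicalize, the pattern behind the bypass.

Added example, NOT Oracle's code. Prefixes, deny-list contents, resource
names and sample paths are assumptions made for illustration only.
"""
from posixpath import normpath
from typing import Optional, Tuple
from urllib.parse import unquote

CONSOLE_PREFIX = "/console/"        # application root (assumption)
PUBLIC_PREFIX = "/console/css/"     # static files, no login needed (assumption)
MAX_DECODE_ROUNDS = 4               # bound nested percent-encoding

# Case-sensitive deny-list standing in for a string-matching fix (assumption).
# Matching lowercase hex only is exactly the gap a case change slips through.
TRAVERSAL_DENYLIST = ("..", "%2e%2e", "%252e%252e")

Decision = Tuple[bool, Optional[str]]   # (allowed, resource served)


def canonicalize(raw_path: str) -> str:
    """Percent-decode until stable, then collapse '.' and '..' segments.

    Raises ValueError for paths no resource should ever be resolved from.
    """
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)          # %2E and %2e decode identically
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in path or not path.startswith("/"):
        raise ValueError("malformed path")
    path = path.replace("\\", "/")       # defensive: treat backslash as a separator
    canon = normpath(path)               # '/console/css/../x' -> '/console/x'
    if canon.startswith("//"):           # POSIX normpath preserves a leading '//'
        canon = "/" + canon.lstrip("/")
    return canon


def resolve_resource(raw_path: str) -> str:
    """What the server ultimately serves; shared by both versions below."""
    return canonicalize(raw_path)


def authorize_vulnerable(raw_path: str, authenticated: bool) -> Decision:
    """Decide on the RAW path, resolve afterwards: the bypassed pattern."""
    if any(bad in raw_path for bad in TRAVERSAL_DENYLIST):
        return (False, None)
    try:
        resource = resolve_resource(raw_path)
    except ValueError:
        return (False, None)
    # The decision never looks at `resource`, only at the undecoded string.
    if raw_path.startswith(PUBLIC_PREFIX) or authenticated:
        return (True, resource)
    return (False, None)


def authorize_hardened(raw_path: str, authenticated: bool) -> Decision:
    """Canonicalize first, then decide on the string that will be served."""
    try:
        resource = resolve_resource(raw_path)
    except ValueError:
        return (False, None)
    if not resource.startswith(CONSOLE_PREFIX):
        return (False, None)             # escaped the application root
    if resource.startswith(PUBLIC_PREFIX) or authenticated:
        return (True, resource)
    return (False, None)


# Constructed sample requests, all unauthenticated.
SAMPLES = [
    "/console/css/style.css",                          # legitimate static file
    "/console/css/%252e%252e%252fconsole.portal",      # lowercase: deny-list hits
    "/console/css/%252E%252E%252Fconsole.portal",      # uppercase: deny-list misses
    "/console/css/%252E%252E/%252E%252E/etc/passwd",   # leaves the app root
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        print("  vulnerable:", authorize_vulnerable(sample, False))
        print("  hardened:  ", authorize_hardened(sample, False))
```

Running the file prints both decisions for each sample. The third sample is the one that matters: the raw path still starts with the public prefix and contains none of the deny-listed lowercase strings, so the vulnerable check lets it through, yet the resource the server resolves and serves is the non-public console.portal. The hardened check makes the same decision on the same canonical string the resolver uses, so a string deny-list is no longer part of the security boundary at all; bounding the number of decode rounds keeps an attacker from forcing unbounded nesting.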
Although the patch for CVE-2020-14882 shipped with the Oct. 21 update, Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, reported last week, based on honeypot data, that attackers are now actively targeting the flaw.
Oracle WebLogic servers continue to be heavily targeted. In May, Oracle urged customers to fast-track a patch for a critical WebLogic Server flaw under active attack, saying it had received numerous reports of attackers targeting the vulnerability, which had been patched the previous month.
In May 2019, researchers warned that malicious activity exploiting a recently disclosed critical Oracle WebLogic deserialization vulnerability (CVE-2019-2725) was surging, including to spread the REvil/Sodinokibi ransomware. In June 2019, Oracle said that a critical remote code-execution flaw in WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.