Oracle Puts Out Emergency Fix for Critical WebLogic Server Flaw!


Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.

The remote code-execution flaw (CVE-2020-14750) is low-complexity & requires no user interaction to exploit.

The vulnerability (CVE-2020-14750) has a CVSS base score of 9.8 out of 10, & is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username & password).

Vulnerability

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the Oct. 2020 Critical Patch Update,” says Eric Maurice, Director of Security Assurance at Oracle, in a Sunday advisory.

While specific details of the flaw were not disclosed, Oracle’s alert said it exists in the Console of the Oracle WebLogic Server & can be exploited via the HTTP network protocol. A potential attack has “low” complexity & no user interaction is required, commented Oracle.

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

CVE-2020-14750

Oracle released an out-of-band security alert to address a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! https://t.co/34wm2YYgnx #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) November 2, 2020

Oracle explained that the vulnerability “is related to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Server. CVE-2020-14882 was fixed by Oracle in the massive October release of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Bypassed

Security experts on Twitter have pointed to the fact that the fix for CVE-2020-14882 could be bypassed by merely changing the case of a character in the request. This sidesteps the path-traversal blacklist that was implemented to block the flaw, effectively bypassing the patch.

#CVE-2020–14882 Weblogic Unauthorized bypass RCE
http://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portal

POST:

_nfpb=true&_pageLabel=&handle=https://t.co/jBUfUasQC1.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)https://t.co/nU8xkK30DU pic.twitter.com/uLiggjHnQG

— Jas502n (@jas502n) October 28, 2020

Upon further analysis of the bypass, “The web application is making an authorisation decision based on the requested path but it is doing so without first fully decoding & canonicalizing the path,” outlined Craig Young, Security Researcher with Tripwire, in an analysis. “The result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource.”
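To make Young's point concrete, the following is an added illustration in Python; it is not Oracle's code and does not reproduce the actual WebLogic console logic. It models a hypothetical console whose image directory is reachable without login, a flawed check that authorizes the path after a single percent-decode, and a hardened check that fully decodes and canonicalizes the path before deciding.

```python
# Added illustration (not Oracle's code) of authorizing a path that has
# not been fully decoded and canonicalized, beside the corrected check.
from urllib.parse import unquote
import posixpath

# Hypothetical model: static images need no session, everything else does.
PUBLIC_PREFIX = "/console/images/"


def is_public_naive(raw_path: str) -> bool:
    """Flawed check: decodes once, blacklists a literal '..', then matches
    the prefix. A double-encoded '%252E%252E%252F' survives as '%2E%2E%2F',
    so the blacklist sees nothing and the prefix still matches."""
    once = unquote(raw_path)
    if ".." in once:
        return False
    return once.startswith(PUBLIC_PREFIX)


def resolve_naive(raw_path: str) -> str:
    """Downstream handler (modelled here) decodes a second time and resolves
    dot segments, so the resource served is not the one authorized."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def is_public_fixed(raw_path: str) -> bool:
    """Hardened check: decode until the path stops changing, reject paths
    that never stabilize, normalize dot segments, then authorize the
    canonical form that will actually be served."""
    path = raw_path
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return False  # still changing after 5 rounds: treat as hostile
    canonical = posixpath.normpath(path)
    if not canonical.startswith("/") or "\\" in canonical or "\x00" in canonical:
        return False
    return canonical.startswith(PUBLIC_PREFIX)
```

The decision and the resource lookup must be made on the same canonical string; any decoding that happens after the authorization check reopens the gap.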

Targeting

While the patch for CVE-2020-14882 was released during an Oct. 21 update, Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, observed last week that based on honeypot observations, cybercriminals are now actively targeting the flaw.

Oracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack.

Reports

The company said it had received numerous reports that attackers were targeting the vulnerability patched the month before.

In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the REvil/Sodinokibi ransomware. In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.
