A critical and easily exploitable remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server is being targeted by attackers. The issue has a CVSS base score of 9.8 out of 10 and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,” according to Eric Maurice, director of security assurance at Oracle.
The remote code-execution flaw is low-complexity and requires no user interaction to exploit.
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. The vulnerability—CVE-2020-14882—may allow attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.
The vulnerability affects the console component of Oracle WebLogic Server versions 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0, and has been patched by Oracle.
Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, said that SANS ISC’s honeypots are getting hit by exploit attempts originating from four IP addresses. For now, the attackers are only probing to see whether the target systems are vulnerable, but that’s likely because the honeypots did not return the “correct” response.
The PoC exploit was published on October 28th, and it didn’t take long for attackers to take advantage. Admins are advised to patch vulnerable systems as soon as possible.
Rapid7 Labs has also seen evidence of attackers looking for vulnerable WebLogic instances. According to Bob Rudis, Chief Security Data Scientist, “Due to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds.”
The recommendation is to patch as quickly as possible. If patching is not immediately possible, mitigations are the priority.
Oracle said that the vulnerability “is related to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. This issue was fixed by Oracle in the October release of its quarterly Critical Patch Update (CPU). Supported versions that are affected are 10.3.6.0.0, 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0 and 188.8.131.52
Security experts say that the fix for CVE-2020-14882 could be bypassed merely by changing the case of a character in the request. This sidesteps the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.
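The following added example (not code from the article or from Oracle) shows why a case-sensitive blacklist fails in the way described above, next to a check that decodes the path before inspecting it. The blacklist tokens, function names and request paths are constructed assumptions, and the double-encoded cases go beyond what the article states.

```python
from urllib.parse import unquote

# Assumed blacklist for illustration; the article does not list the real patterns.
BLACKLIST = ("%2e%2e", "%252e%252e", "..")

def naive_blacklist_blocks(path: str) -> bool:
    """Case-sensitive substring match: the kind of check a case change defeats."""
    return any(token in path for token in BLACKLIST)

def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (handles nested encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many encoding layers")

def normalized_check_blocks(path: str) -> bool:
    """Decode first, then reject any '..' path segment."""
    try:
        decoded = fully_decode(path)
    except ValueError:
        return True  # refuse requests with excessive encoding depth
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments

# Constructed request paths (hypothetical, not taken from any real log).
SAMPLE_PATHS = [
    "/console/static/logo.png",
    "/console/static/%2e%2e/private",
    "/console/static/%2E%2E/private",          # same bytes, hex digits upper-cased
    "/console/static/%252e%252e%252fprivate",
    "/console/static/%252E%252E%252Fprivate",  # double-encoded, upper-cased
]

def missed_by_blacklist(paths):
    """Paths the normalized check rejects but the blacklist lets through."""
    return [p for p in paths
            if normalized_check_blocks(p) and not naive_blacklist_blocks(p)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:45} blacklist={naive_blacklist_blocks(p)!s:5} "
              f"normalized={normalized_check_blocks(p)}")
    print("missed by blacklist:", missed_by_blacklist(SAMPLE_PATHS))
```

Percent-encoded hex digits are case-insensitive, so any filter that compares the raw request string against fixed tokens has to be replaced by one that normalizes first.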