CISA and Oracle Warn Over WebLogic Server Vulnerability
Software Giant Issues Rare Out-of-Band Fix For 'Severe' Bug
The U.S. Cybersecurity and Infrastructure Security Agency and Oracle are urging users to apply an emergency patch for a vulnerability in the software giant's WebLogic Server product that attackers are already exploiting, according to security researchers.
On Sunday, Oracle issued a rare out-of-band patch for the vulnerability, which is tracked as CVE-2020-14750 and has a CVSS score of 9.8 out of a possible 10, according to the alert.
After Oracle pushed out the patch, CISA issued its alert about CVE-2020-14750 on Monday, urging government and non-government users of WebLogic Server to apply the patch as soon as possible.
Oracle released an out-of-band security alert to address a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! https://t.co/34wm2YYgnx #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) November 2, 2020
CVE-2020-14750
Oracle first addressed the vulnerability in its WebLogic Server product during the company's October security update. At that point, the flaw was tracked as CVE-2020-14882, according to the update.
Due to the severity of the flaw, however, Oracle pushed out an additional fix that addresses concerns about the vulnerability in WebLogic, according to the alert.
CVE-2020-14750 is a remote code execution vulnerability within the WebLogic Server product and can be exploited over a network without the need for a username and password, according to the alert. To exploit the vulnerability, a threat actor would only have to send a malicious HTTP request to the WebLogic Server's management console to initiate the attack.
Once the vulnerability has been exploited, an attacker can run malicious code within WebLogic Server, according to the alert.
The company's alert notes that several versions of WebLogic Server are affected by CVE-2020-14750, including 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
"Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," Oracle notes.
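As an added triage example (not code from the article, Oracle or CISA), the script below checks a reported WebLogic version against the affected list in Oracle's alert and flags administration-console requests in constructed access-log lines that arrive from outside an assumed management network. The /console path, the Common Log Format and the 10.0.0.0/8 management range are assumptions.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Versions the Oracle alert lists as affected by CVE-2020-14750 (from the article).
AFFECTED_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}

# Assumption: only these networks should ever reach the administration console.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: Common Log Format, and the admin console is served under /console.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CONSOLE_PREFIX = "/console"


def is_affected(version: str) -> bool:
    """True if the reported WebLogic version is on Oracle's affected list."""
    return version.strip() in AFFECTED_VERSIONS


def console_hits_from_outside(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return console requests whose source address is outside the management networks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; real logs may differ from the assumed format
        path = m.group("path")
        if path != CONSOLE_PREFIX and not path.startswith(CONSOLE_PREFIX + "/"):
            continue  # not a console request
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in net for net in MANAGEMENT_NETS):
            continue  # expected administrative access from the management range
        hits.append({"ip": str(src), "path": path, "status": int(m.group("status"))})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [30/Oct/2020:09:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '203.0.113.7 - - [30/Oct/2020:09:00:05 +0000] "GET /console/ HTTP/1.1" 200 5678',
    '203.0.113.7 - - [30/Oct/2020:09:00:06 +0000] "GET /index.html HTTP/1.1" 404 120',
    '198.51.100.9 - - [30/Oct/2020:09:00:09 +0000] "GET /console HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("12.2.1.4.0 affected:", is_affected("12.2.1.4.0"))
    for hit in console_hits_from_outside(SAMPLE_LOG):
        print("console request from outside the management network:", hit)
```

Any host that is both on the affected list and shows console requests from outside the management range should, per Ullrich's advice below, be treated as compromised rather than merely unpatched.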
Active Exploits
A few days after Oracle announced the original vulnerability in its October security update, researchers noted that proof-of-concept attacks had already appeared and warned the flaw was under active exploit.
Johannes Ullrich, dean of research at the SANS Technology Institute, published a post on Oct. 29 that noted the organization's honeypots had detected internet-wide scans that were looking for potentially unpatched and vulnerable WebLogic Servers.
"At this point, we are seeing the scans slow down a bit," Ullrich noted. "But they have reached 'saturation' meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised."
Other proof-of-concept exploits have also been posted to GitHub.
Security firm Spyse reported that some 3,000 Oracle WebLogic Servers are unpatched for the CVE-2020-14750 vulnerability.
Explore through 3.3k of IP addresses exposed to CVE-2020-14882 (Vulnerability in the Oracle WebLogic Server). Easy #BugBounty pic.twitter.com/vQefXmKt0J
— Spyse (@SpyseHQ) October 28, 2020
In addition to CVE-2020-14750, CISA has been urging government and non-government organizations to patch for another severe vulnerability dubbed "Zerologon," which affects certain versions of Windows. In this case, a partial fix is available, but Microsoft will only roll out a full patch in the first half of 2021 (see: Agencies Urged to Patch Netlogon Flaw Before Election).