Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.
The vulnerability (CVE-2020-14750) has a CVSS base score of 9.8 out of 10, and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,” according to Eric Maurice, director of security assurance at Oracle, in a Sunday advisory.
While specific details of the flaw were not disclosed, Oracle’s alert said it exists in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. A potential attack has “low” complexity and no user interaction is required, said Oracle.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0.
— US-CERT (@USCERT_gov) November 2, 2020
Oracle said that the vulnerability “is related to” CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. CVE-2020-14882 was fixed by Oracle in the massive October release of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 18.104.22.168.0, 22.214.171.124.0, 126.96.36.199.0 and 188.8.131.52.0.
Security experts on Twitter have pointed to the fact that the fix for CVE-2020-14882 could be bypassed by merely changing the case of a character in their request. This would thus sidestep the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.
#CVE-2020–14882 Weblogic Unauthorized bypass RCE
— Jas502n (@jas502n) October 28, 2020
Upon further analysis of the bypass, “The web application is making an authorization decision based on the requested path but it is doing so without first fully decoding and canonicalizing the path,” said Craig Young, security researcher with Tripwire, in an analysis. “The result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource.”
While the patch for CVE-2020-14882 was released during an Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said last week that based on honeypot observations, cybercriminals are now actively targeting the flaw.
Oracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month. In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the REvil/Sodinokibi” ransomware. In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.