Oracle WebLogic Server vulnerability being exploited
Update 4 November: Oracle has released a patch for CVE-2020-14750, which is an additional fix to the original October patch addressing the CVE-2020-14882 vulnerability covered in this advisory. CVE-2020-14750 is also exploitable from a single GET request and leads to remote code execution. The patch for CVE-2020-14750 is not cumulative so you must first install the patch for CVE-2020-14882.
Oracle’s Security Alert Advisory is available on Oracle’s website.
CERT NZ is aware of a critical vulnerability in the Oracle WebLogic Server being actively exploited. The vulnerability, CVE-2020-14882, is remotely exploitable without authentication.
Oracle has released a patch to mitigate this vulnerability. There are conflicting reports about the patch’s effectiveness, so CERT NZ recommends applying the patch and also implementing further defence-in-depth mitigations.
Oracle has stated the vulnerability affects users of WebLogic Server versions:
What this means
This vulnerability is exploitable from a single HTTP GET request, which allows for arbitrary commands to be executed in the security context of the WebLogic server.
Attackers are able to exploit these vulnerabilities to run their own code. Previously, similar vulnerabilities have been used to run mining software for cryptocurrency or deploy ransomware.
What to look for
How to tell if you're at risk
You are affected by this vulnerability if you are using WebLogic Server versions:
What to do
Make sure you are using a supported WebLogic server and immediately apply the patches released by Oracle.
In addition to patching, CERT NZ recommends you take additional measures, including:
- planning for out-of-cycle patches
- engaging with Oracle about upcoming patches
- monitoring effectiveness of patches and future bypasses
- implementing defence-in-depth measures such as web application firewalls, and any other controls relevant to your network.
Implement the patches released by Oracle immediately.
If you are running an unsupported version, Oracle recommends upgrading to a supported version as soon as possible.
Operating system controls such as SELinux or AppArmor could be used to mitigate the impact of an attack. When correctly implemented, these controls limit the resources that the affected process has access to, so that commands executed through the vulnerability inherit that restricted environment.
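As an added illustration of the operating system containment described above (an example written for this page, not code from CERT NZ or Oracle), the following AppArmor profile confines the JVM that runs a WebLogic server so that it can only read its install tree, write to its domain directory, and use TCP sockets; the install paths under /opt/oracle and the profile name are assumptions and must be changed to match the host.

```apparmor
# Example AppArmor profile (constructed; all paths are assumptions) for the JVM
# that runs a WebLogic server. Load with: apparmor_parser -r <this file>
#include <tunables/global>

profile weblogic-java /opt/oracle/jdk/bin/java flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The JVM and its libraries: read and memory-map only
  /opt/oracle/jdk/bin/java mr,
  /opt/oracle/jdk/lib/** mr,
  /opt/oracle/jdk/** r,

  # WebLogic product tree is read-only at runtime
  /opt/oracle/middleware/** r,

  # Only the domain directory (logs, tmp, deployments) is writable
  owner /opt/oracle/domains/base_domain/** rwk,

  # Listen and connect over TCP only; no raw sockets
  network inet stream,
  network inet6 stream,

  # Code run inside this process via the vulnerability must not reach a shell
  # or a freshly written binary. Execution is denied by default in a whitelist
  # profile; these explicit audit rules make such attempts show up in the log.
  audit deny /bin/** x,
  audit deny /usr/bin/** x,
  audit deny /usr/sbin/** x,
  audit deny /tmp/** x,
  audit deny /var/tmp/** x,
  audit deny /dev/shm/** x,
  audit deny owner /opt/oracle/domains/base_domain/** x,
}
```

Run the profile in complain mode first and review the AppArmor entries in the audit log for legitimate accesses the server needs, then switch it to enforce mode with aa-enforce.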
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.