4:15pm, 30 Oct 2020
TLP Rating: White
Oracle WebLogic Server vulnerability being exploited
Update 4 November: Oracle has released a patch for CVE-2020-14750, which is an additional fix to the original October patch addressing the CVE-2020-14882 vulnerability covered in this advisory. CVE-2020-14750 is also exploitable from a single GET request and leads to remote code execution. The patch for CVE-2020-14750 is not cumulative so you must first install the patch for CVE-2020-14882.
Oracle’s Security Alert Advisory is available on Oracle’s website.
CERT NZ is aware of a critical vulnerability in the Oracle WebLogic Server being actively exploited. The vulnerability, CVE-2020-14882, is remotely exploitable without authentication.
Oracle has released a patch to mitigate this vulnerability. There are conflicting reports about the patch’s effectiveness, so CERT NZ recommends applying the patch and also implementing further defence-in-depth mitigations.