4:15pm, 30 Oct 2020

TLP Rating: White

Oracle WebLogic Server vulnerability being exploited

Update 4 November: Oracle has released an out-of-band Security Alert patch for CVE-2020-14750, a follow-on fix to the October 2020 Critical Patch Update that addressed CVE-2020-14882, the vulnerability covered in this advisory. Like CVE-2020-14882, CVE-2020-14750 is exploitable without authentication from a single GET request and leads to remote code execution. The CVE-2020-14750 patch is not cumulative: you must first apply the October patch for CVE-2020-14882 and then apply the CVE-2020-14750 patch on top of it. A server that has only the October patch applied should still be treated as vulnerable.

Oracle’s Security Alert Advisory for CVE-2020-14750 is available on Oracle’s website.

--

CERT NZ is aware of a critical vulnerability in Oracle WebLogic Server that is being actively exploited. The vulnerability, CVE-2020-14882, affects the WebLogic Administration Console and is remotely exploitable without authentication: an attacker who can reach the console over the network can exploit it without a username or password.

Oracle has released a patch for this vulnerability. There are conflicting reports about the patch’s effectiveness, so CERT NZ recommends applying the patch and also implementing defence-in-depth mitigations, such as restricting network access to the Administration Console to trusted administrative hosts and reviewing web server logs for unauthenticated requests to the console.
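Because both CVE-2020-14882 and CVE-2020-14750 are triggered by a single unauthenticated GET to the Administration Console, a quick defence-in-depth check is to scan web access logs for console requests that either carry an encoded directory traversal or come from outside the administrative network. The script below is an added example written for this advisory; it is not CERT NZ or Oracle code. It assumes (not stated on this page) the publicly documented exploit shape of a double-URL-encoded `..` under `/console/images/` to reach `console.portal` unauthenticated, an Apache combined log format, and a hypothetical admin network of 10.0.0.0/8. The sample log lines are constructed.

```python
"""Flag access-log lines that look like unauthenticated probing of the
WebLogic Administration Console (CVE-2020-14882 / CVE-2020-14750).

Added example for this advisory, not CERT NZ or Oracle code. Assumptions:
the public exploit is a single GET under /console/ whose path hides '..'
behind double URL-encoding (e.g. %252E%252E), and legitimate console use
comes only from an allowlisted administrative network (10.0.0.0/8 here).
"""
import ipaddress
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Apache "combined"-style line: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical admin network; replace with your own management ranges.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# A '..' path segment anywhere in the decoded path.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252E%252E (double-encoded) becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str) -> Optional[dict]:
    """Return a verdict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m.group("path").split("?", 1)[0]   # drop the query string
    decoded_case = decode_fully(raw_path)
    decoded = decoded_case.lower()
    ip = ipaddress.ip_address(m.group("ip"))

    from_admin = any(ip in net for net in ADMIN_NETS)
    console = decoded.startswith("/console")
    traversal = bool(TRAVERSAL.search(decoded))

    if console and traversal:
        verdict = "exploit_attempt"            # traversal inside the console app
    elif console and not from_admin:
        verdict = "console_from_untrusted_net"  # console reachable from outside
    else:
        verdict = "ok"
    return {
        "ip": str(ip),
        "path": raw_path,
        "decoded": decoded,
        "status": int(m.group("status")),
        "verdict": verdict,
        # True when the '..' only appeared after percent-decoding
        "encoded_traversal": traversal and decoded_case != raw_path,
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Return only the lines that deserve a look, in log order."""
    return [r for r in (classify(l) for l in lines) if r and r["verdict"] != "ok"]


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2020:16:10:01 +1300] "GET /console/images/%252E%252E/console.portal?_nfpb=true HTTP/1.1" 200 5123
10.1.2.3 - - [30/Oct/2020:16:11:45 +1300] "GET /console/console.portal HTTP/1.1" 200 8192
198.51.100.9 - - [30/Oct/2020:16:12:07 +1300] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
203.0.113.7 - - [30/Oct/2020:16:12:30 +1300] "GET /images/logo.png HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['verdict']:28} {hit['ip']:15} {hit['path']} -> {hit['decoded']}")
```

Running the script on the constructed log flags the first line as an exploit attempt (the traversal only appears after decoding twice, which is why the check decodes repeatedly rather than once) and the third as console access from an untrusted network; the admin-network hit and the static image are left alone. A 200 response to a traversal request is the line to escalate, since a patched server should reject it.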