Oracle rushes out emergency patch for flaw in WebLogic servers


(Image credit: Future)

Oracle has released an emergency patch to address a vulnerability in its WebLogic servers after a previous patch could easily be bypassed by an attacker.

The original patch was released as part of the company’s October 2020 security updates as a fix for a vulnerability, tracked as CVE-2020-14882, while the new patch, tracked as CVE-2020-14750, adds additional fixes.

If exploited, CVE-2020-14882 can allow an attacker to execute malicious code on one of Oracle’s WebLogic servers with elevated privileges before its authentication kicks in. Unfortunately, this vulnerability can be easily exploited by sending a booby-trapped HTTP GET request to the management console of a WebLogic server.

Once Oracle released a patch for the vulnerability, proof-of-concept (PoC) exploit code was made public and cybercriminals have already started using it to launch attacks against vulnerable servers. In fact, the SANS Internet Storm Center (ISC) reported that attackers had already launched attacks against its WebLogic honeypots.

Patching a bad patch

Editor at Risky.Biz Brett Winterford provided further insight on what went wrong with Oracle’s initial patch in a tweet, saying:

“Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). In Oracle’s rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request.”

This means that the original patch for CVE-2020-14882 could be bypassed by an attacker simply by changing the case of a single character in the PoC exploit. Once WebLogic servers began being attacked in the wild, Oracle issued a second set of patches to address the vulnerability once and for all.

Organizations running WebLogic servers should install the second patch to protect their devices from both the original vulnerability and its bypass.

Via ZDNet

November 3, 2020
To Top