A remote code execution vulnerability in Oracle WebLogic Server has been actively exploited in the wild just one week after a patch was released and one day after a proof of concept was published.Update October 30, 2020: The solutions section has been updated to reflect the disclosure of a potential bypass of the patch for CVE-2020-14882.Update November 2, 2020: The solutions section has been updated to reflect the release of a patch to address the potential bypass of the patch for CVE-2020-14482.

CVE-2020-14882: Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Weblogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.4.0 & 14.1.1.0.0 suffer from a weakness allowing to bypass authentication and to access the management panel due to a bad character management %252e (".") & %252f ("/").

In some cases, exploiting this vulnerability can lead to the execution of arbitrary code on the server.

Oracle proposes the associated patches on its site to fix the vulnerability.

The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the Oracle Fusion Middleware Console subcomponent. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to execute arbitrary commands.

No reliable remote exploit has been published for Oracle WebLogic Server 10.3.6.X or 12.1.3.X, so Nessus will not be able to determine if the remote server is affected or not for these versions.

The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2020 CPU advisory.

  - An unspecified vulnerability exists in the Console component. An unauthenticated, remote attacker with     network access via HTTP can exploit this issue to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14750, CVE-2020-14882)

  - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit     this issue via the IIOP and T3 protocols to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14859)

  - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit     this issue via the IIOP protocol to compromise the server. Successful attacks of this vulnerability can     result in takeover of Oracle WebLogic Server. (CVE-2020-14841)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
112705	Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.4.0 / 14.1.1.0.0 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
142594	Oracle WebLogic Server RCE (CVE-2020-14882)	Nessus	Web Servers	critical
141807	Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)	Nessus	Misc.	critical

Detections

Analytics

CVE-2020-14882

critical

Tenable Plugins

critical

critical

critical