{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-053.pdf"
    },
    "title": "Critical Vulnerability in Oracle WebLogic Server",
    "serial_number": "2020-053",
    "publish_date": "30-10-2020 16:38:00",
    "description": "In October, within the monthly Critical Patch Update Advisory addressing hundreds of vulnerabilities, Oracle released an update about a critical vulnerability affecting WebLogic Server. This vulnerability may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers. This bug has been assigned CVE-2020-14882, has a CVSS score of 9.8, and is now being reported as being exploited in the wild.",
    "url_title": "2020-053",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Oracle\u00a0WebLogic\u00a0Server'\nversion: '1.0'\nnumber: '2020-053'\ndate: 'October 30, 2020'\n---\n\n_History:_\n\n* _30/10/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nIn October, within the monthly Critical Patch Update Advisory addressing hundreds of vulnerabilities [1], Oracle released an update about a **critical vulnerability affecting WebLogic Server**. This vulnerability may allow **unauthenticated attackers** with network access via HTTP to achieve **total compromise and takeover** of vulnerable Oracle WebLogic Servers [2]. This bug has been assigned **CVE-2020-14882**, has a **CVSS score of 9.8**, and is now being reported as being **exploited in the wild** [3].\n\n# Technical Details\n\nThe bug involves different weaknesses in the way the server handles user-supplied requests. An attacker could send a simple HTTP GET request to exploit the vulnerability, execute code and get full control of the server [4].\n\nTo address this vulnerability, a patch has been released by Oracle in October 2020. **This vulnerability is now reported to be under active exploitation** [5].\n\n# Affected Products\n\nThe vulnerability exists in Oracle WebLogic Server, versions [1]:\n\n- 10.3.6.0.0,\n- 12.1.3.0.0,\n- 12.2.1.3.0,\n- 12.2.1.4.0,\n- 14.1.1.0.0.\n\n# Recommendations\n\nIt is recommended to apply the necessary patches from the October Oracle Critical Patch Update [1] as soon as possible and to look for any indicators of compromise on your network, beginning with firewall logs.\n\n## Detection of Exploitation\n\nThe following strings in GET requests could be an indication of successful exploitation [5]:\n\n- `/console/images/%252E%252E%252Fconsole.portal`\n- `/console/css/%252E%252E%252Fconsole.portal`\n\n# References\n\n[1] <https://www.oracle.com/security-alerts/cpuoct2020.html>\n\n[2] <https://www.helpnetsecurity.com/2020/10/29/cve-2020-14882/>\n\n[3] <https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-targeted-in-attacks/>\n\n[4] <https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf>\n\n[5] <https://isc.sans.edu/diary/rss/26734>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>30/10/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>In October, within the monthly Critical Patch Update Advisory addressing hundreds of vulnerabilities [1], Oracle released an update about a <strong>critical vulnerability affecting WebLogic Server</strong>. This vulnerability may allow <strong>unauthenticated attackers</strong> with network access via HTTP to achieve <strong>total compromise and takeover</strong> of vulnerable Oracle WebLogic Servers [2]. This bug has been assigned <strong>CVE-2020-14882</strong>, has a <strong>CVSS score of 9.8</strong>, and is now being reported as being <strong>exploited in the wild</strong> [3].</p><h2 id=\"technical-details\">Technical Details</h2><p>The bug involves different weaknesses in the way the server handles user-supplied requests. An attacker could send a simple HTTP GET request to exploit the vulnerability, execute code and get full control of the server [4].</p><p>To address this vulnerability, a patch has been released by Oracle in October 2020. <strong>This vulnerability is now reported to be under active exploitation</strong> [5].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability exists in Oracle WebLogic Server, versions [1]:</p><ul><li>10.3.6.0.0,</li><li>12.1.3.0.0,</li><li>12.2.1.3.0,</li><li>12.2.1.4.0,</li><li>14.1.1.0.0.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to apply the necessary patches from the October Oracle Critical Patch Update [1] as soon as possible and to look for any indicators of compromise on your network, beginning with firewall logs.</p><h3 id=\"detection-of-exploitation\">Detection of Exploitation</h3><p>The following strings in GET requests could be an indication of successful exploitation [5]:</p><ul><li><code>/console/images/%252E%252E%252Fconsole.portal</code></li><li><code>/console/css/%252E%252E%252Fconsole.portal</code></li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.oracle.com/security-alerts/cpuoct2020.html\">https://www.oracle.com/security-alerts/cpuoct2020.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.helpnetsecurity.com/2020/10/29/cve-2020-14882/\">https://www.helpnetsecurity.com/2020/10/29/cve-2020-14882/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-targeted-in-attacks/\">https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-targeted-in-attacks/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf\">https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://isc.sans.edu/diary/rss/26734\">https://isc.sans.edu/diary/rss/26734</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}