{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-054.pdf"
    },
    "title": "Critical Vulnerability in Oracle WebLogic Server",
    "serial_number": "2020-054",
    "publish_date": "03-11-2020 15:13:00",
    "description": "On the 1st of November 2020, Oracle released an out-of-band patch to address a critical vulnerability (CVSS score 9.8) that has been assigned CVE-2020-14750. According to Oracle, this bug is linked to the vulnerability CVE-2020-14882. However, Oracle did not provide any information about the relationship between the two security flaws. The CVE-2020-14750 vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code on the server.",
    "url_title": "2020-054",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Oracle\u00a0WebLogic\u00a0Server'\nversion: '1.0'\nnumber: '2020-054'\ndate: 'November 3, 2020'\n---\n\n_History:_\n\n* _3/11/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 1st of November 2020, Oracle released an out-of-band patch to address a critical vulnerability (**CVSS score 9.8**) that has been assigned **CVE-2020-14750** [1]. According to Oracle, this bug is linked to the vulnerability **CVE-2020-14882** [2]. However, Oracle did not provide any information about the relationship between the two security flaws. The CVE-2020-14750 vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code on the server.\n\n# Technical Details\n\nOracle did not provide any technical information about the vulnerability. However, some sources believe the CVE-2020-14750 patch addresses a bypass of the CVE-2020-14882 patch, released a few days earlier [3].\n\nAs a reminder, the **CVE-2020-14882** vulnerability involves different weaknesses in the way the server handles user-supplied requests. An attacker could send a simple HTTP GET request to exploit the vulnerability, execute code and gain full control of the server [4].\n\n# Affected Products\n\nThe vulnerability exists in Oracle WebLogic Server, versions [1]:\n\n- 10.3.6.0.0,\n- 12.1.3.0.0,\n- 12.2.1.3.0,\n- 12.2.1.4.0,\n- 14.1.1.0.0.\n\n# Recommendations\n\nIt is recommended to apply the necessary patches from the October Oracle Critical Patch Update [1] as soon as possible and to look for any indicators of compromise on your network, beginning with firewall logs.\n\n# References\n\n[1] <https://www.oracle.com/security-alerts/alert-cve-2020-14750.html>\n\n[2] <https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-053.pdf>\n\n[3] <https://www.bleepingcomputer.com/news/security/oracle-issues-emergency-patch-for-critical-weblogic-server-flaw/>\n\n[4] <https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>3/11/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 1st of November 2020, Oracle released an out-of-band patch to address a critical vulnerability (<strong>CVSS score 9.8</strong>) that has been assigned <strong>CVE-2020-14750</strong> [1]. According to Oracle, this bug is linked to the vulnerability <strong>CVE-2020-14882</strong> [2]. However, Oracle did not provide any information about the relationship between the two security flaws. The CVE-2020-14750 vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code on the server.</p><h2 id=\"technical-details\">Technical Details</h2><p>Oracle did not provide any technical information about the vulnerability. However, some sources believe the CVE-2020-14750 patch addresses a bypass of the CVE-2020-14882 patch, released a few days earlier [3].</p><p>As a reminder, the <strong>CVE-2020-14882</strong> vulnerability involves different weaknesses in the way the server handles user-supplied requests. An attacker could send a simple HTTP GET request to exploit the vulnerability, execute code and gain full control of the server [4].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability exists in Oracle WebLogic Server, versions [1]:</p><ul><li>10.3.6.0.0,</li><li>12.1.3.0.0,</li><li>12.2.1.3.0,</li><li>12.2.1.4.0,</li><li>14.1.1.0.0.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to apply the necessary patches from the October Oracle Critical Patch Update [1] as soon as possible and to look for any indicators of compromise on your network, beginning with firewall logs.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.oracle.com/security-alerts/alert-cve-2020-14750.html\">https://www.oracle.com/security-alerts/alert-cve-2020-14750.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-053.pdf\">https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-053.pdf</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/oracle-issues-emergency-patch-for-critical-weblogic-server-flaw/\">https://www.bleepingcomputer.com/news/security/oracle-issues-emergency-patch-for-critical-weblogic-server-flaw/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf\">https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}