As seen in The Register on 3 November 2020

Oracle has released an emergency patch after a security vulnerability was revealed in its WebLogic middleware last week.

The security alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server.

“This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password,” Oracle said in a security alert.

“Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

Big Red said the patch should be applied to Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.

The patch is designed to address the flaw revealed last week by Johannes Ullrich, dean of research at the SANS Technology Institute. He spotted a massive spike in traffic on research “honeypot” systems as somebody tried to identify public-facing WebLogic servers that weren’t patched against CVE-2020-14882. The flaw, with a CVSS score of 9.8, is an “easily exploitable vulnerability” in the application’s console that can be targeted over HTTP without user interaction to execute code remotely.

“If you find a vulnerable server in your network, assume it has been compromised,” Ullrich said.

Martin Biggs, vice president and general manager with Oracle and SAP support specialist Spinnaker Support, said the attack exploited authentication functions that were “not originally coded to a high standard, allowing a double encoding attack vulnerability”.

However, the problem was only likely to apply to those taking a high-risk approach to middleware architecture, he added.

“It affects the Weblogic server where the admin console is on the open internet which is extremely bad practice. [If you did that] you’d expose managed servers, not the admin server on the open internet.”

He advised users not to allow WebLogic Console access via open internet and to use a proxy server as a gateway between WLS server and the internet, configuring WebLogic Connection filters to accept connections from trusted hosts only.

Still, it will be an embarrassment for Oracle to have to issue the patch after its mega quarterly update, which issued 402 fixes. Whoops. Seems like you missed one, Larry.