{"id":41510,"date":"2020-11-03T10:58:58","date_gmt":"2020-11-03T10:58:58","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=0ed1156bc5ff37aeb8625dd14a180f6d"},"modified":"2020-11-03T10:58:58","modified_gmt":"2020-11-03T10:58:58","slug":"oracle-releases-emergency-weblogic-server-patch-to-fix-rce-flaw","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/oracle-releases-emergency-weblogic-server-patch-to-fix-rce-flaw\/","title":{"rendered":"Oracle releases emergency WebLogic Server patch to fix RCE flaw"},"content":{"rendered":"<p><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/rene-millman\">Rene Millman<\/a><\/p>\n<p>3 Nov, 2020<\/p>\n<div class=\"field field-name-body\">\n<p>Oracle has issued an out-of-band patch for a critical remote code execution (RCE) flaw affecting multiple Oracle WebLogic Server versions.<\/p>\n<p>The vulnerability, tracked as CVE-2020-14750, can be exploited remotely over the network by sending an HTTP GET request to the server&#8217;s administration console component. It requires no user interaction and no username or password.<\/p>\n<p>&#8220;Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,&#8221; Oracle explained in an <a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2020-14750.html\">advisory<\/a>.<\/p>\n<p>The advisory lists the supported Oracle WebLogic Server versions affected by CVE-2020-14750 as 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.<\/p>\n<p>Proof-of-concept exploit code was made public on <a href=\"https:\/\/github.com\/jas502n\/CVE-2020-14882\">GitHub<\/a>. According to security firm <a href=\"https:\/\/twitter.com\/SpyseHQ\/status\/1321551194549112832\">Spyse<\/a>, around 3,300 WebLogic servers were exposed to the internet at the time and could be vulnerable to the flaw.<\/p>\n<p>In a <a href=\"https:\/\/blogs.oracle.com\/security\/security-alert-cve-2020-14750-released\">blog post<\/a>, Eric Maurice, director of Security Assurance at Oracle, shared a <a href=\"https:\/\/docs.oracle.com\/en\/middleware\/standalone\/weblogic-server\/14.1.1.0\/lockd\/secure.html#GUID-8C0CC8CF-3D16-4DC1-BF54-1C1B17D2CEF8\">link<\/a> to Oracle&#8217;s guidance on securing a production WebLogic environment, to help users harden affected servers. Until the patch is applied, restricting network access to the console component is the obvious compensating control, since that is the component through which the flaw is reached.<\/p>\n<p>He also said the vulnerability is related to CVE-2020-14882, which was addressed in the <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpuoct2020.html\">October 2020 Critical Patch Update<\/a>. That flaw likewise allowed an attacker with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers. Because CVE-2020-14750 needed its own Security Alert after the October update shipped, having applied the October Critical Patch Update alone does not cover it; the Security Alert patch must be applied as well.<\/p>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) also <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2020\/11\/02\/oracle-releases-out-band-security-alert\">warned<\/a> users about the dangers of the vulnerability and encouraged administrators to apply the patch as soon as possible.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>
Rene Millman<\/p>\n<p>        3 Nov, 2020    <\/p>\n<p>      Oracle has been forced to issue an\u00a0out-of-band patch to fix a critical remote code execution (RCE) flaw affecting multiple Oracle WebLogic Server versions.<br \/>\nThe vulnerability, tracked as CVE-2020-&#8230;<\/p>\n","protected":false},"author":417,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41510","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/417"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41510"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41510\/revisions"}],"predecessor-version":[{"id":41511,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41510\/revisions\/41511"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
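The article's two actionable facts are that CVE-2020-14750 is reached with an unauthenticated HTTP GET to the WebLogic administration console, and that a specific set of versions is affected. The following is an added example, not code from the article, Oracle, or the post's author: it triages access-log lines for console requests arriving from outside an administrative network and checks a reported version string against the advisory's affected list. It assumes the console is served under WebLogic's default `/console` context path, that logs are in common log format, and that `10.0.0.0/8` is the admin network; the log lines are constructed for the example, not real traffic.

```python
"""Added example (not from the article or Oracle): flag unauthenticated
HTTP GET requests to the WebLogic console from non-admin sources, and
check a version string against the CVE-2020-14750 affected list."""
import ipaddress
import re
from typing import Dict, List

# Supported versions the Oracle Security Alert lists as affected by CVE-2020-14750.
AFFECTED_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}

# Assumption: the console lives under the default /console context path.
CONSOLE_PREFIX = "/console"

# Hypothetical admin network; replace with your own management ranges.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [03/Nov/2020:10:58:58 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4821
203.0.113.7 - - [03/Nov/2020:11:02:14 +0000] "GET /console/ HTTP/1.1" 302 0
203.0.113.7 - - [03/Nov/2020:11:02:15 +0000] "GET /console/css/console.portal HTTP/1.1" 200 1337
198.51.100.9 - - [03/Nov/2020:11:05:00 +0000] "GET /shop/index.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse common-log-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_admin_source(ip: str) -> bool:
    """True if the client address falls inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def flag_console_hits(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return GET requests under /console that came from outside the admin networks.

    No credential check is applied: the article's point is that the flaw needs
    none, so any console traffic from an untrusted source is worth a look.
    """
    return [
        e for e in entries
        if e["method"] == "GET"
        and e["path"].startswith(CONSOLE_PREFIX)
        and not is_admin_source(e["ip"])
    ]


def count_by_source(flagged: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate flagged requests per client address for a quick triage view."""
    counts: Dict[str, int] = {}
    for e in flagged:
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


def is_affected_version(version: str) -> bool:
    """True if the version string matches one the advisory lists as affected."""
    return version.strip() in AFFECTED_VERSIONS


if __name__ == "__main__":
    hits = flag_console_hits(parse_log(SAMPLE_LOG))
    for ip, n in count_by_source(hits).items():
        print(f"{ip}: {n} console request(s) from outside admin networks")
    print("12.2.1.4.0 affected:", is_affected_version("12.2.1.4.0"))
```

On the sample data the two `/console` requests from 203.0.113.7 are flagged and the one from the admin range is not; a real deployment would feed the server's own access log through `parse_log` and treat any flagged source as a sign the console is reachable from where it should not be.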