
Oracle patches severe flaw in WebLogic Server that could be exploited 'without the need for a username and password'
2020-11-03 14:12

The security alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server that bypasses the incomplete fix Oracle shipped for CVE-2020-14882 in the October 2020 Critical Patch Update.

"This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password," Oracle said in a security alert.

Big Red said the patch should be applied to Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.

"It affects the WebLogic server where the admin console is on the open internet, which is extremely bad practice. You'd expose managed servers, not the admin server, on the open internet."

He advised users not to expose the WebLogic Administration Console to the open internet, to place a proxy server as a gateway between the WebLogic Server (WLS) instance and the internet, and to configure WebLogic connection filters so the server accepts connections from trusted hosts only.
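The connection-filter advice is easy to get subtly wrong, because WebLogic's built-in filter accepts any connection that no rule matches. The following is an added example, not code from Oracle, The Register or the quoted administrator: a small Python evaluator for rules in the format Oracle documents for weblogic.security.net.ConnectionFilterImpl (target, local address, local port, action, optional protocol list; first matching rule wins; no match means accept). The rule syntax, the default-accept behaviour and the rule sets and addresses below are assumptions constructed for the example and should be checked against the documentation for your WebLogic release before being used.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not Oracle code. Rule syntax assumed to follow the
# documented ConnectionFilterImpl format:
#   target localAddress localPort action [protocol ...]
# Rules are evaluated top to bottom; the first match decides; if nothing
# matches the connection is accepted. All rule text and hosts below are
# constructed for the example.


@dataclass(frozen=True)
class Rule:
    target: ipaddress.IPv4Network | ipaddress.IPv6Network
    local_addr: str        # '*' or a literal local listen address
    local_port: str        # '*' or a port number as text
    action: str            # 'allow' or 'deny'
    protocols: frozenset   # empty set matches every protocol


def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines; '#' starts a comment and blank lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need target localAddr localPort action: {raw!r}")
        target, local_addr, local_port, action, *protocols = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny, got {action!r}")
        if local_port != "*" and not local_port.isdigit():
            raise ValueError(f"line {lineno}: bad local port {local_port!r}")
        rules.append(Rule(
            target=ipaddress.ip_network(target, strict=False),
            local_addr=local_addr,
            local_port=local_port,
            action=action,
            protocols=frozenset(p.lower() for p in protocols),
        ))
    return rules


def evaluate(rules: list[Rule], remote_ip: str, local_ip: str,
             local_port: int, protocol: str) -> str:
    """Return 'allow' or 'deny' for one inbound connection (first matching rule wins)."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if remote not in rule.target:
            continue
        if rule.local_addr != "*" and rule.local_addr != local_ip:
            continue
        if rule.local_port != "*" and int(rule.local_port) != local_port:
            continue
        if rule.protocols and protocol.lower() not in rule.protocols:
            continue
        return rule.action
    # No rule matched: the filter accepts the connection. This default-allow
    # is why a rule set needs an explicit catch-all deny at the end.
    return "allow"


# Constructed rule sets for an admin-server listener on port 7001.
# Weak: an allow rule alone. Anything outside 10.0.0.0/8 falls through to default-allow.
WEAK_RULES = """
10.0.0.0/8 * 7001 allow t3 t3s http https
"""

# Hardened: the same allow rule, followed by a catch-all deny for the same port.
HARDENED_RULES = """
10.0.0.0/8 * 7001 allow t3 t3s http https   # trusted proxy / admin network only
0.0.0.0/0  * 7001 deny                      # everything else on the console port
"""

INTERNET_HOST = "203.0.113.5"   # constructed external address (TEST-NET-3)
TRUSTED_HOST = "10.20.30.40"    # constructed internal address
LOCAL_IP = "10.1.2.3"           # constructed listen address of the admin server


def main() -> None:
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        rules = parse_rules(text)
        for host, proto in ((INTERNET_HOST, "http"), (TRUSTED_HOST, "t3"), (TRUSTED_HOST, "iiop")):
            verdict = evaluate(rules, host, LOCAL_IP, 7001, proto)
            print(f"{name:9s} {host:14s} {proto:5s} -> {verdict}")


if __name__ == "__main__":
    main()
```

Running it shows the point the article only implies: with the weak rule set the internet host is still accepted on port 7001, because the single allow rule never matched and the filter's default is to accept; the hardened set denies it while still admitting the trusted network on the listed protocols. Two further caveats the evaluator makes visible: a trusted host using a protocol not in the allow list (iiop here) hits the catch-all deny, and the deny is scoped to port 7001 only, so every listen port that should be restricted needs its own deny rule. The filter only takes effect once the domain's Connection Filter setting points at ConnectionFilterImpl and the rules are loaded into it.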


News URL

https://go.theregister.com/feed/www.theregister.com/2020/11/03/oracle_weblogic_server_rce_patch/

Related Vulnerability

DATE: 2020-11-02
CVE: CVE-2020-14750
VULNERABILITY TITLE: Unspecified vulnerability in Oracle Fusion Middleware
DESCRIPTION: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console).
RISK: network, low complexity; vendor: oracle; score 7.5

DATE: 2020-10-21
CVE: CVE-2020-14882
VULNERABILITY TITLE: Unspecified vulnerability in Oracle Weblogic Server
DESCRIPTION: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console).
RISK: network, low complexity; vendor: oracle; critical, score 10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Oracle 973 1149 6156 1150 737 9192