Security News > 2020 > November > Oracle patches severe flaw in WebLogic Server that could be exploited 'without the need for a username and password'
The security alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server.
"This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password," Oracle said in a security alert.
Big Red said the patch should be applied to Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
"It affects the Weblogic server where the admin console is on the open internet which is extremely bad practice. you'd expose managed servers, not the admin server on the open internet."
He advised users not to allow WebLogic Console access via open internet and to use a proxy server as a gateway between WLS server and the internet, configuring WebLogic Connection filters to accept connections from trusted hosts only.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/11/03/oracle_weblogic_server_rce_patch/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-02 | CVE-2020-14750 | Unspecified vulnerability in Oracle Fusion Middleware Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). | 7.5 |
2020-10-21 | CVE-2020-14882 | Unspecified vulnerability in Oracle Weblogic Server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). | 10.0 |