Oracle rushes out emergency patch for flaw in WebLogic servers

News
By published

First patch could be bypassed by changing a single character in the PoC exploit code

Oracle
(Image credit: Future)

Oracle has released an emergency patch to address a vulnerability in its WebLogic servers after a previous patch could easily be bypassed by an attacker.

The original patch was released as part of the company's October 2020 security updates as a fix for a vulnerability, tracked as CVE-2020-14882, while the new patch, tracked as CVE-2020-14750, adds additional fixes.

If exploited, CVE-2020-14882 can allow an attacker to execute malicious code on one of Oracle's WebLogic servers with elevated privileges before its authentication kicks in. Unfortunately, this vulnerability can be easily exploited by sending a booby-trapped HTTP GET request to the management console of a WebLogic server.

Once Oracle released a patch for the vulnerability, proof-of-concept (PoC) exploit code was made public and cybercriminals have already started using it to launch attacks against vulnerable servers. In fact, the SANS Internet Storm Center (ISC) reported that attackers had already launched attacks against its WebLogic honeypots.

Patching a bad patch

Editor at Risky.Biz Brett Winterford provided further insight on what went wrong with Oracle's initial patch in a tweet, saying:

“Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). In Oracle's rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by ... wait for it... changing the case of a character in their request.”

This means that the original patch for CVE-2020-14882 could be bypassed by an attacker simply by changing the case of a single character in the PoC exploit. Once WebLogic servers began being attacked in the wild, Oracle issued a second set of patches to address the vulnerability once and for all.

Organizations running WebLogic servers should install the second patch to protect their devices from both the original vulnerability and its bypass.

Via ZDNet

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.