Oracle has released an emergency patch to address a vulnerability in its WebLogic servers (opens in new tab) after a previous patch could easily be bypassed by an attacker.
The original patch was released as part of the company's October 2020 security updates (opens in new tab) as a fix for a vulnerability, tracked as CVE-2020-14882 (opens in new tab), while the new patch, tracked as CVE-2020-14750 (opens in new tab), adds additional fixes.
If exploited, CVE-2020-14882 can allow an attacker to execute malicious code on one of Oracle's WebLogic servers with elevated privileges before its authentication kicks in. Unfortunately, this vulnerability can be easily exploited by sending a booby-trapped HTTP GET request to the management console of a WebLogic server.
- We've assembled a list of the best antivirus (opens in new tab) software on the market
- Keep your devices virus free with the best malware removal (opens in new tab) software
- Also check out our roundup of the best ransomware protection (opens in new tab)
Once Oracle released a patch for the vulnerability, proof-of-concept (PoC) exploit code was made public and cybercriminals have already started using it to launch attacks against vulnerable servers. In fact, the SANS Internet Storm Center (ISC) reported that attackers had already launched attacks (opens in new tab) against its WebLogic honeypots (opens in new tab).
Patching a bad patch
Editor at Risky.Biz Brett Winterford provided further insight on what went wrong with Oracle's initial patch in a tweet (opens in new tab), saying:
“Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). In Oracle's rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by ... wait for it... changing the case of a character in their request.”
This means that the original patch for CVE-2020-14882 could be bypassed by an attacker simply by changing the case of a single character in the PoC exploit. Once WebLogic servers began being attacked in the wild, Oracle (opens in new tab) issued a second set of patches to address the vulnerability once and for all.
Organizations running WebLogic servers should install the second patch to protect their devices from both the original vulnerability and its bypass.
- We've also highlighted the best small business servers (opens in new tab)
Via ZDNet (opens in new tab)