Oracle has addressed a critical Remote Code Execution (RCE) vulnerability in a rare out-of-band patch covering numerous versions of Oracle WebLogic Server. The vulnerability is assigned CVE-2020-14750, has a CVSS base score of 9.8 out of 10, and is remotely exploitable without any authentication or user interaction. According to Eric Maurice, director of security assurance at Oracle, in a Sunday advisory:
Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update
CVE-2020-14750 Details:
Specific details of the vulnerability were not disclosed. Oracle's alert states that the flaw exists in the console component of Oracle WebLogic Server and can be easily exploited over HTTP. Oracle said this vulnerability is related to CVE-2020-14882, a similar remote code execution flaw in the same console component that can be exploited via a single crafted HTTP request.
As per the Oracle Security Alert Advisory,
It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle rates the attack complexity of this critical vulnerability as "low": exploitation requires no user interaction and no privileges. The vulnerability tracked as CVE-2020-14750 was addressed in Sunday's Oracle advisory, and researchers believe it to be a bypass of the fix for CVE-2020-14882.
A bypass of the CVE-2020-14882 patch is already being shared on the internet.
The original patch adds an IllegalUrl blocklist that is easily bypassed by simply changing the case of the input string or using various forms of double encoding. As per Rapid7 researchers, the details of the code that changed are given below.
In the latest patch, the developer has replaced the blocklist with an allowlist, which appears to be a sound approach.
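To show why the allowlist approach holds up where the blocklist does not, the following added example (not code from Oracle, Rapid7 or this post) contrasts the two filter styles on a request path. The restricted segment "internal" and the permitted resources under /console/ are constructed assumptions for illustration, not WebLogic's actual paths.

```python
import re
from urllib.parse import unquote

# Constructed example of a substring blocklist applied to the raw, undecoded
# request path. "internal" is a hypothetical restricted segment.
BLOCKED_SEGMENTS = ("internal",)

def blocklist_allows(raw_path: str) -> bool:
    """Weak filter: only catches exact-case, un-encoded matches."""
    return not any(seg in raw_path for seg in BLOCKED_SEGMENTS)

# Hardened filter: canonicalise first (undo repeated percent-encoding, fold
# case, collapse dot segments), then accept only known-good resources.
ALLOWED = re.compile(r"^/console/(login|index)\.html$")  # hypothetical allowlist

def canonicalize(raw_path: str) -> str:
    path = raw_path
    for _ in range(3):                  # undo double/triple percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.lower()                 # case changes no longer matter
    parts = []
    for seg in path.split("/"):         # resolve "." and ".." segments
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def allowlist_allows(raw_path: str) -> bool:
    """Strong filter: anything not on the allowlist is rejected."""
    return ALLOWED.fullmatch(canonicalize(raw_path)) is not None

def evaluate(raw_path: str) -> dict:
    """Return both verdicts so the two filters can be compared side by side."""
    return {"blocklist": blocklist_allows(raw_path),
            "allowlist": allowlist_allows(raw_path)}

if __name__ == "__main__":
    # Constructed inputs: a plain request, an upper-cased one, a double-encoded one.
    for p in ("/internal/config", "/INTERNAL/config", "/%2569nternal/config"):
        print(p, evaluate(p))
```

The upper-cased and double-encoded inputs slip past the blocklist but are still rejected by the allowlist, because the decision is made on the canonical form against a fixed set of expected paths.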
We urge users of Oracle WebLogic Server to update their servers at the earliest.
Affected Oracle WebLogic Versions:
This issue allows attackers to execute arbitrary code on the affected system.
SanerNow security content has been published to detect this vulnerability. Oracle has already released a security update this month; these patches are available only to Oracle customers. Please download the patch from the Oracle portal and install it. SanerNow's software deployment capability can be used to install the executables/scripts.