Oracle WebLogic Server vulnerability being exploited

4:15pm, 30 October 2020

TLP Rating: Clear

Update 4 November: Oracle has released a patch for CVE-2020-14750, which is an additional fix to the original October patch addressing the CVE-2020-14882 vulnerability covered in this advisory. CVE-2020-14750 is also exploitable from a single GET request and leads to remote code execution. The patch for CVE-2020-14750 is not cumulative, so you must first install the patch for CVE-2020-14882.

Oracle’s Security Alert Advisory is available here.

--

CERT NZ is aware of a critical vulnerability in the Oracle WebLogic Server being actively exploited. The vulnerability, CVE-2020-14882, is remotely exploitable without authentication.

Oracle has released a patch to mitigate this vulnerability. There are conflicting reports about the patch’s effectiveness, so CERT NZ recommends patching as well as implementing further defence-in-depth mitigations.

What's happening

Systems affected

Oracle has stated the vulnerability affects users of WebLogic Server versions:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0
  • 12.2.1.4.0
  • 14.1.1.0.0

What this means

This vulnerability is exploitable from a single HTTP GET request, which allows for arbitrary commands to be executed in the security context of the WebLogic server.

Attackers are able to exploit these vulnerabilities to run their own code. Previously, similar vulnerabilities have been used to run mining software for cryptocurrency or deploy ransomware.

What to look for

How to tell if you're at risk

You are affected by this vulnerability if you are using WebLogic Server versions:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0
  • 12.2.1.4.0
  • 14.1.1.0.0

What to do

Prevention

Make sure you are using a supported WebLogic server and immediately apply the patches released by Oracle.

In addition to patching, CERT NZ recommends you take additional measures, including:

  • planning for out-of-cycle patches
  • engaging with Oracle about upcoming patches
  • monitoring effectiveness of patches and future bypasses
  • implementing defence-in-depth processes such as web app firewalls, and any other controls relevant to your network.

Mitigation

Implement the patches released by Oracle immediately.

If you are running an unsupported version, Oracle recommends upgrading to a supported version as soon as possible.

Operating system controls such as SELinux or AppArmor could be used to mitigate the impact of an attack. When correctly implemented, these controls limit the resources that the affected process has access to.

More information

Oracle’s advisory containing the CVE-2020-14882 vulnerability

CERT NZ's Top 10 Critical Controls 2020

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.