Oracle Releases Emergency Patch for Critical WebLogic Bug

Oracle last week patched over 400 vulnerabilities in its products. Among those fixes was an emergency patch for a critical bug in Oracle WebLogic, CVE-2020-14882, which scored 9.8 out of 10 on the CVSS vulnerability rating scale.

The vulnerability affects Oracle WebLogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0 and allows vulnerable systems to be compromised with a single HTTP GET request. Since the problem is extremely easy to exploit, PoC exploits have already appeared online, and experts warned that attackers had already begun using the vulnerability.

We wrote that honeypots (decoy systems) set up by experts from the SANS Institute had already recorded the first attacks on the vulnerability, after an exploit for CVE-2020-14882 appeared publicly.

“Just about a week ago, as part of a massive quarterly “Critical Patch Update” (aka “CPU”), Oracle patched CVE-2020-14882 in WebLogic. Oracle at the time assigned it a CVSS score of 9.8. We are now seeing active exploitation of the vulnerability against our honeypot after PoC exploits had been published”, according to the researchers from the SANS Institute.

Now Oracle engineers have been forced to issue an emergency “patch for the patch”, because it turned out that the fix for CVE-2020-14882 could easily be bypassed.

The bypass of the patch got its own CVE ID (CVE-2020-14750). According to Adam Boileau, chief security consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed by simply changing the case of one character in the available exploit.

This was confirmed by technology journalist and former iTnews Group Editor Brett Winterford.

“Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). So wait, now there’s two bugs in the WebLogic console (CVE-2020-14882 and CVE-2020-14750), both get you RCE and affect the same versions? In Oracle’s rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request”, wrote Brett Winterford.
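The failure mode Winterford describes, a denylist of traversal spellings that a change of character case slips past, is illustrated below with an added example that is not part of the original article and makes no claim about WebLogic's actual patch or request paths. The paths, the `DENYLIST` and the `/app/static/` prefix are all constructed; the hardened check canonicalizes (repeated percent-decoding, then `normpath`) and allowlists the served directory instead of matching strings.

```python
import posixpath
import urllib.parse

# Constructed sample request paths (not WebLogic exploit paths): the same
# traversal attempt spelled with upper-case, lower-case and double encoding,
# plus one legitimate request.
SAMPLE_PATHS = [
    "/app/static/..%2Fadmin/config",
    "/app/static/..%2fadmin/config",
    "/app/static/%2e%2e/admin/config",
    "/app/static/%252E%252E/admin/config",
    "/app/static/logo.png",
]

# Hypothetical case-sensitive denylist in the spirit of a rushed fix: it
# only recognises the exact spellings it was written against.
DENYLIST = ("../", "..%2F", "%2E%2E/")


def naive_blocks(path: str) -> bool:
    """Return True if the raw request path contains a denylisted token."""
    return any(token in path for token in DENYLIST)


def canonicalize(path: str) -> str:
    """Percent-decode until stable (defeats double encoding and any hex
    case), then collapse '.' and '..' segments so traversal is resolved
    structurally rather than matched as text."""
    decoded = path
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded)


def hardened_blocks(path: str, allowed_prefix: str = "/app/static/") -> bool:
    """Decide on the canonical path and allowlist the directory the handler
    may serve; anything that resolves outside it is refused."""
    return not canonicalize(path).startswith(allowed_prefix)


def compare(paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to (blocked_by_naive, blocked_by_hardened)."""
    return {p: (naive_blocks(p), hardened_blocks(p)) for p in paths}


if __name__ == "__main__":
    for p, (naive, hard) in compare().items():
        print(f"{p:45} naive={naive!s:5} hardened={hard}")
```

Only the first sample trips the denylist; the lower-case and double-encoded variants pass it untouched, while the canonicalizing check refuses all four traversal attempts and still admits the legitimate file.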

Let me remind you that, according to Spyse analysts, more than 3000 Oracle WebLogic servers are still exposed online and potentially vulnerable to CVE-2020-14882 and CVE-2020-14750.

As a reminder, another Oracle WebLogic exploit was also popular among attackers last year.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
