We have already reported that honeypots (purpose-built decoy systems) run by SANS Institute experts detected the first attacks on this vulnerability, since an exploit for CVE-2020-14882 had recently appeared in the public domain.
“Just about a week ago, as part of a massive quarterly ‘Critical Patch Update’ (aka ‘CPU’), Oracle patched CVE-2020-14882 in WebLogic. Oracle at the time assigned it a CVSS score of 9.8. We are now seeing active exploitation of the vulnerability against our honeypot after PoC exploits had been published,” the SANS Institute researchers wrote.
Now Oracle engineers have been forced to issue an emergency “patch for the patch” after it turned out that the fix for CVE-2020-14882 could be easily bypassed.
The patch bypass received its own CVE ID (CVE-2020-14750). According to Adam Boileau, chief security consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed simply by changing the case of a single character in the publicly available exploit.
This was confirmed by technology journalist Brett Winterford, former iTnews Group Editor.
“Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). So wait, now there’s two bugs in the WebLogic console (CVE-2020-14882 and CVE-2020-14750), both get you RCE and affect the same versions? In Oracle’s rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request,” Brett Winterford wrote.
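The failure mode described above, a case-sensitive deny-list for path traversal, is illustrated by the following added example (not code from the article, Oracle, or WebLogic). It contrasts a constructed naive blacklist with a check that canonicalizes the request path (bounded percent-decoding, case folding, dot-segment resolution) before applying an allow-list; the `/static/` prefix and all sample paths are constructed for the demonstration and go slightly beyond the article by also covering double encoding.

```python
import posixpath
from urllib.parse import unquote

# Constructed deny-list in the spirit of the rushed fix the article describes:
# literal spellings of a traversal sequence, compared case-sensitively.
NAIVE_BLACKLIST = ("../", "%2e%2e/")


def naive_is_blocked(path: str) -> bool:
    """Deny-list check: only rejects the exact spellings it was given."""
    return any(bad in path for bad in NAIVE_BLACKLIST)


def canonicalize(path: str, max_decodes: int = 3) -> str:
    """Reduce a request path to one canonical form before any policy check.

    1. Percent-decode repeatedly (bounded, so %25-nested encodings unwrap).
    2. Case-fold, so hex digits and letters in the path compare equally.
    3. Resolve '.' and '..' segments against a single leading '/'.
    """
    decoded = path
    for _ in range(max_decodes):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    folded = decoded.lower()
    # lstrip avoids posixpath keeping a leading '//' as significant
    return posixpath.normpath("/" + folded.lstrip("/"))


def hardened_is_allowed(path: str, allowed_prefix: str) -> bool:
    """Allow-list check on the canonical path (hypothetical prefix policy)."""
    canon = canonicalize(path)
    root = allowed_prefix.rstrip("/")
    return canon == root or canon.startswith(root + "/")


# Constructed sample requests: a benign one, a plain traversal, the same
# traversal with the encoding's letter case changed, and a double-encoded one.
SAMPLE_PATHS = [
    "/static/img/logo.png",
    "/static/../admin/x",
    "/static/%2E%2E/admin/x",
    "/static/%252e%252e/admin/x",
]


def compare(paths=SAMPLE_PATHS, prefix="/static/"):
    """Return {path: (naive_blocked, hardened_allowed)} for each sample."""
    return {p: (naive_is_blocked(p), hardened_is_allowed(p, prefix)) for p in paths}
```

Only the plain `../` spelling trips the naive deny-list; the case-changed and double-encoded variants slip past it, while the canonicalizing allow-list rejects all three traversals and accepts only the benign path.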
Let me remind you that, according to Spyse analysts, more than 3000 Oracle WebLogic servers are still reachable from the internet and potentially vulnerable to CVE-2020-14882 and CVE-2020-14750.
As a reminder, another Oracle WebLogic exploit was also popular among attackers last year.