Oracle has released an out-of-band security update to resolve a critical remote code execution vulnerability (CVE-2020-14750) affecting multiple versions of Oracle WebLogic Server.

Tracked as CVE-2020-14750 and carrying a CVSS score of 9.8, the vulnerability is related to CVE-2020-14882, a WebLogic Server bug addressed in the October 2020 Critical Patch Update (CPU) that was considered very easy to exploit.

In fact, attacks targeting CVE-2020-14882 were reported last week, shortly after proof-of-concept code was released by a Vietnamese researcher.

Oracle credits 20 security advisory organizations and individuals with having provided input that enabled the company to patch up CVE-2020-14750.

The vulnerability can be exploited over HTTP by unauthenticated attackers, without any user interaction.

“It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” reads the advisory published by Oracle.

The company has declined to share further details about the vulnerability, but warns that exploit code targeting it is already available online.

“Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle notes.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already released an alert advising administrators to apply the necessary updates.
