Oracle has released an emergency patch for a trivially exploited vulnerability in its WebLogic Server product, a bug that is closely tied to a second vulnerability in WebLogic that has been actively exploited for several weeks now.
The newly patched flaw is CVE-2020-14750 and it can allow an unauthenticated remote attacker to gain control of a vulnerable instance of WebLogic, Oracle’s application server. Oracle warned that enterprises should apply the fix as quickly as possible, given that there is exploit code available for it already.
“This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” the Oracle advisory says.
CVE-2020-14882 is a similar bug that Oracle patched in its October security update release and that is known to be under active attack. Security researchers began seeing attacks against that vulnerability at the end of October, and many of the attacks were using exploit code that had been published a few days earlier by a researcher in Vietnam. Both CVE-2020-14882 and CVE-2020-14750 allow remote code execution and neither one requires authentication, making them easy targets for attackers.
“Due to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds,” Bob Rudis, chief data scientist at Rapid7, said in a post on CVE-2020-14882.
“Organizations running Oracle WebLogic Server should patch as quickly as possible. Those that are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well advised to break that cycle in favor of patching as soon as they can.”
The same advice holds true for organizations vulnerable to CVE-2020-14750, which affects versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0, and 126.96.36.199.0 of Oracle WebLogic.