Two critical vulnerabilities identified in Oracle WebLogic Server may allow attackers to take complete control of the server. Oracle released patches for these vulnerabilities in October 2020 and advised users to install the latest security updates without any delay. Invicti has also released an update for Invicti Standard and Enterprise so you can check whether these critical vulnerabilities affect your server.
Oracle WebLogic Server is an application server for developing, deploying, and running enterprise applications using Java Platform Enterprise Edition (Java EE). As it is a leading industry solution, WebLogic Server installations are often attacked for various reasons, such as mining cryptocurrency. Oracle regularly releases updates to patch any identified vulnerabilities in WebLogic Server. In October 2020, the company released a critical patch update to address two critical WebLogic Server vulnerabilities: CVE-2020-14882 and CVE-2020-14883.
Dangerous and Easily Exploitable
CVE-2020-14882 is a remote code execution weakness in the Console component of Oracle WebLogic servers. A dangerous and easily exploitable vulnerability, the weakness allows an unauthenticated attacker with network access via HTTP to compromise the Oracle WebLogic Server. Successful exploitation can result in takeover of Oracle WebLogic Server. The vulnerability affects the console component of Oracle WebLogic Server versions 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0, and 126.96.36.199.0.
To exploit CVE-2020-14882, an attacker just needs to send an HTTP GET request to the WebLogic Server management console. As of October 28th, a search on Spyse showed more than 3,300 WebLogic servers exposed online and regarded as vulnerable to CVE-2020-14882.
CVE-2020-14883 is another dangerous and easily exploitable vulnerability that allows a high-privileged attacker with network access via HTTP to compromise the Oracle WebLogic Server. Successful exploitation can result in takeover of Oracle WebLogic Server. Affected versions are 10.3.6.0.0, 188.8.131.52.0, 184.108.40.206.0, 220.127.116.11.0, and 18.104.22.168.0.
Out-of-Band Security Update
Following the October updates, it was assumed that CVE-2020-14882 had been patched. However, it turned out that the update did not really patch the vulnerability: security researchers and social media users pointed out that attackers were still exploiting it. Oracle therefore issued an out-of-band security update to address the vulnerability. The vulnerability is tracked as CVE-2020-14750 and received a severity base score of 9.8 out of 10 from Oracle.
Users and administrators are advised to install the latest security updates without any delay.
Scan Your Web Application Automatically
The latest version of the Invicti web application security scanner will automatically identify whether your web application is affected by these vulnerabilities in Oracle WebLogic Server.
When Invicti identifies these dangerous issues, it also automatically confirms them, thereby ensuring they are not false positives. Invicti also allows users to manually exploit the vulnerability.
Updating Invicti Web Application Security Scanner
If you are using Invicti Standard, it automatically checks for updates when launched and prompts you to download the latest update. Alternatively, launch the program and click Check for Updates from the Help drop-down menu.
Invicti Enterprise is updated automatically, so you do not have to perform any manual update steps.