Warning: Critical Oracle WebLogic flaw actively targeted in attacks, CVE-2020-14750 CVSS 9.8 RCE
CVE-2020-14750 - 9.8 CVSS V3(CRITICAL)
Sources
https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
http://www.oracle.com/index.html
Risks
Successful exploitation of this flaw could allow an unauthenticated attacker to execute arbitrary code resulting in a complete compromise of the vulnerable system
Description
The remote code execution (RCE) vulnerability in Oracle WebLogic Server assigned CVE-2020-14750 allows a remote attacker to execute arbitrary code on the target system.
According to the vendor, this vulnerability is related to CVE-2020-14882, which was patched in October 2020 and allows a remote attacker to fully compromise an Oracle WebLogic Server without a username and password via a single HTTP GET request.
This vulnerability exists due to improper input validation: a remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Recommended Actions
CERT.be recommends that system administrators install the latest updates released by the vendor for the affected versions: https://www.oracle.com/security-alerts/cpuoct2020.html
References
https://www.oracle.com/security-alerts/cpuoct2020.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750