
Oracle publishes rare out-of-band security update for WebLogic servers


Oracle published on Sunday a rare out-of-band security update to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic servers that is currently being actively exploited in real-world attacks.

The new patch (tracked as CVE-2020-14750) adds additional fixes to a first bug (tracked as CVE-2020-14882), originally patched with Oracle’s standard quarterly October 2020 security updates.

CVE-2020-14882 is a dangerous vulnerability that allows attackers to execute malicious code on an Oracle WebLogic server with elevated privileges before the server’s authentication kicks in.

To exploit CVE-2020-14882, an attacker only needs to send a booby-trapped HTTP GET request to the WebLogic server’s management console.

Since exploitation is trivial, proof-of-concept (PoC) exploit code was made public within days of the initial Oracle patch.

As has happened many times before, these PoCs were quickly adopted by threat actor groups, and last week SANS ISC reported attacks against WebLogic honeypots.

But even patched systems were not considered safe.

According to Adam Boileau, Principal Security Consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed if attackers changed the case of a single character in the standard POC exploit.
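The bypass described above is the classic failure of matching a request against a rule without first canonicalizing it. The following is an added example, not code from the article or from Oracle: the deny rule, the `/example-blocked/` segment and the log lines are constructed, since the article does not state which string the original fix matched on. It contrasts a naive case-sensitive check with one that decodes and case-folds the path before comparing.

```python
"""Added example: naive vs. canonicalized request-path matching.
All rule strings and log lines below are constructed for illustration."""
from urllib.parse import unquote

# Hypothetical deny rule for a pre-authentication console request.
# Constructed value; not the string Oracle's fix checked.
BLOCKED_SEGMENT = "/example-blocked/"

def naive_blocked(path: str) -> bool:
    """Case-sensitive, no decoding: a one-character case change slips past."""
    return BLOCKED_SEGMENT in path

def canonicalize(path: str) -> str:
    """Percent-decode until stable, fold case, collapse '//' and '/./'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = path.lower()
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    return path

def hardened_blocked(path: str) -> bool:
    """Normalize first, then compare, so case/encoding variants hit one rule."""
    return BLOCKED_SEGMENT.lower() in canonicalize(path)

# Constructed access-log lines (method and path only), not real traffic.
SAMPLE_REQUESTS = [
    "GET /console/login/LoginForm.jsp",          # ordinary console login page
    "GET /console/example-blocked/x.portal",      # matches the rule as written
    "GET /console/Example-Blocked/x.portal",      # one-character case change
    "GET /console/%65xample-blocked/x.portal",    # percent-encoded first letter
]

def evaluate(requests: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each request path to (naive_result, hardened_result)."""
    results = {}
    for line in requests:
        path = line.split(" ", 1)[1]
        results[path] = (naive_blocked(path), hardened_blocked(path))
    return results

if __name__ == "__main__":
    for path, (naive, hardened) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{path:42} naive={naive!s:5} hardened={hardened}")
```

Running it shows the naive check catching only the exact-case request, while the canonicalized check also catches the case-changed and percent-encoded variants.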

The recent attacks and the bypass of the original patch are what drove Oracle to issue a second set of patches on Sunday, in a rare out-of-band security update.

Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch to protect from both the original CVE-2020-14882 exploit and its bypass.

According to security firm Spyse, more than 3,300 WebLogic servers are currently exposed online and considered to be vulnerable to the original CVE-2020-14882 vulnerability.


Source: ZDNet
