On Sunday, Oracle published a rare out-of-band security update to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic servers that is currently being exploited in real-world attacks.
The new patch (tracked as CVE-2020-14750) adds further fixes for an earlier bug (tracked as CVE-2020-14882), originally patched in Oracle's standard quarterly October 2020 security update.
CVE-2020-14882 is a dangerous vulnerability that allows attackers to execute malicious code on an Oracle WebLogic server with elevated privileges before the server’s authentication kicks in.
To exploit CVE-2020-14882, an attacker only needs to send a booby-trapped HTTP GET request to the WebLogic server’s management console.
Since exploitation is trivial, proof-of-concept (PoC) exploit code was made public within days of the initial Oracle patch [1, 2, 3, 4, 5].
As has happened many times before, these PoCs were quickly adopted by threat actor groups, and last week SANS ISC reported attacks against WebLogic honeypots.
But even patched systems were not considered safe.
According to Adam Boileau, Principal Security Consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed if attackers changed the case of a single character in the standard PoC exploit.
In Oracle's rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by ... wait for it ... changing the case of a character in their request. https://t.co/fHWPkXCAlm
— Brett Winterford (@breditor) November 3, 2020
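The tweet above describes the general weakness behind the bypass: a blacklist that compares raw request paths byte-for-byte misses an encoding or case variant of the same traversal sequence. The following is an added example, not Oracle's code and not from the article, showing that weakness from the defender's side: a naive case-sensitive blacklist beside a log-review check that percent-decodes and lowercases the path before looking for a traversal segment. The access-log lines are constructed, and the request paths are hypothetical placeholders that do not reproduce any real WebLogic exploit.

```python
"""
Added example (not Oracle's code, not from the article): a case-sensitive
path-traversal blacklist beside a normalising log-review check.
Sample log lines are constructed; paths are hypothetical.
"""
import re
from urllib.parse import unquote

# Constructed "combined"-style access-log lines with hypothetical console paths.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512
10.0.0.9 - - [03/Nov/2020:10:00:07 +0000] "GET /console/images/%2e%2e/admin/page HTTP/1.1" 403 0
10.0.0.9 - - [03/Nov/2020:10:00:09 +0000] "GET /console/images/%2E%2E/admin/page HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The fragile approach: literal tokens matched against the raw path exactly as sent.
NAIVE_BLACKLIST = ("../", "%2e%2e/")


def naive_blacklist_hit(raw_path: str) -> bool:
    """Case-sensitive substring blacklist; an uppercase %2E variant slips past it."""
    return any(token in raw_path for token in NAIVE_BLACKLIST)


def normalize_path(raw_path: str) -> str:
    """Percent-decode until stable (bounded), then lowercase, so that encoding and
    case variants of the same bytes compare equal before any pattern is applied."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def traversal_hit(raw_path: str) -> bool:
    """Flag a '..' path segment in the normalised form of the request path."""
    return TRAVERSAL_SEGMENT.search(normalize_path(raw_path)) is not None


def review_log(log_text: str) -> list:
    """Parse each log line and record both checks plus the server's response code."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path")
        findings.append({
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            "naive_hit": naive_blacklist_hit(path),
            "normalized_hit": traversal_hit(path),
        })
    return findings


def missed_by_naive(log_text: str) -> list:
    """Requests the normalising check flags but the raw blacklist would have passed."""
    return [f for f in review_log(log_text)
            if f["normalized_hit"] and not f["naive_hit"]]


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
    print("missed by naive blacklist:", missed_by_naive(SAMPLE_LOG))
```

Running this over the constructed log shows the lowercase `%2e%2e` request caught by both checks (and refused with a 403), while the `%2E%2E` variant passes the naive blacklist and is answered with a 200, yet is still flagged once the path is normalised. The order matters: decode and canonicalise first, match second, which is the same reason a server-side filter should be applied to the canonical path rather than to the raw request.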
The recent attacks and the bypass of the original patch are what drove Oracle to issue a second set of patches on Sunday, in a rare out-of-band security update.
Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch to protect against both the original CVE-2020-14882 exploit and its bypass.
According to security firm Spyse, more than 3,300 WebLogic servers are currently exposed online and considered to be vulnerable to the original CVE-2020-14882 vulnerability.