Oracle has issued an out-of-band update to address a critical vulnerability affecting Oracle WebLogic servers. The flaw, tracked as CVE-2020-14750, is related to another WebLogic vulnerability (CVE-2020-14882) patched as part of the October 2020 Critical Patch Update (CPU), which is already being targeted by cybercriminals.
CVE-2020-14750 affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, and can be exploited remotely without user interaction.
“This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle revealed.
Oracle did not explain exactly how CVE-2020-14750 and CVE-2020-14882 are linked, but it is possible that the release of the emergency patch is related to a recently discovered bypass of the CVE-2020-14882 patch.
Due to the severity of the vulnerability, Oracle urges organizations to apply the updates as soon as possible. The Cybersecurity and Infrastructure Security Agency (CISA) has also recommended that users and administrators patch systems against CVE-2020-14750 to prevent future attacks.