Headline
CVE-2020-14750: Oracle Security Alert - CVE-2020-14750
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- Click to view our Accessibility Policy
- Skip to content
Description
This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Affected Products and Patch Information
Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column.
Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
Security Alert Supported Products and Versions
Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- English text version of the risk matrices
- CVRF XML version of the risk matrices
- Map of CVE to Advisory/Alert
- Software Error Correction Support Policy
- Oracle Lifetime support Policy
- JEP 290 Reference Blocklist Filter
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:
- 360QUAKE TEAM: CVE-2020-14750
- Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp): CVE-2020-14750
- codeplutos of AntGroup FG Security Lab: CVE-2020-14750
- f1v3 jacky: CVE-2020-14750
- Hoang Quoc Thinh of RedTeam (VNG Corp): CVE-2020-14750
- Huang Xiaopeng of 360CERT at QiHu360: CVE-2020-14750
- icez of Tophant Competence Center: CVE-2020-14750
- Jacky Xing of Dbappsecurity Team: CVE-2020-14750
- Maoxin Lin of Dbappsecurity Team: CVE-2020-14750
- mayoterry of Qingteng 73Lab Security Team: CVE-2020-14750
- ph4nt0mer: CVE-2020-14750
- r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14750
- Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14750
- tcc: CVE-2020-14750
- Tonghua Root: CVE-2020-14750
- voidfyoo of Chaitin Security Research Lab: CVE-2020-14750
- Xianglai Liu of Dbappsecurity Team: CVE-2020-14750
- Yu Wang of BMH Security Team: CVE-2020-14750
- Yuxuan Chen: CVE-2020-14750
- Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14750
Modification History
Date
Note
2020-November-6
Rev 2. Credit update.
2020-November-1
Rev 1. Initial Release.
Oracle Fusion Middleware Risk Matrix
This Security Alert contains 1 new security patch for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Security Alert CVE-2020-14750 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Security Alert CVE-2020-14750 Patch Availability Document for Oracle Products, My Oracle Support Note 2724951.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14750
Oracle WebLogic Server
Console
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
News
Oracle CloudWorld
Oracle Supports Ukraine
Oracle Red Bull Racing
Oracle Sustainability
Employee Experience Platform
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube
Related news
By Deeba Ahmed The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. This is a post from HackRead.com Read the original post: 8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated
A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023. “Persistence is achieved via timed processors or entries to cron,” said Dr.
The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.
Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. Cybersecurity company Trend Micro said it found the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).