On Sunday, Oracle published a rare out-of-band security update to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic servers that is being actively exploited in real-world attacks.
The new patch (tracked as CVE-2020-14750[1]) adds further fixes on top of the patch for an earlier bug (tracked as CVE-2020-14882[2]), originally addressed in Oracle's standard quarterly October 2020 security updates[3].
CVE-2020-14882 is a dangerous vulnerability that allows attackers to execute malicious code on an Oracle WebLogic server with elevated privileges before the server's authentication kicks in.
To exploit CVE-2020-14882, an attacker only needs to send a booby-trapped HTTP GET request to the WebLogic server's management console.
Since exploitation is trivial, proof-of-concept (PoC) exploit code was made public within days of the initial Oracle patch [1, 2, 3, 4, 5].
As has happened many times before, these PoCs were quickly adopted by threat actor groups, and last week SANS ISC reported attacks[4] against WebLogic honeypots.
But even patched systems were not considered safe.
According to Adam Boileau, Principal Security Consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed if attackers changed the case of a single character in the standard PoC exploit.
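The case-change bypass above is a reminder that any request filter or detection rule that matches the console path literally will miss trivial variants. The following added example (not code from the article or from Oracle) triages web-server log lines for management-console requests after normalising case and percent-encoding; it assumes the console is served under WebLogic's default /console path, common-log-format lines with a quoted request line, and a known set of trusted admin source addresses. The log lines are constructed.

```python
import re
from urllib.parse import unquote

TRUSTED_ADMIN_SOURCES = {"10.0.0.5"}  # assumption: the admin jump host
CONSOLE_PREFIX = "/console"           # WebLogic's default console path

# Common log format: src ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode until the path stops
    changing (bounded, so double-encoding is handled) and lower-case it,
    so that mixed-case or encoded variants of a path compare equal."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped, not silently trusted
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["target"])
    return rec


def flag_console_access(lines):
    """Return (src, method, normalized_path, status) for every console
    request that did not originate from a trusted admin source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CONSOLE_PREFIX):
            continue
        if rec["src"] in TRUSTED_ADMIN_SOURCES:
            continue
        hits.append((rec["src"], rec["method"], rec["path"], rec["status"]))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [01/Nov/2020:10:00:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200',
    '203.0.113.9 - - [01/Nov/2020:10:01:00 +0000] "GET /Console/ HTTP/1.1" 302',
    '203.0.113.9 - - [01/Nov/2020:10:01:05 +0000] "GET /%63onsole/ HTTP/1.1" 200',
    '198.51.100.4 - - [01/Nov/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200',
]
```

Run over SAMPLE_LOG, the two mixed-case and percent-encoded console requests from 203.0.113.9 are reported, while the trusted admin host and the unrelated page are not.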
The recent attacks and the bypass of the original patch are what drove Oracle to issue a second set of patches on Sunday, in a rare out-of-band security update[5].
Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch to protect from both the original CVE-2020-14882 exploit and its bypass.
According to security firm Spyse, more than 3,300 WebLogic servers[6] are currently exposed online and considered to be vulnerable to the original CVE-2020-14882 vulnerability.
Obligatory Simpsons meme: