Oracle rushes emergency fix for critical web logic


By MYBRANDBOOK


Oracle rushes emergency fix for critical web logic

Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.

 

Additional fixes add that the original patch was released as part of the company's October 2020 security updates as a fix for vulnerability, tracked as CVE-2020-14882, while the new patch, tracked as CVE-2020-14750.

 

CVE-2020-14882, if exploited, can allow an attacker to execute malicious code on one of Oracle's WebLogic servers with elevated privileges before its authentication kicks in.

 

Though, this vulnerability can be easily exploited by sending a booby-trapped HTTP GET request to the management console of a WebLogic server.

 

Once Oracle released a patch for the vulnerability, proof-of-concept (PoC) exploit code was made public and cybercriminals have already started using it to launch attacks against vulnerable servers.

 

In fact, the SANS Internet Storm Center (ISC) reported that attackers had already launched attacks against its WebLogic honeypots.

 

“Oracle tried to fix the path traversal bug in the WebLogic console (CVE-14882) by introducing a patch that blacklisted path traversal. They had good reason to do it in a hurry (attacks already in the wild). In Oracle's rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by ... wait for it... changing the case of a character in their request,” said Brett Winterford, Editor at Risky. Biz in the tweet.

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org