Late last week, Oracle and researchers at the SANS Internet Storm Center (ISC) warned that attacks on the critical vulnerability CVE-2020-14882 in several versions of Oracle's WebLogic Server were likely imminent. Oracle had already published patches for it as part of its quarterly Critical Patch Update.
Oracle has now issued a separate Security Alert for a very similar critical vulnerability that the Critical Patch Update did not cover. According to the newly released Security Alert Advisory for CVE-2020-14750, the flaw is closely related to CVE-2020-14882. Given the identical severity rating (CVSS score 9.8, "Critical") and the fact that, according to the advisory, exploit code has reportedly been published on several websites, Oracle strongly recommends applying the available patches immediately.
Unauthenticated remote code execution
As with CVE-2020-14882, attackers can exploit CVE-2020-14750 over the network to execute code without prior authentication (unauthenticated Remote Code Execution). The affected versions are also identical: WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. The advisory gives no further technical details, so administrators should treat every installation running one of these versions as vulnerable until the patch has been applied.
For access to the patches, the advisory links to a "Patch Availability Document", which registered users can open with their Oracle account.
Notes on the “predecessor” CVE-2020-14882 can be found here:
(ovw)