Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
oracle weblogic server 12.1.3.0.0 |
||
oracle weblogic server 10.3.6.0.0 |
||
oracle weblogic server 12.2.1.3.0 |
||
oracle weblogic server 12.2.1.4.0 |
||
oracle weblogic server 14.1.1.0.0 |
D'oh! If only they'd seen bug before issuing those 402 other fixes If you haven't patched WebLogic server console flaws in the last eight days 'assume it has been compromised'
Oracle has released an emergency patch after a security vulnerability was revealed in its WebLogic middleware last week. The security alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. "This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password," Oracle said in a secu...
Stark warning from SANS' Johannes Ullrich - RCE's gonna GET 'ya How much does Oracle love you? Thiiiis much: Latest patch bundle has 402 fixes
Last week Oracle released one of its mammoth quarterly patch dumps - with 402 fixes. Well, it turns out that if you missed one and you're running WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, you've probably already been tagged by hackers. On Thursday Johannes Ullrich, Dean of Research at the SANS Technology Institute, spotted a massive spike in traffic on research "honeypot" systems as somebody tried to identify public-facing WebLogic servers that weren't patched again...