CVE-2020-14882: Weblogic Console Remote Code Execution Vulnerability (Patch Bypass) Alert

Recently, we detected that the latest patch for CVE-2020-14882, the Oracle WebLogic Console remote code execution vulnerability, can be bypassed. The vulnerability level is critical, with a CVSS 3.1 Base Score of 9.8. Oracle has released a fix for this vulnerability; however, even with the latest Oracle patch installed on WebLogic, remote attackers can still construct special HTTP requests to take over WebLogic Server without authentication.

A remote attacker can construct a special HTTP request to take over the WebLogic Server Console without authentication and execute arbitrary code in it.

Affected versions

Oracle Weblogic:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0
  • 12.2.1.4.0
  • 14.1.1.0.0

Solution

In this regard, we recommend that users temporarily block external access to the WebLogic administration console (/console/console.portal) until a fixed patch is available.
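The mitigation above is a network-level restriction, and a defender will want to confirm it actually holds. As an added example (not from this advisory, Oracle, or cnblogs), the following Python script scans an access log from WebLogic or a reverse proxy in front of it and flags every request to the console path that comes from an address outside an internal allowlist. The log lines, the allowlist CIDRs and the combined log format are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Assumed internal networks that are still allowed to reach the admin console.
# Replace with your own management ranges.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Path prefix of the WebLogic administration console named in the advisory.
CONSOLE_PREFIX = "/console/"

# Combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external clients.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1024',
    '203.0.113.7 - - [28/Oct/2020:10:00:05 +0000] "GET /console/console.portal HTTP/1.1" 200 2048',
    '203.0.113.7 - - [28/Oct/2020:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [28/Oct/2020:10:00:09 +0000] "POST /console/console.portal?x=1 HTTP/1.1" 302 0',
    'garbage line that does not parse',
]


def is_internal(client: str) -> bool:
    """True when the client address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        # Hostnames or malformed fields are treated as external, never trusted.
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def console_path(path: str) -> bool:
    """True when the request path (query string ignored) targets the console."""
    bare = path.split("?", 1)[0]
    return bare.lower().startswith(CONSOLE_PREFIX)


def find_external_console_access(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for console requests from outside the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        if console_path(m["path"]) and not is_internal(m["client"]):
            hits.append((m["client"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for client, path, status in find_external_console_access(SAMPLE_LOG):
        print(f"EXTERNAL CONSOLE ACCESS: {client} -> {path} (HTTP {status})")
```

A 200 or 302 on a console path from an external address means the restriction is not in place (or is being bypassed at the proxy layer); after blocking, the same scan should show only 403 or no hits at all. Run it over the full log retention window as well, since hits that predate the block indicate the console was reachable while the patch was bypassable.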
Via: cnblogs