CVE-2020-2555: Oracle’s WebLogic Server Remote Code Execution Vulnerability Alert

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation. Oracle acquired WebLogic Server when it purchased BEA Systems in 2008. In the Oracle Critical Patch Update Advisory – January 2020, Oracle officially fixed a high-risk vulnerability (CVE-2020-2555) that affect to Oracle Coherence library in Oracle WebLogic Server. Researchers show the vulnerability detail.

 

Affected version

  • Oracle Coherence 3.7.1.17
  • Oracle Coherence 12.1.3.0.0
  • Oracle Coherence 12.2.1.3.0
  • Oracle Coherence 12.2.1.4.0

Solution

Oracle releases the patch to fix this vulnerability. Users should upgrade Oracle Coherence as soon as possible. It is recommended that users using Weblogic turn off or disable the T3 protocol to avoid malicious attacks.