Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2020-14750 — Oracle WebLogic Remote Unauthenticated Remote Code Execution (RCE) Vulnerability

Disclosure Date: November 02, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Add Assessment

5
Ratings
Technical Analysis

CVE-2020-14750 appears to be the patch bypass for CVE-2020-14882. Please see CVE-2020-14882’s Rapid7 analysis for more information. The CVE-2020-14750 patch is reproduced below.

--- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 13:13:28.000000000 -0600
+++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 12:11:01.000000000 -0600
@@ -2,6 +2,7 @@
 
 import com.bea.netuix.servlets.manager.SingleFileServlet;
 import java.io.IOException;
+import java.util.List;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
@@ -20,8 +21,6 @@
   
   private static final long serialVersionUID = 1L;
   
-  private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" };
-  
   public static void initMBean() {
     MBeanUtilsInitializer.initMBeanAsynchronously();
   }
@@ -39,8 +38,9 @@
     if (req instanceof HttpServletRequest) {
       HttpServletRequest httpServletRequest = (HttpServletRequest)req;
       String url = httpServletRequest.getRequestURI();
-      for (int i = 0; i < IllegalUrl.length; i++) {
-        if (url.contains(IllegalUrl[i])) {
+      if (!ConsoleUtils.isUserAuthenticated(httpServletRequest))
+        throw new ServletException("User not authenticated."); 
+      if (!isValidUrl(url, httpServletRequest)) {
           if (resp instanceof HttpServletResponse) {
             LOG.error("Invalid request URL detected. ");
             HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
@@ -49,7 +49,6 @@
           return;
         } 
       } 
-    } 
     try {
       super.service(req, resp);
     } catch (IllegalStateException e) {
@@ -60,4 +59,15 @@
         LOG.debug(e); 
     } 
   }
+  
+  private boolean isValidUrl(String url, HttpServletRequest req) {
+    String consoleContextPath = ConsoleUtils.getConsoleContextPath();
+    List<String> portalList = ConsoleUtils.getConsolePortalList();
+    for (String portal : portalList) {
+      String tmp = "/" + consoleContextPath + portal;
+      if (url.equals(tmp))
+        return true; 
+    } 
+    return false;
+  }
 }
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • oracle

Products

  • fusion middleware 10.3.6.0,
  • fusion middleware 12.1.3.0,
  • fusion middleware 12.2.1.3.0,
  • fusion middleware 12.2.1.4.0,
  • fusion middleware 14.1.1.0.0
Technical Analysis