Very High
CVE-2020-14750 — Oracle WebLogic Remote Unauthenticated Remote Code Execution (RCE) Vulnerability
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-14750 — Oracle WebLogic Remote Unauthenticated Remote Code Execution (RCE) Vulnerability
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
CVE-2020-14750 appears to be the patch bypass for CVE-2020-14882. Please see CVE-2020-14882’s Rapid7 analysis for more information. The CVE-2020-14750 patch is reproduced below.
--- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 13:13:28.000000000 -0600 +++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 12:11:01.000000000 -0600 @@ -2,6 +2,7 @@ import com.bea.netuix.servlets.manager.SingleFileServlet; import java.io.IOException; +import java.util.List; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -20,8 +21,6 @@ private static final long serialVersionUID = 1L; - private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" }; - public static void initMBean() { MBeanUtilsInitializer.initMBeanAsynchronously(); } @@ -39,8 +38,9 @@ if (req instanceof HttpServletRequest) { HttpServletRequest httpServletRequest = (HttpServletRequest)req; String url = httpServletRequest.getRequestURI(); - for (int i = 0; i < IllegalUrl.length; i++) { - if (url.contains(IllegalUrl[i])) { + if (!ConsoleUtils.isUserAuthenticated(httpServletRequest)) + throw new ServletException("User not authenticated."); + if (!isValidUrl(url, httpServletRequest)) { if (resp instanceof HttpServletResponse) { LOG.error("Invalid request URL detected. "); HttpServletResponse httpServletResponse = (HttpServletResponse)resp; @@ -49,7 +49,6 @@ return; } } - } try { super.service(req, resp); } catch (IllegalStateException e) { @@ -60,4 +59,15 @@ LOG.debug(e); } } + + private boolean isValidUrl(String url, HttpServletRequest req) { + String consoleContextPath = ConsoleUtils.getConsoleContextPath(); + List<String> portalList = ConsoleUtils.getConsolePortalList(); + for (String portal : portalList) { + String tmp = "/" + consoleContextPath + portal; + if (url.equals(tmp)) + return true; + } + return false; + } }
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- oracle
Products
- fusion middleware 10.3.6.0,
- fusion middleware 12.1.3.0,
- fusion middleware 12.2.1.3.0,
- fusion middleware 12.2.1.4.0,
- fusion middleware 14.1.1.0.0
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://documents.trendmicro.com/assets/pdf/Technical-Brief---Tracking-CVE-2021-26084-and-Other-Server-based-Vulnerability-Exploits-via-Trend-Micro-Cloud-One-and-Trend-Micro-Vision-One.pdf)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: