CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
100.0%
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Recent assessments:
wvu-r7 at November 02, 2020 10:26pm UTC reported:
CVE-2020-14750 appears to be the patch bypass for CVE-2020-14882. Please see CVE-2020-14882’s Rapid7 analysis for more information. The CVE-2020-14750 patch is reproduced below.
--- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 13:13:28.000000000 -0600
+++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java 2020-11-02 12:11:01.000000000 -0600
@@ -2,6 +2,7 @@
import com.bea.netuix.servlets.manager.SingleFileServlet;
import java.io.IOException;
+import java.util.List;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
@@ -20,8 +21,6 @@
private static final long serialVersionUID = 1L;
- private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" };
-
public static void initMBean() {
MBeanUtilsInitializer.initMBeanAsynchronously();
}
@@ -39,8 +38,9 @@
if (req instanceof HttpServletRequest) {
HttpServletRequest httpServletRequest = (HttpServletRequest)req;
String url = httpServletRequest.getRequestURI();
- for (int i = 0; i < IllegalUrl.length; i++) {
- if (url.contains(IllegalUrl[i])) {
+ if (!ConsoleUtils.isUserAuthenticated(httpServletRequest))
+ throw new ServletException("User not authenticated.");
+ if (!isValidUrl(url, httpServletRequest)) {
if (resp instanceof HttpServletResponse) {
LOG.error("Invalid request URL detected. ");
HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
@@ -49,7 +49,6 @@
return;
}
}
- }
try {
super.service(req, resp);
} catch (IllegalStateException e) {
@@ -60,4 +59,15 @@
LOG.debug(e);
}
}
+
+ private boolean isValidUrl(String url, HttpServletRequest req) {
+ String consoleContextPath = ConsoleUtils.getConsoleContextPath();
+ List<String> portalList = ConsoleUtils.getConsolePortalList();
+ for (String portal : portalList) {
+ String tmp = "/" + consoleContextPath + portal;
+ if (url.equals(tmp))
+ return true;
+ }
+ return false;
+ }
}
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750
www.oracle.com/security-alerts/alert-cve-2020-14750.html
www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMWl
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
100.0%