PT-2020-4562 · Oracle · Oracle Weblogic Server

Codeplutos

Published

2020-10-21

Updated

2020-10-23

CVE-2020-14825

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0

Description The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via IIOP, T3 protocols to compromise the server. Successful attacks can result in the takeover of Oracle WebLogic Server.

Recommendations For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the IIOP and T3 protocols until a patch is available.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2020-05111

CVE-2020-14825

ZDI-20-1273

ZDI-20-1277

ZDI-20-1282

Affected Products

Oracle Weblogic Server

PT-2020-4562 · Oracle · Oracle Weblogic Server

CVE-2020-14825

Weakness Enumeration

Related Identifiers

Affected Products

References · 9