
WebLogic Remote Code Execution Vulnerabilities (CVE-2020-2551 and CVE-2020-2546)

Jan 17, 2020 GMT+08:00

I. Overview

Oracle's January 2020 Critical Patch Update disclosed several high-risk vulnerabilities, including two remote code execution (RCE) vulnerabilities in Oracle WebLogic Server: CVE-2020-2546 and CVE-2020-2551. CVE-2020-2546 is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via the T3 protocol to compromise Oracle WebLogic Server and execute arbitrary code. CVE-2020-2551 is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via the IIOP protocol to compromise Oracle WebLogic Server. Successful exploitation of either vulnerability can result in a full takeover of the WebLogic Server; Oracle rates both at CVSS 3.0 base score 9.8. Because T3 and IIOP are multiplexed on the same listen port as HTTP (7001 by default), any WebLogic listen port reachable from an untrusted network is exposed unless the protocols have been disabled or filtered.

WebLogic users should check whether their deployments expose T3 or IIOP to untrusted networks and apply the patch or the workaround below without delay.

Reference links:

https://www.oracle.com/security-alerts/cpujan2020.html

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected Versions (per the Oracle CPU risk matrix; CVE-2020-2546 applies to the first two, CVE-2020-2551 to all four):

WebLogic 10.3.6.0.0 (CVE-2020-2546, CVE-2020-2551)

WebLogic 12.1.3.0.0 (CVE-2020-2546, CVE-2020-2551)

WebLogic 12.2.1.3.0 (CVE-2020-2551)

WebLogic 12.2.1.4.0 (CVE-2020-2551)

IV. Vulnerability Handling

1. Patch upgrade: Both vulnerabilities are fixed by the January 2020 Critical Patch Update. Log in to https://support.oracle.com with a licensed account and download the patch that matches your WebLogic version.

2. Workaround: Disable or restrict the T3 and IIOP protocols until the patch can be applied. T3 can be restricted with a connection filter (weblogic.security.net.ConnectionFilterImpl) whose rules allow t3/t3s only from trusted addresses and deny it from everywhere else (for example, `127.0.0.1 * * allow t3 t3s` followed by `0.0.0.0/0 * * deny t3 t3s`); IIOP can be disabled per server in the administration console under Protocols > IIOP by unchecking "IIOP Enabled". Since both protocols share the HTTP listen port, a firewall rule on a separate port is not sufficient; the filter or setting has to be protocol-level. Be aware that blocking T3 also breaks legitimate T3 clients such as WLST and EJB/JMS clients, so allowlist the hosts that need it.

Note: Before applying the patch or the workaround, back up the domain configuration and test the change in a non-production environment.
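To support the self-check recommended above and to verify that the T3 workaround actually took effect, the following script is an added example (written for this notice, not Oracle's code): it sends the T3 client hello that an enabled WebLogic listen port answers with a `HELO:<version>` banner, parses that banner, and maps the reported version onto the affected-version list of this notice. The function and constant names are the example's own, and the sample banners used in the offline run are constructed; only `probe_t3()` touches the network. It checks T3 only; IIOP exposure has to be confirmed separately in the server's protocol settings.

```python
"""Offline-testable T3 exposure check for the WebLogic advisory (added example)."""
import socket

# Affected versions from the notice; CVE-2020-2546 (T3) applies to the first
# two, CVE-2020-2551 (IIOP) to all four, per the Oracle CPU risk matrix.
AFFECTED = {
    "10.3.6.0.0": ("CVE-2020-2546", "CVE-2020-2551"),
    "12.1.3.0.0": ("CVE-2020-2546", "CVE-2020-2551"),
    "12.2.1.3.0": ("CVE-2020-2551",),
    "12.2.1.4.0": ("CVE-2020-2551",),
}


def build_t3_hello(client_version="12.2.1"):
    """T3 client hello: protocol tag and version, two header fields, blank line."""
    return "t3 {}\nAS:255\nHL:19\n\n".format(client_version).encode("ascii")


def normalize_version(version):
    """Pad a banner version to the five-component form used in the notice
    (the banner reports 10.3.6.0, the notice lists 10.3.6.0.0)."""
    parts = version.split(".")
    while len(parts) < 5:
        parts.append("0")
    return ".".join(parts)


def parse_t3_banner(data):
    """Interpret the server's reply to the T3 hello.

    A listen port with T3 enabled answers 'HELO:<version>.<true|false>' on
    the first line. Anything else (closed socket, HTTP error, connection
    filter rejection) is treated as T3 not exposed.
    """
    text = data.decode("ascii", errors="replace")
    first_line = text.split("\n", 1)[0]
    if not first_line.startswith("HELO:"):
        return {"t3_enabled": False, "version": None}
    fields = first_line[len("HELO:"):].split(".")
    if fields and fields[-1] in ("true", "false"):
        fields = fields[:-1]          # strip the trailing boolean flag
    return {"t3_enabled": True, "version": normalize_version(".".join(fields))}


def assess(data):
    """Parse a banner and attach the CVEs from this notice that apply."""
    info = parse_t3_banner(data)
    info["cves"] = AFFECTED.get(info["version"], ())
    return info


def probe_t3(host, port=7001, timeout=5.0):
    """Network check: send the hello and assess whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_t3_hello())
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return assess(data)


# Constructed sample replies for the offline run (not captured from a real host).
SAMPLE_T3_OPEN = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_T3_OLD = b"HELO:10.3.6.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_T3_BLOCKED = b""                                   # filter deny / closed socket
SAMPLE_HTTP_ONLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"   # e.g. a plain HTTP front end

if __name__ == "__main__":
    for name, reply in (("open", SAMPLE_T3_OPEN), ("old", SAMPLE_T3_OLD),
                        ("blocked", SAMPLE_T3_BLOCKED), ("http", SAMPLE_HTTP_ONLY)):
        print(name, assess(reply))
    # Against a live host: print(probe_t3("weblogic.example.internal", 7001))
```

Run it against each listen address of the server before and after applying the connection filter: a host that still answers with a `HELO:` banner from an untrusted source address has not been mitigated, whatever the console shows.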