WebLogic Remote Code Execution Vulnerabilities (CVE-2020-2551 and CVE-2020-2546)
Jan 17, 2020 GMT+08:00
Oracle has officially released a patch update notice disclosing several high-risk vulnerabilities, including two remote code execution (RCE) vulnerabilities in WebLogic Server: CVE-2020-2546 and CVE-2020-2551.
CVE-2020-2546: An easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server and achieve remote code execution.
CVE-2020-2551: An easily exploitable vulnerability that allows an unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful exploitation can result in takeover of Oracle WebLogic Server.
We therefore remind WebLogic users to check whether their deployments are affected and to apply security hardening promptly.
III. Affected Products
IV. Vulnerability Handling
1. Patch upgrade: Both vulnerabilities are fixed in the officially released patch. Log in to https://support.oracle.com with a licensed account and download the latest patch.
2. Workaround: If the patch cannot be applied immediately, disable the T3 and IIOP protocols to mitigate both vulnerabilities.
Note: Before applying either fix, back up your files and test thoroughly.
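As an added illustration of the workaround in step 2 (this is an example, not part of the original notice), the following connection filter rule set, in the rule syntax of WebLogic's built-in weblogic.security.net.ConnectionFilterImpl, keeps T3 available for local administration and blocks T3/T3S and IIOP (named giop/giops in filter rules) from every other source. The administration host 10.0.0.5 is an assumed placeholder; the lines beginning with # are annotations and only the three rule lines are entered in the console.

```text
# Assumed example, not from the original notice.
# Console path: Domain > Security > Filter
#   Connection Filter:       weblogic.security.net.ConnectionFilterImpl
#   Connection Filter Rules: one rule per line, evaluated top-down, first match wins
#
#   target        localAddress  localPort  action  protocols
127.0.0.1       *             *          allow   t3 t3s
10.0.0.5        *             *          allow   t3 t3s
0.0.0.0/0       *             *          deny    t3 t3s giop giops
```

Managed servers, Node Manager and WLST clients talk to the administration server over T3, so each such host needs its own allow line ahead of the final deny or domain administration breaks. IIOP can additionally be switched off per server in the console under Protocols > IIOP, which removes the CVE-2020-2551 listener entirely rather than just filtering it.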