Oracle WebLogic Remote Code Execution Vulnerabilities
Jul 23, 2020 GMT+08:00
I. Overview
Oracle has recently released its quarterly security bulletin and disclosed security vulnerabilities in multiple products, including several high-risk WebLogic vulnerabilities (CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, CVE-2020-14687, CVE-2017-5645 and CVE-2020-14588). CVE-2020-14625, CVE-2020-14644, CVE-2020-14645 and CVE-2020-14687 are related to the T3 and IIOP protocols. Attackers can exploit these vulnerabilities to remotely obtain privileges on WebLogic servers, which poses a high security risk.
If you are using WebLogic and other Oracle products, check your services and implement timely security hardening.
Reference link:
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle's security bulletin for this quarter released 443 security vulnerability patches, covering Oracle WebLogic, Oracle Coherence, Oracle BI Publisher, Oracle Endeca Information Discovery Studio, and Oracle Business Intelligence Enterprise Edition, among others. For details about the vulnerabilities and patches, visit the reference link.
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Vulnerability Description
| CVE ID | Affected Component | Severity | Affected Version |
| --- | --- | --- | --- |
| CVE-2020-9546 | Centralized Thirdparty Jars (jackson-databind) | Important | 12.2.1.3.0, 12.2.1.4.0 |
| CVE-2018-11058 | Security Service (RSA BSAFE) | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 |
| CVE-2020-14625 | Core | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-14644 | Core | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-14645 | Core | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-14687 | Core | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2017-5645 | Centralized Thirdparty Jars (Log4j) | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2017-5645 | Console (Log4j) | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-14588 | Web Container | Critical | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
IV. Affected Products and Components
Products:
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 12.2.1.3.0
Oracle WebLogic Server 12.2.1.4.0
Oracle WebLogic Server 14.1.1.0.0
Components:
Centralized Thirdparty Jars (jackson-databind)
Security Service (RSA BSAFE)
Core
Centralized Thirdparty Jars (Log4j)
Console (Log4j)
Web Container
V. Vulnerability Handling
These vulnerabilities have been fixed in the patches officially released by Oracle. Use a licensed account to log in to https://support.oracle.com and download the latest patches.
Note: Before applying the fixes, back up your files and test the patches thoroughly.