
Oracle WebLogic Remote Code Execution Vulnerabilities

Jul 23, 2020 GMT+08:00

I. Overview

Oracle has released its quarterly Critical Patch Update, which discloses security vulnerabilities in multiple products, including several high-risk WebLogic Server vulnerabilities (CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, CVE-2020-14687, CVE-2017-5645 and CVE-2020-14588). CVE-2020-14625, CVE-2020-14644, CVE-2020-14645 and CVE-2020-14687 are reachable over the T3 and IIOP protocols: a remote attacker who can reach a T3 or IIOP listener can exploit them without authentication to execute code on, and take over, the WebLogic server. The remaining entries are in bundled third-party libraries (jackson-databind, RSA BSAFE, Log4j) and in the web container.

If you use WebLogic Server or other affected Oracle products, check your deployments for the versions listed below and apply the patches and hardening measures promptly.
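As an added example (not part of this notice and not Oracle's tooling): a small Python check that sends the T3 greeting to a listener, reads the version the server reports back, and maps that version against the affected-version table in section III. The handshake string and the "HELO:" reply format are the T3 version exchange; the sample replies are constructed, not captured from a real host, and padding a short version string to five components is an assumption about how older servers report themselves.

```python
import re
import socket

# Affected versions per CVE, transcribed from the table in section III of this notice
# (the two CVE-2017-5645 rows, Log4j in the centralized jars and in the Console, are merged).
AFFECTED_VERSIONS = {
    "CVE-2020-9546":  {"12.2.1.3.0", "12.2.1.4.0"},
    "CVE-2018-11058": {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"},
    "CVE-2020-14625": {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"},
    "CVE-2020-14644": {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"},
    "CVE-2020-14645": {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"},
    "CVE-2020-14687": {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"},
    "CVE-2017-5645":  {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"},
    "CVE-2020-14588": {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"},
}

# The CVEs this notice attributes to the T3 and IIOP protocols.
T3_IIOP_CVES = {"CVE-2020-14625", "CVE-2020-14644", "CVE-2020-14645", "CVE-2020-14687"}

# T3 opens with a plain-text version exchange. A listener that accepts T3 answers
# "HELO:<version>.<ssl-flag>"; a filtered, disabled or non-T3 port does not.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"
HELO_RE = re.compile(rb"HELO:(\d+(?:\.\d+)+)\.(true|false)")


def normalize_version(version: str) -> str:
    """Pad a reported version to the five-component form used in the table.
    Assumption: some servers report fewer components (e.g. 10.3.6.0)."""
    parts = version.split(".")
    while len(parts) < 5:
        parts.append("0")
    return ".".join(parts[:5])


def parse_t3_reply(data: bytes):
    """Return (server_version, ssl_flag) from a T3 HELO reply, or None if the
    reply is not a T3 greeting (port filtered, T3 disabled, or another service)."""
    m = HELO_RE.search(data)
    if m is None:
        return None
    return m.group(1).decode("ascii"), m.group(2) == b"true"


def affected_cves(version: str):
    """CVE IDs from this notice whose affected-version list contains `version`."""
    v = normalize_version(version)
    return sorted(cve for cve, versions in AFFECTED_VERSIONS.items() if v in versions)


def assess(reply: bytes):
    """Combine the banner and the table: which CVEs apply to the reported version,
    and which of them are the T3/IIOP-reachable ones this listener exposes."""
    parsed = parse_t3_reply(reply)
    if parsed is None:
        return {"t3": False, "version": None, "cves": [], "t3_exposed_cves": []}
    version, _ssl = parsed
    cves = affected_cves(version)
    return {
        "t3": True,
        "version": normalize_version(version),
        "cves": cves,
        "t3_exposed_cves": [c for c in cves if c in T3_IIOP_CVES],
    }


def probe(host: str, port: int = 7001, timeout: float = 5.0):
    """Send the T3 greeting to a live host and assess the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HANDSHAKE)
        reply = sock.recv(4096)
    return assess(reply)


# Constructed sample replies (not captured from a real host), in the T3 greeting format.
SAMPLE_T3_REPLY = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        print(probe(sys.argv[1], port))
    else:
        print(assess(SAMPLE_T3_REPLY))
        print(assess(SAMPLE_HTTP_REPLY))
```

Run it as "python3 t3check.py host [port]" against servers you are authorised to test. A HELO reply means the port speaks T3 to unauthenticated clients, which is exactly the exposure the four Core CVEs need; no reply or a non-T3 reply means the listener is filtered, T3 is disabled, or the port serves something else. The script only reads the advertised version: it cannot tell whether the Critical Patch Update is installed, so treat a match as "check the patch inventory for this host", not as confirmed vulnerability. IIOP uses a different handshake and is not probed here.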

Reference link:

https://www.oracle.com/security-alerts/cpujul2020.html

Oracle's bulletin for this quarter contains 443 security patches across its product lines, including Oracle WebLogic Server, Oracle Coherence, Oracle BI Publisher, Oracle Endeca Information Discovery Studio and Oracle Business Intelligence Enterprise Edition. See the reference link for the full list of vulnerabilities and patches.

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Vulnerability Description

CVE ID         | Affected Component                             | Severity  | Affected Versions
CVE-2020-9546  | Centralized Thirdparty Jars (jackson-databind) | Important | 12.2.1.3.0, 12.2.1.4.0
CVE-2018-11058 | Security Service (RSA BSAFE)                   | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14625 | Core                                           | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14644 | Core                                           | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14645 | Core                                           | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14687 | Core                                           | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645  | Centralized Thirdparty Jars (Log4j)            | Important | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645  | Console (Log4j)                                | Important | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14588 | Web Container                                  | Critical  | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

CVE-2017-5645 appears twice because the vulnerable Log4j copy ships in two places, the centralized third-party jars and the administration Console, with different affected-version lists.

IV. Affected Products and Components

Products:

Oracle WebLogic Server 10.3.6.0.0

Oracle WebLogic Server 12.1.3.0.0

Oracle WebLogic Server 12.2.1.3.0

Oracle WebLogic Server 12.2.1.4.0

Oracle WebLogic Server 14.1.1.0.0

Components:

Centralized Thirdparty Jars (jackson-databind)

Security Service (RSA BSAFE)

Core

Centralized Thirdparty Jars (Log4j)

Console (Log4j)

Web Container

V. Vulnerability Handling

Oracle has fixed these vulnerabilities in the July 2020 Critical Patch Update. Log in to https://support.oracle.com with a licensed account, download the patch set for your WebLogic Server version (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0) and apply it.

If the patch cannot be applied immediately, reduce exposure in the meantime: block T3/T3S and IIOP from untrusted networks (for example with a WebLogic connection filter, weblogic.security.net.ConnectionFilterImpl, and a rule such as 0.0.0.0/0 * * deny t3 t3s), disable IIOP on servers that do not need it, and keep the administration port and console off the Internet. These measures limit only the four T3/IIOP vulnerabilities; the jackson-databind, RSA BSAFE, Log4j and web container issues still require the patch.

Note: Back up the domain configuration and binaries before patching, and test the patch in a non-production environment first.