At the end of last week, Oracle and researchers at the SANS Internet Storm Center (ISC) warned of possible imminent attacks on the critical CVE vulnerability – 2020 – 14882 in several versions of Oracle’s WebLogic Server. The company had already published patches in the course of its quarterly “Critical Patchday”.

There is now a separate security warning for a very similar critical vulnerability, which was not discussed on Patchday. According to Oracle’s newly published Security Alert Advisory on CVE – 14 – 14750 it is closely related to CVE – 2020 – 14882. In view of the same severity (CVSS score 9.8, “Critical”) and the fact that exploit code should be available on several websites according to the advisory, Oracle recommends applying the patches immediately.

Unauthenticated remote code execution As with CVE – 2020 – 14882, remote attackers can use CVE – 2020 – 14750 execute code remotely without prior authentication ( Remote Code Execution). Also the affected versions, namely WebLogic Server 10. 3.6.0.0, 12. 1.3.0.0, 12. 2.1. 3.0, 12. 2.1.4.0 and 14 .1.1.0.0 , are identical. The advisory does not provide any further technical details.

As access to the available patches, Oracle links a “Patch Availability Document” in the advisory, which registered users can access via their Oracle account. Notes on the “predecessor” CVE – 2020 – 14882 can be found You here:

(ovw)