Oracle has had to patch the same bug a second time, after proof-of-concept exploit code for it was made public. Oracle released a rare out-of-cycle security update on Sunday to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic servers. The flaw is currently being actively exploited in attacks.
The new patch (tracked as CVE-2020-14750) adds further fixes on top of the earlier patch for CVE-2020-14882, which Oracle first addressed in its regular quarterly security release, the October 2020 Critical Patch Update.
CVE-2020-14882 is a critical vulnerability that allows an unauthenticated attacker to execute arbitrary code on an Oracle WebLogic server. To exploit it, an attacker only needs to send a single crafted HTTP GET request to the WebLogic Administration Console; no credentials are required.
PoC made public
Proof-of-concept exploit code was made public in the days following Oracle's initial patch [1, 2, 3, 4, 5]. As has happened several times before, this code was quickly adopted by attackers, and last week SANS ISC reported attacks against WebLogic honeypots.
But even patched systems were not considered safe. According to Adam Boileau, senior security adviser at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed.
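The bypass described above is the classic failure mode of a filter that matches one literal encoding of a malicious input. As an added example (not from this article and not Oracle's code), the following Python scans constructed web-server access-log lines for path-traversal requests aimed at the WebLogic console and contrasts a literal, case-sensitive match with a check that fully percent-decodes and case-folds the path first. The log format, the request paths and the traversal encodings are assumptions modelled on publicly reported PoCs, not details given on this page; the log lines are constructed, not real traffic.

```python
"""Detect path-traversal requests against the WebLogic console in access logs.

Added example, not from the article. The lesson mirrors the incomplete patch:
a naive check for one literal encoding of ".." misses trivial variants, so
the robust check undoes repeated percent-encoding and case-folds the path
before looking for traversal.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed common log format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2020:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [31/Oct/2020:10:01:07 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 88120
10.0.0.9 - - [31/Oct/2020:10:01:09 +0000] "GET /console/css/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 88120
10.0.0.9 - - [31/Oct/2020:10:01:12 +0000] "GET /console/images/%2e%2e/console.portal HTTP/1.1" 302 0
10.0.0.7 - - [31/Oct/2020:10:02:00 +0000] "GET /console/css/main.css HTTP/1.1" 200 1400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Strip the query string, undo repeated percent-encoding and case-fold,
    so that '%252e%252e', '%252E%252E' and '%2e%2e' all become '..'.
    The round limit keeps pathological inputs from looping."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def naive_is_traversal(raw_path: str) -> bool:
    """The kind of literal, case-sensitive check an incomplete fix might use:
    it catches only the exact lowercase double-encoded form."""
    return "%252e%252e" in raw_path


def is_console_traversal(raw_path: str) -> bool:
    """Robust check: a request under /console/ whose normalized path
    still contains a '..' segment."""
    norm = normalize_path(raw_path)
    return norm.startswith("/console/") and ".." in norm


def scan_log(text: str):
    """Return (ip, timestamp, raw path, status) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as an access-log entry
        if is_console_traversal(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, path, status in scan_log(SAMPLE_LOG):
        naive = "caught" if naive_is_traversal(path) else "MISSED"
        print(f"{ts} {ip} {status} {path}  (naive literal check: {naive})")
```

On the sample input the naive check flags only the lowercase line, while the normalized check flags all three traversal attempts from 10.0.0.9, including the uppercase variant and the single-encoded one. A 200 response on a console.portal traversal request is the line worth escalating; a 302 to the login page suggests the request was redirected rather than served.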
The recent attacks and the bypass of the original patch led Oracle to release a second round of fixes on Sunday, in a rare out-of-band security update.
Companies running WebLogic servers are now advised to install the additional patch for CVE-2020-14750, which protects against both the original CVE-2020-14882 exploit and the bypass of its first fix; a server that has only the October 2020 patch is still exposed. Until both patches are applied, the Administration Console should not be reachable from untrusted networks. According to internet search engine Spyse, more than 3,300 WebLogic servers are currently exposed online and considered vulnerable to the original CVE-2020-14882 vulnerability.