On October 20, 2020, Oracle released its Critical Patch Update that contains fixes for multiple critical vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9.8. The vulnerabilities include unauthorized access vulnerabilities in Oracle WebLogic servers (CVE-2020-14882 and CVE- 2020-14883).
Unauthenticated attackers can exploit these vulnerabilities to take over WebLogic servers and implement remote code execution.
- WebLogic 12.2.1.3.0
- WebLogic 12.2.1.4.0
- WebLogic 14.1.1.0.0
- WebLogic 10.3.6.0.0
- WebLogic 12.2.1.3.0
Risk level: high
Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.
- Use the virtual patch function of Cloud Firewall.
You can use this function to fix the vulnerabilities. We recommend that you enable the virtual patch with the ID of 10005295. Alternatively, you can search for CVE-2020-14882 or CVE- 2020-14883 to find the virtual patch. For more information, see Intrusion prevention.
- Other security suggestions:
- Disable T3.
- Disable Internet Inter-ORB Protocol (IIOP).
- Forbid access to /console/console.portal in the backend.
- Install official security patches.