[Virtual patch] Unauthorized access vulnerabilities in Oracle WebLogic servers (CVE-2020-14882 and CVE- 2020-14883) - Security Notification| Alibaba Cloud Documentation Center

On October 20, 2020, Oracle released its Critical Patch Update that contains fixes for multiple critical vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9.8. The vulnerabilities include unauthorized access vulnerabilities in Oracle WebLogic servers (CVE-2020-14882 and CVE- 2020-14883).

Unauthenticated attackers can exploit these vulnerabilities to take over WebLogic servers and implement remote code execution.

Scope of impact:

WebLogic 12.2.1.3.0
WebLogic 12.2.1.4.0
WebLogic 14.1.1.0.0
WebLogic 10.3.6.0.0
WebLogic 12.2.1.3.0

Risk level: high

Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.

Security suggestions:

Use the virtual patch function of Cloud Firewall.
You can use this function to fix the vulnerabilities. We recommend that you enable the virtual patch with the ID of 10005295. Alternatively, you can search for CVE-2020-14882 or CVE- 2020-14883 to find the virtual patch. For more information, see Intrusion prevention.
Other security suggestions:
- Disable T3.
- Disable Internet Inter-ORB Protocol (IIOP).
- Forbid access to /console/console.portal in the backend.
- Install official security patches.