Forum Discussion
Oracle Addresses Patch Bypass for CVE-2020-14882: Oracle...
CVE-2020-14882 is a remote code execution (RCE) flaw in the Console component of Oracle WebLogic Server. Oracle gave the pre-authentication flaw an attack complexity of “low” and highlighted it as “easily exploitable,” resulting in a critical CVSSv3 score of 9.8.
On October 30, Henry Chen, a security researcher at Alibaba Cloud, published a tweet claiming that the patch for CVE-2020-14882, recently released as part of Oracle's October 2020 Critical Patch Update (CPU), can be bypassed.
On November 1, Oracle released a security alert advisory for CVE-2020-14750, an RCE vulnerability in the Console component of Oracle WebLogic Server that is related to the bypass of the patch for CVE-2020-14882. The advisory also notes the release of a patch that addresses both CVE-2020-14750 and CVE-2020-14882.
For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.