Alert

Customer Alert – 10/30/2020

Background

A WebLogic Server flaw, CVE-2020-14882, which ranks 9.8 out of 10 on the CVSS scale, is under active attack, according to researchers from the SANS Technology Institute.

 

Discussion

A patch for CVE-2020-14882 was included in Oracle’s Q4 2020 Critical Patch Update released on October 21, 2020. Oracle describes the attack as “low” in complexity, requiring no privileges and no user interaction. It can be exploited by attackers with network access via HTTP.

In a bulletin, Johannes B. Ullrich, Ph.D., Dean of Research at the SANS Technology Institute, noted that “if you find a vulnerable server in your network: Assume it has been compromised.”

Vulnerable WebLogic versions include:

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

Action Steps

Waratek Patch customers can immediately access an ARMR virtual patch that remediates CVE-2020-14882. Contact your Waratek representative for details. Waratek ARMR Virtual Patches fix code flaws in minutes without source code changes, application downtime, or risk of breaking an app’s functionality.

Waratek Secure and Upgrade customers are automatically protected by Waratek’s autonomous CWE-114 mitigation, which will protect against all RCE exploits of CVE-2020-14882.

Non-Waratek customers should request a trial license or a live demonstration of Waratek protective agents.

 

About Waratek

Some of the world’s leading companies use Waratek’s ARMR Security Platform to patch, secure and upgrade their mission-critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for security teams to instantly detect and remediate known vulnerabilities with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time-consuming and expensive source code changes or unacceptable performance overhead.

Waratek is the winner of the 2020 Cyber Defense Magazine’s Cutting Edge Award for Application Security, the Cybersecurity Breakthrough Award’s 2019 Overall Web Security Solution of the Year, and is a previous winner of the RSA Innovation Sandbox Award along with more than a dozen other awards and recognitions.
