Positive Technologies helps Oracle fix a vulnerability in WebLogic Server

Attackers can take advantage of the security flaw to remotely access a server and read information and files stored on it.

Positive Technologies expert Arseny Sharoglazov discovered a vulnerability in Oracle WebLogic Server. Using an Internet-accessible URL, attackers can connect to the system, brute-force login credentials, and read files remotely. Tens of thousands of companies around the world use Oracle WebLogic products.

The vulnerability, CVE-2020-14622, received a Medium severity rating (CVSS base score 4.9).

Compounding the problem, many system administrators don't know that this URL exists or that attackers can use a standard username and password to access it. The WebLogic administration console is usually located on a separate port and is not accessible from the Internet. Changes to the system configuration are made with special scripts that contain default credentials for accessing the configuration URL in question.

Attackers can use this security flaw to access Oracle WebLogic Server and read any files stored on it. Depending on the company, this server may hold users' personal data, configuration files of key systems, and application source code, which may itself contain vulnerabilities.

Attackers need only a moderate degree of skill to exploit the vulnerability: vulnerable servers can be found with automated scanning systems, and exploitation requires writing only simple Java code.

Positive Technologies researcher Arseny Sharoglazov said: "We encountered this vulnerability during security analysis projects on PCI DSS-certified banking systems. These are complex systems: a DMZ is set up with servers inside, including WebLogic and SQL. These are all isolated and audited, with an nginx proxy and WAF to boot. But administrators don't know that attackers can access the infrastructure using a configuration URL, undermining all these protection measures."

Positive Technologies experts recommend installing Oracle's critical patch update and changing the standard password used to access the URL. Setting a unique password reduces the risk of exploitation of CVE-2020-14622.