Unauthenticated Oracle WebLogic Server RCE

CVE-2020-2551 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE-502 OWASP 2013-A1 OWASP 2017-A1 CAPEC-242 ISO27001-A.14.2.5 HIPAA-94 WSTG-INPV-08

The insecure deserialization vulnerability in certain versions of Oracle Weblogic (Server product of Oracle Fusion Middleware) exploited by a remote attacker with network access via IIOP, by sending crafted requests to the server. Successful exploitation will enable an attacker to execute arbitrary codes and eventually result in takeover of Oracle Weblogic server.

Vulnerable versions

Oracle WebLogic Server 10.3.6 Oracle WebLogic Server 12.1.3 Oracle WebLogic Server 12.2.1.3 Oracle WebLogic Server 12.2.1.4

Mitigation / Precaution

In order to patch this vulnerability, please install the official patch released by Oracle.(https://www.oracle.com/security-alerts/cpujan2020.html)

Latest Articles