Oracle WebLogic Server – Remote Code Execution (CVE-2020-14882)

Recently, a critical and easy-to-exploit remote code execution vulnerability was found in Oracle WebLogic Servers. The vulnerability allows an unauthenticated remote attacker with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.

The vulnerability affects the following versions:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0
  • 12.2.1.4.0
  • 14.1.1.0.0

An exploit targeting this vulnerability was posted online by a Vietnamese researcher. Exploitation requires nothing more than sending a POST request.

According to the researcher, Oracle WebLogic does not perform any authentication on the following end points:

  • /bea-helpsets/*
  • /framework/skins/wlsconsole/images/*
  • /framework/skins/wlsconsole/css/*
  • /framework/skeletons/wlsconsole/js/*
  • /framework/skeletons/wlsconsole/css/*
  • /css/*
  • /common/*
  • /images/*

By double-encoding “../” in a request to the unauthenticated /images endpoint, the researcher bypassed authentication and navigated to the path that triggers code execution.

Malicious requests exploiting this vulnerability are shown in the figures below.

Figure 1 Exploit request

Figure 2 Exploit request with a different gadget

Mitigation with BIG-IP ASM

ASM customers running any supported BIG-IP version are already protected against this vulnerability.

The exploitation attempt will trigger a violation caused by the directory traversal evasion technique, and it will also be detected by many existing signatures for Java and PHP code injection.
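The two ideas in this advisory, the double-encoded “../” that slips past the unauthenticated static endpoints and the traversal-evasion violation that catches it, can be demonstrated in a small request classifier. The Python below is an added example written for this page, not F5's or Oracle's code and not the logic of the ASM signatures named in the figures. It assumes the console is deployed under the context root /console, uses the endpoint list from the advisory, and runs over a constructed access log in combined format; the protected page name in the sample lines is a placeholder, not a real WebLogic resource.

```python
import re
from urllib.parse import unquote

# Static-content prefixes the advisory lists as served without authentication
# (relative to the administration console's context root).
UNAUTHENTICATED_PREFIXES = (
    "/bea-helpsets/",
    "/framework/skins/wlsconsole/images/",
    "/framework/skins/wlsconsole/css/",
    "/framework/skeletons/wlsconsole/js/",
    "/framework/skeletons/wlsconsole/css/",
    "/css/",
    "/common/",
    "/images/",
)

# Assumption: the console application is deployed under this context root.
CONSOLE_CONTEXT_ROOT = "/console"

# Combined-format access log line: client, method, path, status. Assumed layout.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def fully_decode(path, max_rounds=4):
    """Percent-decode until the string stops changing, bounded to avoid loops.
    Returns (decoded_path, rounds_needed). Two or more rounds means the client
    sent a double-encoded path, which is the evasion technique described above."""
    current, rounds = path, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def resolve_dot_segments(path):
    """Collapse '.' and '..' segments the way a container's path mapping would,
    so we see the resource that actually gets served."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify_request(raw_path):
    """Verdict for one request path: 'ignore' (not the console), 'pass',
    'alert' (double encoding that stays inside the static prefix), or
    'block' (normalized path leaves the unauthenticated prefix)."""
    path = raw_path.split("?", 1)[0]
    if not path.startswith(CONSOLE_CONTEXT_ROOT + "/"):
        return {"verdict": "ignore", "decode_rounds": 0, "normalized": path}
    rel = path[len(CONSOLE_CONTEXT_ROOT):]
    prefix = next((p for p in UNAUTHENTICATED_PREFIXES if rel.startswith(p)), None)
    if prefix is None:
        # Not a static prefix: the container's own authentication applies.
        return {"verdict": "pass", "decode_rounds": 0, "normalized": rel}
    decoded, rounds = fully_decode(rel)
    normalized = resolve_dot_segments(decoded)
    if not normalized.startswith(prefix):
        verdict = "block"   # traversal out of the unauthenticated directory
    elif rounds >= 2:
        verdict = "alert"   # double encoding with no escape: still suspicious
    else:
        verdict = "pass"
    return {"verdict": verdict, "decode_rounds": rounds, "normalized": normalized}


def scan_access_log(text):
    """Run the classifier over access-log lines; returns one record per parsed line."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        rec = classify_request(path)
        rec.update(client=client, method=method, path=path, status=int(status))
        results.append(rec)
    return results


# Constructed sample log: two ordinary static requests, then two traversal
# attempts (double- and single-encoded) against a placeholder protected page.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [30/Oct/2020:10:00:01 +0000] "GET /console/images/logo.png HTTP/1.1" 200 4521
10.0.0.5 - - [30/Oct/2020:10:00:02 +0000] "GET /console/css/style.css HTTP/1.1" 200 1873
198.51.100.7 - - [30/Oct/2020:10:00:09 +0000] "POST /console/images/%252e%252e%252fprotected/page?x=1 HTTP/1.1" 200 1402
198.51.100.7 - - [30/Oct/2020:10:00:10 +0000] "GET /console/images/%2e%2e/protected/page HTTP/1.1" 200 1402
"""

if __name__ == "__main__":
    for r in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{r['verdict']:6} {r['client']:14} {r['method']:4} {r['path']} -> {r['normalized']}")
```

The check that matters is the comparison between the prefix that matched the raw path and the prefix of the fully normalized path: the authorization decision was made on the former, the resource is served from the latter, and any mismatch is exactly the bypass this advisory describes. Bounding the decode loop and counting rounds also lets you raise a lower-severity alert on double encoding that happens to stay inside the static directory, which is worth reviewing even when nothing was exposed.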

Figure 3 Exploit blocked with Attack Signature (200004161)

Figure 4 Exploit blocked with Attack Signature (200004152)

Figure 5 Exploit blocked with Attack Signature (200004624)

Figure 6 Exploit blocked with Attack Signature (200004625)

Published Oct 30, 2020
Version 1.0