On Sunday, Oracle published a rare out-of-band security update to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic Server that is being actively exploited in the wild.
CVE-2020-14882 is a dangerous vulnerability that lets an unauthenticated attacker execute code with elevated privileges on an Oracle WebLogic server, because the vulnerable request handling is reached before the server's authentication check.
To exploit CVE-2020-14882, an attacker only needs to send a single crafted HTTP GET request to the WebLogic administration console.
Since exploitation is trivial, proof-of-concept (PoC) exploit code was made public within days of the initial Oracle patch [1, 2, 3, 4, 5].
As has happened many times before, these PoCs were quickly adopted by threat actor groups, and last week SANS ISC reported attacks against WebLogic honeypots.
Even patched systems turned out not to be safe.
According to Adam Boileau, Principal Security Consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed if attackers changed the case of a single character in the standard PoC exploit.
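The single-GET-request exploitation described above and the case-change bypass of the first patch share one lesson for defenders: a filter that matches the raw, encoded request string is brittle, while a check that percent-decodes the path before matching is not. The following is an added example written for this article, not code from the article, from Oracle or from any of the cited PoC authors. It contrasts an illustrative case-sensitive blocklist with a decode-then-match detector and runs both over constructed web-server access-log lines. Assumptions: the log lines are made up; the double-URL-encoded `..` traversal toward the console in them follows the shape of the public PoCs but is not quoted from this page; the "naive" blocklist is a stand-in for a case-sensitive filter, not Oracle's actual patch code.

```python
"""Case-sensitive blocklist vs. decode-then-match detection for encoded
path-traversal requests against the WebLogic console path.

Added example, not code from the article or from Oracle.  The log lines
below are constructed, and the exploit-shaped path in them is an
assumption modelled on the shape of the public PoCs, not text from the page.
"""
import re
from urllib.parse import unquote

# Illustrative case-sensitive blocklist (assumption: a stand-in for a filter
# that only recognises the exact upper-case encoding, as the article says the
# original patch could be bypassed by changing one character's case).
NAIVE_BLOCKLIST = ("%252E%252E%252F", "%2E%2E%2F")


def naive_blocked(raw_path: str) -> bool:
    """Raw substring match on the encoded path; misses any case variant."""
    return any(token in raw_path for token in NAIVE_BLOCKLIST)


def fully_decode(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, so that
    %252E -> %2E -> '.'  unquote() accepts upper- and lower-case hex digits,
    which is exactly why %252e and %252E end up identical here."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_console_traversal(raw_path: str) -> bool:
    """Decode first, normalise, then look for a '..' segment under /console/."""
    path = fully_decode(raw_path).lower().replace("\\", "/")
    if not path.startswith("/console/"):
        return False
    segments = path.split("?", 1)[0].split("/")
    return ".." in segments


# Constructed access-log lines in Common Log Format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [31/Oct/2020:10:00:01 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true HTTP/1.1" 200 512',
    '10.0.0.6 - - [31/Oct/2020:10:00:02 +0000] "GET /console/images/%252e%252e%252fconsole.portal?_nfpb=true HTTP/1.1" 200 512',
    '10.0.0.7 - - [31/Oct/2020:10:00:03 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096',
    '10.0.0.8 - - [31/Oct/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 120',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def scan_log(lines):
    """Return (client, raw_path, naive_verdict, decoded_verdict) per request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        client = line.split(" ", 1)[0]
        path = match.group("path")
        findings.append((client, path, naive_blocked(path), is_console_traversal(path)))
    return findings


if __name__ == "__main__":
    for client, path, naive, decoded in scan_log(LOG_LINES):
        print(f"{client:10} naive={naive!s:5} decoded={decoded!s:5} {path}")
```

Run stand-alone, the naive blocklist flags only the upper-case request from 10.0.0.5 and lets the lower-case variant from 10.0.0.6 through, while the decode-then-match check flags both and leaves the legitimate console login and the unrelated page alone. The same normalise-before-compare rule applies to any WAF or proxy rule you put in front of the console; it is a mitigation for monitoring, not a substitute for installing the out-of-band update.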