CVE-2020-14644
Published: 15 July 2020
Summary
CVE-2020-14644 is a critical-severity vulnerability (weakness type unspecified) in Oracle WebLogic Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-14644 is a vulnerability in the Core component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The flaw is remotely exploitable over the network and carries a CVSS 3.1 base score of 9.8 with full impacts to confidentiality, integrity, and availability.
An unauthenticated attacker with network access via the IIOP or T3 protocols can exploit the issue to achieve complete takeover of the Oracle WebLogic Server instance. No user interaction or credentials are required, and the attack complexity is rated low.
The Oracle July 2020 Critical Patch Update addresses the vulnerability, and the issue appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-6780
Vulnerability details
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s)
- KEV Date Added: 18 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the July 2020 Critical Patch Update that Oracle issued to eliminate the unauthenticated IIOP/T3 deserialization flaw.
- SC-7 (Boundary Protection): enforces boundary protection that can deny or restrict inbound IIOP and T3 traffic from untrusted networks, blocking the remote unauthenticated attack vector before exploitation.
- Requires the system to enforce access-control decisions on all subjects, preventing the unauthenticated attacker from reaching the Core component that allows full server takeover.
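As an added example (not part of this record or of Oracle's tooling), the boundary-protection control above can be checked against what actually reaches a WebLogic listen port: the script below classifies the first bytes of inbound connections as T3, IIOP or HTTP and flags T3/IIOP sessions from outside a trusted range. The sample connections, the trusted network 10.0.0.0/8 and the default listen port 7001 are all assumptions for the demonstration.

```python
import ipaddress

# Constructed sample, not real traffic: (source IP, destination port,
# first bytes the client sent) for connections to the WebLogic listen port.
SAMPLE_CONNECTIONS = [
    ("203.0.113.7", 7001, b"t3 12.2.3\nAS:255\nHL:19\n\n"),        # T3 handshake
    ("10.20.30.40", 7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),        # T3 from inside
    ("198.51.100.9", 7001, b"GIOP\x01\x02\x00\x00"),               # IIOP (GIOP magic)
    ("203.0.113.8", 7001, b"GET /console HTTP/1.1\r\nHost: x\r\n"),  # plain HTTP
]

# Assumed trusted range: only these sources may legitimately use T3/IIOP.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Protocols that carry the CVE-2020-14644 attack vector.
RISKY_PROTOCOLS = {"t3", "iiop"}


def classify(first_bytes: bytes) -> str:
    """Identify the protocol from the leading bytes of a client connection.

    T3 and HTTP are multiplexed on the same WebLogic listen port, so a
    port-based firewall rule cannot tell them apart; the payload can.
    """
    if first_bytes.startswith(b"GIOP"):      # every IIOP message starts with GIOP magic
        return "iiop"
    if first_bytes.startswith(b"t3 "):       # cleartext T3 handshake line "t3 <version>"
        return "t3"
    method = first_bytes.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    return "unknown"


def is_trusted(src_ip: str) -> bool:
    """True when the source address falls inside an assumed trusted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed(connections):
    """Return (src, port, proto) for T3/IIOP connections from untrusted sources."""
    findings = []
    for src, port, head in connections:
        proto = classify(head)
        if proto in RISKY_PROTOCOLS and not is_trusted(src):
            findings.append((src, port, proto))
    return findings


if __name__ == "__main__":
    for src, port, proto in find_exposed(SAMPLE_CONNECTIONS):
        print(f"ALERT: {proto.upper()} from untrusted {src} to port {port}")
```

Any hit means the SC-7 boundary rule is not in effect for that source, which matters most on hosts still missing the July 2020 CPU.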