CVE-2020-14687

9.8 CRITICAL

📋 TL;DR

This vulnerability in Oracle WebLogic Server allows unauthenticated attackers with network access via IIOP or T3 protocols to remotely execute arbitrary code, leading to complete server compromise. It affects WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, putting systems at high risk of takeover.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Operating Systems: All supported OS for WebLogic Server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in the Core component and exploitable via IIOP or T3 protocols, which are often enabled by default.

📦 What is this software?

Oracle WebLogic Server is a Java EE application server used to host enterprise Java applications. T3 is WebLogic's proprietary RMI transport and IIOP is the CORBA-based remote invocation protocol; both carry serialized Java objects between clients and the server, which is why this flaw is reachable over them without any authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with full administrative control, allowing data theft, service disruption, and lateral movement within the network.

🟠 Likely Case: Remote code execution leading to deployment of malware, ransomware, or backdoors for persistent access.

🟢 If Mitigated: Limited impact if network segmentation blocks IIOP/T3 traffic or patches are applied, but risk remains if exposed.

🌐 Internet-Facing: HIGH, as it is remotely exploitable without authentication over network protocols.
🏢 Internal Only: HIGH, because internal attackers or compromised systems can exploit it easily via network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are publicly available and easy to use, making this a high-priority threat for unpatched systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update July 2020 or later; specific patch numbers vary by version.

Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2020.html

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Oracle Support.
2. Apply the patch following Oracle's installation guide.
3. Restart the WebLogic Server to activate the fix.

🔧 Temporary Workarounds

Block IIOP and T3 Protocols (applies to: all)

Restrict network access to IIOP and T3 ports to prevent exploitation.

Use firewall rules to block inbound traffic on ports 7001 (T3) and 9001 (IIOP) or as configured. Because a single WebLogic listen port can accept several protocols, confirm which protocols each configured listen port or network channel serves rather than relying on port numbers alone.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WebLogic servers and block external access to IIOP/T3 ports.
  • Monitor for unusual network traffic or process activity on affected servers and apply patches as soon as possible.

🔍 How to Verify

Check if Vulnerable:

Check the WebLogic Server version; if it is 12.2.1.3.0, 12.2.1.4.0, or 14.1.1.0.0 and the July 2020 Critical Patch Update (or a later one) has not been applied, the server is vulnerable.

Check Version:

On Linux or Windows, set up the WebLogic environment (setWLSEnv.sh or setWLSEnv.cmd) and run java weblogic.version, or check the server log, which records the version at startup.

Verify Fix Applied:

Confirm the patch is installed by listing the applied patches with OPatch (opatch lsinventory from the Oracle home) and matching them against the July 2020 Critical Patch Update advisory for your version, and review logs for exploit attempts that may have occurred before the fix was applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual IIOP or T3 connection attempts, error logs related to deserialization, or unexpected process executions.

Network Indicators:

  • Suspicious traffic on IIOP (port 9001) or T3 (port 7001) protocols from untrusted sources.

SIEM Query:

Example: search for 'WebLogic' AND ('IIOP' OR 'T3') AND ('error' OR 'exploit') in logs.
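As an added example (not from this advisory or from Oracle), the log indicators above as a small Python scanner run over constructed WebLogic-style log lines: it flags T3/IIOP connections from outside a trusted range and lines carrying deserialization errors. The log format, the subsystem names and the trusted network range are assumptions; real WebLogic entries differ, so adapt the regexes to the shape of your own server logs.

```python
import ipaddress
import re

# Constructed, simplified WebLogic-style log lines (not real captures);
# the format and subsystem names are assumptions for this example.
SAMPLE_LOGS = [
    "<Jul 15, 2020 10:01:12 AM> <Info> <RJVM> <Connection from 10.0.5.20 protocol t3>",
    "<Jul 15, 2020 10:02:40 AM> <Info> <RJVM> <Connection from 203.0.113.45 protocol iiop>",
    "<Jul 15, 2020 10:02:41 AM> <Error> <Kernel> <java.io.InvalidClassException: filter status: REJECTED>",
    "<Jul 15, 2020 10:03:05 AM> <Info> <HTTP> <Connection from 203.0.113.45 protocol http>",
    "<Jul 15, 2020 10:04:00 AM> <Warning> <RJVM> <Connection from 198.51.100.9 protocol t3 failed: java.lang.ClassNotFoundException>",
]

# Assumed internal range: only these sources are expected to speak T3/IIOP.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Connection lines naming the source address and the protocol in use.
CONN_RE = re.compile(r"Connection from (\S+) protocol (t3|iiop)", re.IGNORECASE)
# Exceptions typically raised when serialized input is rejected or malformed.
DESER_RE = re.compile(
    r"InvalidClassException|ClassNotFoundException|StreamCorruptedException|deserializ",
    re.IGNORECASE,
)


def is_trusted(ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in trusted)


def scan(lines, trusted=TRUSTED_NETWORKS):
    """Return (reason, line) findings for the two indicator classes."""
    findings = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and not is_trusted(m.group(1), trusted):
            findings.append((f"{m.group(2).upper()} from untrusted {m.group(1)}", line))
        if DESER_RE.search(line):
            findings.append(("deserialization error", line))
    return findings


if __name__ == "__main__":
    for reason, line in scan(SAMPLE_LOGS):
        print(f"[{reason}] {line}")
```

A line that combines both indicators (an untrusted T3 source followed by a deserialization exception, as in the last sample) is reported twice, which is the pattern worth escalating first.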
