CVE-2020-14882 — Oracle WebLogic Server Console Authentication Bypass Vulnerability

Oracle WebLogic — Unauthenticated Console Authentication Bypass via Path Traversal Enables Admin Panel Access; Mass-Exploited Within 48 Hours, Chained with CVE-2020-14883 for Code Execution

What is Oracle WebLogic's Admin Console?

Oracle WebLogic Server's Administration Console is a web-based management interface for configuring and monitoring WebLogic domains, deploying applications, and managing server clusters. By default, the console runs on port 7001 (HTTP) or 7002 (HTTPS) and is accessible at /console/. The console is intended for administrators only and should never be internet-accessible. Authentication bypass vulnerabilities in the WebLogic console are particularly severe because the console allows deploying arbitrary WAR/EAR files and executing server-side scripts — direct routes to Java code execution on the server. The October 2020 WebLogic console vulnerabilities became one of the most widely exploited enterprise Java vulnerabilities of 2020, exploited within 48 hours of patch release by mass-exploitation campaigns and advanced threat actors alike.

Overview

CVE-2020-14882 is an authentication bypass vulnerability in Oracle WebLogic Server's Administration Console that allows an unauthenticated remote attacker to access the console by manipulating the URL path. A path traversal technique (/console/css/%252E%252E%252Fconsole.portal) bypasses the console's authentication check — the WebLogic security filter evaluates the path before URL decoding and determines the request does not require authentication, while the underlying console servlet decodes the path and serves the protected console page. Oracle patched CVE-2020-14882 in the October 2020 CPU alongside CVE-2020-14883 (console code execution), but the fix was found to be incomplete within two weeks, leading to an emergency patch for CVE-2020-14750. All three CVEs together represent the complete October-November 2020 WebLogic console vulnerability cluster.

Affected Versions

Product                            | Vulnerable | Fixed
Oracle WebLogic Server 10.3.6.0.0  | Yes        | Apply October 2020 CPU patch + CVE-2020-14750 emergency patch
Oracle WebLogic Server 12.1.3.0.0  | Yes        | Apply October 2020 CPU patch + CVE-2020-14750 emergency patch
Oracle WebLogic Server 12.2.1.3.0  | Yes        | Apply October 2020 CPU patch + CVE-2020-14750 emergency patch
Oracle WebLogic Server 12.2.1.4.0  | Yes        | Apply October 2020 CPU patch + CVE-2020-14750 emergency patch
Oracle WebLogic Server 14.1.1.0.0  | Yes        | Apply October 2020 CPU patch + CVE-2020-14750 emergency patch

Technical Details

  • Root cause: Authentication bypass via URL path manipulation — the WebLogic console authentication filter evaluates whether a requested path requires authentication based on the raw URL; the path /console/css/%252E%252E%252Fconsole.portal (double-encoded ../console.portal) is evaluated by the filter as a request to the public css/ directory (no auth required), but after URL decoding the underlying servlet serves the protected console.portal page
  • Double encoding bypass: %252E decodes to %2E in the first decode pass (the security filter), then %2E decodes to . in the second decode pass (the servlet), resulting in the path traversal that bypasses the filter while reaching protected resources; the October CPU fix corrected one bypass pattern but not all encoding permutations, leading to CVE-2020-14750
  • CVE-2020-14883 code execution companion: Authentication bypass alone (CVE-2020-14882) provides console UI access but not immediate code execution; CVE-2020-14883 (patched in the same October CPU) allows executing arbitrary Java code through the console's server monitoring endpoints via a POST request — together, CVE-2020-14882 + CVE-2020-14883 form a complete unauthenticated code execution chain
  • Mass exploitation within 48 hours: Public PoC exploits were published within 48 hours of the October 2020 CPU; WebLogic's prevalence in financial services, retail, and government Java infrastructure made it a mass-exploitation target; attackers immediately began deploying web shells, cryptominers, and ransomware on internet-exposed WebLogic consoles
  • WebLogic internet exposure: Thousands of Oracle WebLogic servers are internet-accessible on ports 7001/7002; Shodan and Censys routinely index them; any unpatched, internet-facing WebLogic instance running the affected versions was exploited during this period

Discovery

CVE-2020-14882 was identified by security researchers and reported to Oracle prior to the October 2020 CPU. Public proof-of-concept exploits emerged within 48 hours of the CPU's release, indicating the vulnerability was straightforward to reverse-engineer from the patch diff. The bypass of the October CPU fix — which became CVE-2020-14750 — was identified by researchers within two weeks, demonstrating the difficulty of completely fixing path traversal authentication bypasses with partial patches.

Exploitation Context

The October-November 2020 Oracle WebLogic console vulnerabilities (CVE-2020-14882 + CVE-2020-14883 + CVE-2020-14750) were among the most widely exploited enterprise software vulnerabilities of 2020. Within days of disclosure, multiple ransomware operators, cryptomining groups, and APT actors weaponized working PoCs. WebLogic's prevalence in financial services, retail, and government Java application infrastructure made it a high-value target. Internet-exposed WebLogic admin consoles — which should never be publicly accessible — were the primary attack surface, and any organization that had not patched and network-isolated WebLogic consoles was compromised during this period. The rapid evolution from CVE-2020-14882 to the bypass CVE-2020-14750 within two weeks exemplifies how incomplete vulnerability fixes extend the exploitation window.

Remediation

  1. Apply Oracle October 2020 CPU patches for CVE-2020-14882 and CVE-2020-14883, then apply the November 2020 emergency Security Alert patch for CVE-2020-14750 — the emergency patch supersedes the October CPU fix for the console authentication bypass
  2. Block external access to the WebLogic admin console ports 7001/7002 immediately: the console must never be internet-accessible, so firewall these ports to authorized administrator hosts only. This is the most effective mitigation and applies regardless of patch status
  3. Apply Oracle's com.bea.security.allowedAuthentications connection filter or equivalent to restrict administrative access to specific IP ranges
  4. Investigate for compromise: scan WebLogic server directories for unexpected WAR/EAR deployments, review WebLogic application deployment logs, and check for new administrative user accounts
  5. Monitor WebLogic access logs for path traversal patterns (%252E, %25252E, %2F..%2F, %252F) indicating exploitation attempts
  6. Apply all Oracle CPU patches on a regular schedule to address future WebLogic vulnerabilities; plan for quarterly Oracle CPU application in your patch management cycle
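The double-decoding mechanism from Technical Details and the log-monitoring step above, as an added Python example that is not from the advisory or from Oracle: it canonicalizes a request path the way an authorization check should (percent-decode until the string stops changing, then collapse `..` segments), contrasts that with the raw-path check the advisory describes, and runs the comparison over access-log lines in common log format. The log lines, IP addresses and byte counts are constructed for this example; the `/console/css/` prefix and the encoded path come from the advisory. Because it canonicalizes rather than pattern-matching, it also catches deeper encodings (such as `%25252E`) that a fixed string list would miss.

```python
import posixpath
import re
from urllib.parse import unquote

PUBLIC_PREFIX = "/console/css/"   # static assets the console serves without a login

def canonicalize(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (so %252E and %25252E both
    end up as '.'), then collapse '.' and '..' segments. The round limit keeps a
    pathological input from looping forever."""
    prev = None
    for _ in range(max_rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return posixpath.normpath(path)

def naive_is_public(raw_path: str) -> bool:
    """The flawed decision the advisory describes: test the raw, undecoded path."""
    return raw_path.startswith(PUBLIC_PREFIX)

def hardened_is_public(raw_path: str) -> bool:
    """The defensive decision: test the canonical path the servlet will actually resolve."""
    return canonicalize(raw_path).startswith(PUBLIC_PREFIX)

# Constructed common-log-format lines in the shape of a WebLogic access.log.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2020:10:15:01 +0000] "GET /console/css/login.css HTTP/1.1" 200 1432',
    '203.0.113.9 - - [22/Oct/2020:10:15:07 +0000] "GET /console/css/%252E%252E%252Fconsole.portal HTTP/1.1" 200 8843',
    '203.0.113.9 - - [22/Oct/2020:10:15:09 +0000] "GET /console/css/%25252E%25252E%25252Fconsole.portal HTTP/1.1" 200 8843',
    '198.51.100.2 - - [22/Oct/2020:10:16:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4410',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_bypass_attempts(log_lines):
    """Return (raw_path, canonical_path, status) for requests whose raw path passes
    the naive public-asset check but whose canonical path escapes /console/css/."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]   # ignore the query string
        if naive_is_public(raw) and not hardened_is_public(raw):
            hits.append((raw, canonicalize(raw), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for raw, canon, status in find_bypass_attempts(SAMPLE_LOG):
        print(f"{status} {raw} -> {canon}")
```

A flagged request that returned 200 means the server handed back something for a traversed path and warrants investigation of that host; a patched server should not serve console.portal through the css/ prefix.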

Key Details

Property             | Value
CVE ID               | CVE-2020-14882
Vendor / Product     | Oracle — WebLogic Server
NVD Published        | 2020-10-21
NVD Last Modified    | 2025-10-27
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2020-10-20 | Oracle October 2020 CPU released, patching CVE-2020-14882 (console auth bypass) and CVE-2020-14883 (console code execution)
2020-10-22 | Public PoC exploits published; mass exploitation of internet-accessible WebLogic consoles begins within 48 hours of the October CPU
2020-11-01 | Researchers demonstrate the October 2020 CPU patch for CVE-2020-14882 is bypassable; Oracle prepares emergency patch
2020-11-02 | Oracle releases emergency out-of-band Security Alert for CVE-2020-14750, addressing the bypass of the CVE-2020-14882 fix
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline

References

Resource                                 | Type
Oracle October 2020 CPU — CVE-2020-14882 | Vendor Advisory
NVD — CVE-2020-14882                     | Vulnerability Database
CISA KEV Catalog Entry                   | US Government