Warning: Critical Oracle WebLogic flaw actively targeted in attacks, CVE-2020-14750 CVSS 9.8 RCE

Published: 10/11/2020

Reference:
Advisory #2020-034

Version:
1.0

Affected software:
Oracle Weblogic Server 10.3.6
Oracle Weblogic Server 12.1.3
Oracle Weblogic Server 12.2.1.3
Oracle Weblogic Server 12.2.1.4
Oracle Weblogic Server 14.1.1.0

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2020-14750 - 9.8 CVSS V3(CRITICAL)

Sources

https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
http://www.oracle.com/index.html

Risks

Successful exploitation of this flaw could allow an unauthenticated attacker to execute arbitrary code resulting in a complete compromise of the vulnerable system

Description

The remote code execution (RCE) vulnerability in Oracle WebLogic Server assigned CVE-2020-14750 allows a remote attacker to execute arbitrary code on the target system. According to the vendor, this vulnerability is related to CVE-2020-14882, which was patched in October 2020 and allows a remote attacker to fully compromise an Oracle WebLogic Server without a username and password via a single HTTP GET request. The vulnerability exists due to improper input validation: a remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Recommended Actions

CERT.be recommends that system administrators install the latest updates released by the vendor for the affected versions: https://www.oracle.com/security-alerts/cpuoct2020.html
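To help prioritise the patching step above across a fleet, the following is an added triage helper (it is not part of the CERT.be advisory or of Oracle's tooling). It assumes each host reports the first line printed by `java weblogic.version` (the banner format and the hostnames are constructed assumptions) and flags any host whose release family appears in the advisory's affected list.

```python
"""Fleet triage helper for CERT.be advisory #2020-034 (CVE-2020-14750).

Added example, not part of the advisory. It assumes each host reports the
banner line printed by ``java weblogic.version`` (the sample banners below
are constructed and the exact format is an assumption) and flags release
families listed as affected in the advisory.
"""
from __future__ import annotations

import re

# Affected release families exactly as listed in the advisory.
AFFECTED_RELEASES = ("10.3.6", "12.1.3", "12.2.1.3", "12.2.1.4", "14.1.1.0")

_VERSION_RE = re.compile(r"WebLogic Server (\d+(?:\.\d+)+)")


def parse_version(banner: str) -> tuple[int, ...] | None:
    """Extract the dotted version from a weblogic.version banner line."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: tuple[int, ...]) -> bool:
    """True if the version falls within an affected release family.

    Families are compared component-wise as prefixes, so 12.2.1.4.0
    matches the advisory's 12.2.1.4 while 14.1.2.0.0 does not match 14.1.1.0.
    """
    for family in AFFECTED_RELEASES:
        parts = tuple(int(p) for p in family.split("."))
        if version[: len(parts)] == parts:
            return True
    return False


def triage(banners: dict[str, str]) -> dict[str, str]:
    """Classify hosts as 'patch-required', 'not-listed' or 'unknown'."""
    result: dict[str, str] = {}
    for host, banner in banners.items():
        version = parse_version(banner)
        if version is None:
            result[host] = "unknown"          # banner could not be parsed
        elif is_affected(version):
            result[host] = "patch-required"   # release family is in the advisory
        else:
            result[host] = "not-listed"       # release family not in the advisory
    return result


# Constructed sample banners (hostnames, dates and build numbers are invented).
SAMPLE_BANNERS = {
    "app01.example.internal": "WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621",
    "app02.example.internal": "WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050",
    "app03.example.internal": "WebLogic Server 14.1.2.0.0 Mon Jan 01 00:00:00 GMT 2024 0000000",
    "app04.example.internal": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

A "patch-required" result means the host runs a release family the advisory lists, not that the fix is absent: Oracle's patches are applied on top of a release and do not change the `weblogic.version` banner, so confirm the patch state from the patch inventory (for example `opatch lsinventory`) before closing the item.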

References

https://www.oracle.com/security-alerts/cpuoct2020.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750