000039437 - Security vulnerabilities CVE-2020-14882, CVE-2020-14883 and CVE-2020-14750, others in WebLogic an internal component in WebTier

Document created by RSA Customer Support Employee on Nov 6, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039437
Applies ToRSA Authentication Manager 8.4 and 8.5
RSA Authentication Manager 8.4 and 8.5 WebTier
CVE IDCVE-2020-14882, CVE-2020-14883
Article SummaryOracle announced its quarterly October 2020 CPU, then announced an additional hot fix on Nov. 1, 2020.
This is the Engineering Response/impact statements for; 
  1. Oracle WebLogic Critical Patch Update, CPU Advisory - October 2020, including security vulnerabilities CVE-2020-14882 and CVE-2020-14883, along with several others listed here
  2. Nov 1, 2020, Oracle WebLogic Advisory RE: out-of-band fix for another security vulnerability, CVE-2020-14750, listed here

CVE-2020-14882 and CVE-2020-14883 from October CPU and CVE-2020-14750 from Nov. 1 Hot fix do not impact and cannot be exploited on either Authentication Manager or Web Tier. These are Web Logic Console vulnerabilities.  AM and Web Tier do not deploy the Web Logic Console, nor will the Web Logic Console ports respond to any exploits against the console port.

RSA will provide both Authentication Manager and Web Tier hot fixes that will include both the Oracle October CPU and Oracle Nov. 1 hotf ix. These hot fixes will be ver. and, which will address the other vulnerabilities/CVEs listed in the October CPU. These hot fixes will eventually be included in patch 2 for AM 8.5.
Link to Advisories

Oracle Critical Patch Update Advisory - October 2020

CVE-2020-14882Oracle WebLogic ServerConsoleHTTPYes9.8NetworkLowNoneNoneUn-

CVE-2020-14883Oracle WebLogic ServerConsoleHTTPNo7.2NetworkLowHighNoneUn-

Late on Sunday, Nov 1, 2020, Oracle also announced an out-of-band fix for another security vulnerability, CVE-2020-14750 
Alert ImpactNot Exploitable
Alert Impact ExplanationThree vulnerabilities;  "CVE-2020-14882" and "CVE-2020-14883" from Oracle CPU for October 2020 and CVE-2020-14750 from the Oracle Stand-alone hot fix from Nov. 1, 2020 are not exploitable and of no security concern for RSA Authentication Manager. All Three of these vulnerabilities are found in the WebLogic admin console, see above Link to Advisories. RSA Authentication Manager does not implement or deploy the Weblogic console in either the Authentication Manager or Web Tier.

The WebLogic admin console is not deployed. None of the WL-Admin-Console URLs will respond to either of the published attacks.  Therefore the impact statement, “the flaw exists but cannot be exploited" is assigned to all three of this Authentication Manager and Web Tier.

Additionally, the Authentication Manager appliance implements an  "iptables" network firewall that blocks access to the WL-Admin-Console port.  
Web Tiers are not appliances but are software that runs on either Linux or Windows. The Authentication Manager Planning Guide makes reference to protecting your Web Ter to allow only access to Web Tier ports, thereby blocking access to the Web Logic Console port through an implicit deny all.

ResolutionAn updated WebLogic will be released in RSA AM 8.5 Patch 1 Hot fix 1.
NotesRSA Authentication Manager 8.5 patch 1 hot fix 1 will have an updated WebLogic with all fixes for vulnerabilities listed in Oracle Critical Patch Update Advisory October 2020.



Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.