Security vulnerabilities CVE-2020-14882, CVE-2020-14883, CVE-2020-14750 and others in Oracle WebLogic, an internal component of the RSA Authentication Manager Web Tier
Originally Published: 2020-11-03
Applies To
RSA Authentication Manager 8.4 and 8.5 WebTier
Article Summary
This is the Engineering Response/impact statement for:
- the Oracle WebLogic Critical Patch Update (CPU) Advisory for October 2020, which covers CVE-2020-14882 and CVE-2020-14883 along with several other vulnerabilities: https://www.oracle.com/security-alerts/cpuoct2020.html
- the November 1, 2020 Oracle WebLogic advisory on an out-of-band fix for a further vulnerability, CVE-2020-14750: https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
CVE-2020-14882 and CVE-2020-14883 from the October CPU and CVE-2020-14750 from the November 1 hot fix do not impact, and cannot be exploited on, either Authentication Manager or the Web Tier. All three are WebLogic Console vulnerabilities. Neither Authentication Manager nor the Web Tier deploys the WebLogic Console, and the WebLogic Console port does not respond to exploit attempts against the console.
RSA will provide hot fixes for both Authentication Manager and the Web Tier that include both the Oracle October 2020 CPU and the Oracle November 1 hot fix. These hot fixes, versions 8.5.0.1.1 and 8.4.0.14.1, address the other vulnerabilities/CVEs listed in the October CPU. They will eventually be included in patch 2 for AM 8.5.
Link to Advisories
Oracle Critical Patch Update Advisory - October 2020
https://www.oracle.com/security-alerts/cpuoct2020.html
Entries for the two console CVEs from the Oracle risk matrix in that advisory:

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14882 | Oracle WebLogic Server | Console | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-14883 | Oracle WebLogic Server | Console | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
Late on Sunday, November 1, 2020, Oracle also announced an out-of-band fix for another security vulnerability, CVE-2020-14750:
https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
Alert Impact
Not Exploitable
Alert Impact Explanation
The WebLogic admin console is not deployed, so none of the WebLogic Admin Console URLs respond to either of the published attacks. The impact statement "the flaw exists but cannot be exploited" is therefore assigned to all three CVEs for both Authentication Manager and the Web Tier.
Additionally, the Authentication Manager appliance implements an "iptables" network firewall that blocks access to the WL-Admin-Console port.
Web Tiers are not appliances; they are software that runs on either Linux or Windows. The Authentication Manager Planning Guide recommends protecting the Web Tier host so that only the Web Tier ports are reachable, which blocks access to the WebLogic Console port through an implicit deny-all.
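As an added example (not RSA's code and not taken from the Planning Guide), the following POSIX shell script shows what the "implicit deny-all" on a Linux Web Tier host looks like as an iptables ruleset, and a probe that confirms the WebLogic console login URL does not answer on a given host and port. The port numbers (443 for the Web Tier listener, 22 for SSH), the management network 10.0.0.0/24 and the console path are assumptions for illustration; substitute the values from your own deployment. The rules are printed rather than applied so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not part of the RSA article. Assumed values (not from the
# article): WEBTIER_PORT is the Web Tier listener, ADMIN_CIDR is the network
# allowed to reach SSH. The WebLogic admin/console port is deliberately NOT
# listed, so the default DROP policy is what blocks it (implicit deny-all).
WEBTIER_PORT="${WEBTIER_PORT:-443}"
ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.0/24}"

# Emit the ruleset one command per line instead of applying it, so it can be
# reviewed or diffed first; apply with:  webtier_rules | sudo sh
webtier_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ${WEBTIER_PORT} -j ACCEPT
iptables -A INPUT -p tcp -s ${ADMIN_CIDR} --dport 22 -j ACCEPT
EOF
}

# Number of rules emitted; useful as a sanity check before applying.
rule_count() {
  webtier_rules | wc -l | tr -d ' '
}

# Interpret the HTTP status curl reports for the console login URL.
# 000 = no connection (port filtered or closed), 403 = blocked by a proxy,
# 404 = console application not deployed: all three mean the published
# console attacks have nothing to talk to. Anything else means the console
# answered and the host needs investigation.
classify_console_status() {
  case "$1" in
    000|403|404) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe the standard WebLogic console login URL on HOST:PORT. The path is the
# console's usual login form; -k is used because Web Tier certificates are
# typically private-CA or self-signed.
console_probe() {
  host="$1"; port="$2"
  code=$(curl -k -s -o /dev/null --max-time 5 -w '%{http_code}' \
    "https://${host}:${port}/console/login/LoginForm.jsp" || true)
  if classify_console_status "${code:-000}"; then
    echo "console not reachable on ${host}:${port} (HTTP ${code:-000})"
    return 0
  fi
  echo "console ANSWERED on ${host}:${port} (HTTP ${code}); investigate"
  return 1
}

# Usage: sh webtier-check.sh <host> <port>   (probe)
#        sh webtier-check.sh                  (print the ruleset)
if [ "$#" -ge 2 ]; then
  console_probe "$1" "$2"
else
  webtier_rules
fi
```

Run the probe against both the Web Tier listener port and whatever port WebLogic's administration listener would use on that host; a 000, 403 or 404 on every one of them is the result the impact statement above relies on. Re-run it after every patch or re-install, since a redeployed console or a flushed firewall would silently reopen the attack surface.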