CVE-2024-20927: 
Oracle WebLogic Server vulnerability analysis and mitigation

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) affects versions 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (Oracle CPU Jan 2024).

The vulnerability has been assigned a CVSS 3.1 Base Score of 8.6 HIGH with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N. The scoring indicates that the vulnerability is network-accessible (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires no user interaction (UI:N), has changed scope (S:C), and can impact integrity (I:H) while having no impact on confidentiality or availability (Oracle CPU Jan 2024).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. The scope change indicator suggests that the vulnerability may affect components beyond the vulnerable component (Oracle CPU Jan 2024).

Oracle has released patches for the affected versions (12.2.1.4.0 and 14.1.1.0.0) as part of the January 2024 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle CPU Jan 2024).

The vulnerability was discovered and reported by the Professional Service Department of Mitsui Bussan Secure Directions (Oracle CPU Jan 2024).