Publication Date: 3 November 2020
Update Date: 5 November 2020
Philips is currently monitoring developments and updates related to the Oracle WebLogic Server Advisory (CVE-2020-14750). The advisory highlighted a critical remote code execution (RCE) vulnerability impacting multiple Oracle WebLogic Server versions and is related to CVE-2020-14882.
As reported by Oracle, an unauthenticated attacker can exploit this flaw remotely over HTTP against the server's console component, without user interaction and with low attack complexity, to potentially take over the targeted server. Oracle WebLogic Server versions affected by CVE-2020-14750 are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
As part of product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Oracle WebLogic Server for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for updates related to these vulnerabilities and evaluating further possible actions as needed.
Oracle released a Critical Patch Update in October 2020 for CVE-2020-14882. Oracle addressed the more recent vulnerability, CVE-2020-14750, by releasing an emergency patch on November 1, 2020. Philips is currently evaluating the Oracle patch and the vendor-recommended mitigation options. According to Oracle, the vulnerability is remotely exploitable over a network without authentication, i.e., without a username and password.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products, which are to be deployed and operated within Philips-approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all configuration or software changes to Philips products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified and validated, authorized, and communicated customer procedures or field actions.
If a product requires operating system security updates, configuration changes, or other actions to be taken by our customers or by Philips Customer Services, Philips product teams will produce product-specific service documentation and make it available through Philips service delivery platforms such as the Philips InCenter Customer Portal. As Philips product teams update this advisory, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and to consult the product-specific information posted there. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support, as appropriate, for up-to-date information specific to their Philips products.
Begin Update A: 5 November 2020
Philips is providing the list below to better assist our customers in identifying Philips products vulnerable to CVE-2020-14750. However, the list is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.