2 Replies Latest reply on Jul 9, 2019 3:11 PM by Alan Tunn

    OEM13c and CVE-2019-2725 / CVE-2019-2729

    Alan Tunn

      As I understand it, OEM 13c (I'm on 13.3) uses WebLogic Server, which is vulnerable to the above CVEs.
      WebLogic releases quarterly PSUs and has released overlay patches on top of these for the above vulnerabilities.
      However, we do not normally patch the WebLogic component of OEM stand-alone and, instead, should apply OEM System Patches.
      Have OEM Support released any notes, patches, advisories, or other recommendations on how to proceed that I've missed?
      Should we patch WLS as if it was stand-alone or are we to expect an advisory and patch from OEM Support?

        • 1. Re: OEM13c and CVE-2019-2725 / CVE-2019-2729
          Stephen Windsor



          It depends on how exposed your OEM is to the outside world. My OEM 13cR2 is set up in the internal database subnet, not accessible from the outside world. The restricted subnet I work from is close to the database subnet. There is no outside access; there is no staff access. In my case, I do not see it necessary to apply this one-off patch to my WebLogic. I can wait until this patch is folded into the next WebLogic PSU.


          *Alternatively*, your Unix admin can block certain file patterns (file patterns were used as a 'backdoor' for maintenance on WebLogic servers; whoops!) at the webserver level - look at the details of the CVE.


          There *are* PSUs released for WebLogic. I applied the January 2019 PSU (OMS 13cR2 WebLogic Patch Set Update (PSU) for Bug 28710923).


          $MIDDLEWARE_HOME/OPatch/opatch lspatches

          28710923;WLS PATCH SET UPDATE          *** this one
          28717501;EMBP Patch Set Update
          28373690;EM DB Plugin Bundle Patch
          28227336;EM FMW Plugin Bundle Patch
          28227329;EM CFW Plugin Bundle Patch
          28069967;EM Exadata Plugin Bundle Patch
          27463295;EM SI Plugin Bundle Patch
          20741228;JDBC BP1

          OPatch succeeded.



          • 2. Re: OEM13c and CVE-2019-2725 / CVE-2019-2729
            Alan Tunn

            Just to close the loop on this in case anyone else asks the same question...
            I opened an SR with OEM Support and they confirmed that we could patch our OEM system for WebLogic in the same manner as if the WLS was stand-alone.
            So... the approach taken on our OMSs was:


            Requirement was to apply WLS APR19 PSU (29204657), then the combined CVE overlay patch (29792736).

              Applied the APR19 PSU (29204657)... Failed. Conflict with older overlay (25832897).
              Research finds note saying this can happen and to just roll back the overlay, apply the PSU, then download and apply the higher version of the overlay.
              Rolled back conflicting overlay (25832897).

              Applied APR19 PSU (29204657)... Failed. OPatch issue.
              Research finds note that the version of OPatch delivered with OEM has 'issues' with upgrading WLS PSUs. Workaround is to roll back the failed PSU application, roll back all other WLS PSUs, then re-apply latest WLS PSU.

              Rolled back failed APR19 PSU (29204657).
              Rolled back earlier APR18 PSU (27419391).

              Applied APR19 PSU (29204657).

              Re-applied higher version of conflicting overlay patch (25832897).

              Applied combined overlay patch for WLS CVEs (29792736).

            Simples... hope this helps.
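An added example, not posted by either participant, for verifying after a patching run like the one above that an OMS WebLogic home actually carries the APR19 PSU (29204657) and the combined CVE overlay (29792736). It parses the `opatch lspatches` output format shown in reply 1 (`id;description` lines); the sample inventory embedded below is constructed from that reply and intentionally predates both patches, so the check reports them as missing.

```shell
# Patch ids named in the thread: WLS APR19 PSU and the CVE-2019-2725/2729 overlay.
required_patches_2019="29204657 29792736"

# list_missing <lspatches-output-file> <patch-id ...>
# Prints "MISSING: <id>" for each required id absent from the inventory.
# Returns 0 when every id is present, 1 otherwise (usable as a compliance gate).
list_missing() {
    inventory="$1"; shift
    missing=0
    for id in "$@"; do
        # opatch lspatches prints one patch per line as "<id>;<description>";
        # allow leading whitespace in case the output was captured from a pasted log.
        if ! grep -qE "^[[:space:]]*${id};" "$inventory"; then
            echo "MISSING: $id"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample inventory (subset of reply 1): Jan 2019 PSU only, no CVE overlay.
sample_inventory=$(mktemp)
cat > "$sample_inventory" <<'EOF'
28710923;WLS PATCH SET UPDATE
28717501;EMBP Patch Set Update
28373690;EM DB Plugin Bundle Patch
20741228;JDBC BP1
EOF

# Against a live OMS host you would capture the real inventory instead, e.g.:
#   "$MIDDLEWARE_HOME"/OPatch/opatch lspatches > /tmp/lspatches.txt
#   list_missing /tmp/lspatches.txt $required_patches_2019
list_missing "$sample_inventory" $required_patches_2019 \
    || echo "WebLogic home is not at the CVE-2019-2725/2729 overlay level"
```

The same function can be run from a cron or monitoring job across several OMS hosts; a non-zero exit is the signal that the overlay is not in the inventory.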