Impact of below CVEs on WebLogic that is shutdown
Hi
First time dealing with WebLogic 10.3.6 (part of Oracle EPM/Hyperion deployment but with limited license) so please excuse if I ask silly questions.
Our IT pointed out two vulnerabilities (listed as part of Russian State-Sponsored Cyber Threats) when scanning a Linux server using a third-party tool, Rapid7, and suggested that we patch WebLogic to the latest patch to remediate these 2 vulnerabilities.
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2020-14882 Oracle WebLogic
I wouldn't mind patching but the problem is if we patch WebLogic 10.3.6 to latest version, we need to install Java 7, which then requires reconfiguring our whole Hyperion software as it is using Java 6.
We never patched WebLogic in the past as our Hyperion env is not internet facing and WebLogic is always in shutdown mode (launching the WebLogic URL won't bring up the console unless we start it on the server). All of the Hyperion software was patched very recently.
My question is: do we really need to patch if the issue is just the above listed vulnerabilities, as our WebLogic is always shut down and not even internet facing?