0 Replies Latest reply on Jun 20, 2019 1:43 PM by 915737

    CVE-2019-2729 - mitigation approach

    915737

      Hi Experts,

       

      As per the recent vulnerability CVE-2019-2729, the mitigation approach according to "KnownSec 404" is that the war files below need to be deleted (https://www.helpnetsecurity.com/2019/06/19/cve-2019-2729/).

       

      ========Below lines copied from above link===============

      Before Oracle released the patch, KnownSec 404 advised users to mitigate the risk by:

      • Finding and deleting wls9_async_response.war, wls-wsat.war and restarting the Weblogic service, or by
      • Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.

       

      ========Below lines copied from above link===============

       

      But when we search for wls9_async_response.war, we get "bea_wls9_async_response.war".

      So are wls9_async_response.war and bea_wls9_async_response.war the same, or do we only need to delete "wls9_async_response.war" if it exists?

       

      Please advise.

       

      Env details:

      EBS- 12.2.4 With WLS 10.3.6.0 (JAN-2019 PSU) applied.

       

      Thanks,

      915737.
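
Added example, not part of the original post: a read-only inventory script for the first mitigation in the quoted advisory. It lists every WAR file whose name contains one of the two names from the advisory, so prefixed names such as bea_wls9_async_response.war show up for review. Treating a substring match as the same component is an assumption to confirm against Oracle's guidance, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: inventory WAR files whose names contain the component
# names from the quoted advisory. It only lists files; it never deletes.

# Name fragments taken from the advisory text quoted in the post.
WAR_FRAGMENTS="wls9_async_response wls-wsat"

# Print every *.war under $1 whose file name contains one of the fragments,
# including prefixed variants such as bea_wls9_async_response.war.
# Assumption: a substring match marks a candidate for review, nothing more.
find_candidate_wars() {
    local root="$1" frag
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    for frag in $WAR_FRAGMENTS; do
        find "$root" -type f -iname "*${frag}*.war" 2>/dev/null
    done | sort -u
}

# Print "sha256  size  path" for each candidate, so the list can be attached
# to a change record before anything is removed or access is restricted.
report_candidates() {
    local path
    find_candidate_wars "$1" | while IFS= read -r path; do
        printf '%s  %s bytes  %s\n' \
            "$(sha256sum "$path" | cut -d' ' -f1)" \
            "$(wc -c < "$path" | tr -d ' ')" "$path"
    done
}

# Usage: ./find_wars.sh /path/to/middleware/home
if [ "$#" -gt 0 ]; then
    report_candidates "$1"
fi
```

Run it against the middleware home on each application tier node; an empty result means no file name under that directory matched either fragment.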