OEM13c and CVE-2019-2725 / CVE-2019-2729

Alan Tunn

    As I understand it, OEM 13c (I'm on 13.3) uses WebLogic Server (12.1.3.0) which is vulnerable to the above CVEs.
    WebLogic release quarterly PSUs and have released overlay patches on top of these for the above vulnerabilities.
    However, we do not normally patch the WebLogic component of OEM stand-alone and, instead, should apply OEM System Patches.
    Have OEM Support released any notes, patches, advisories, or other recommendations on how to proceed that I've missed?
    Should we patch WLS as if it was stand-alone or are we to expect an advisory and patch from OEM Support?

      • 1. Re: OEM13c and CVE-2019-2725 / CVE-2019-2729
        Stephen Windsor

        Alan,

        It depends on how exposed your OEM is to the outside world. My OEM 13cR2 is set up in the internal database subnet, not accessible from the outside world. The restricted subnet I work from is close to the database subnet. There is no outside access; there is no staff access. In my case, I do not see it necessary to apply this one-off patch to my WebLogic. I can wait until this patch is folded into the next WebLogic PSU.

        *Alternatively*, your Unix admin can block certain file patterns (file patterns were used as a 'backdoor' for maintenance on WebLogic servers; whoops!) at the webserver level - look at the details of the CVE.

        There *are* PSUs released for WebLogic. The January 2019 PSU - OMS 13cR2 Weblogic Patch Set Update (PSU) for Bug: 28710923 - I applied.

        $MIDDLEWARE_HOME/OPatch/opatch lspatches

        28710923;WLS PATCH SET UPDATE 12.1.3.0.190115          *** this one
        24329181;One-off
        28717501;EMBP Patch Set Update 13.2.0.0.181016
        28373690;EM DB Plugin Bundle Patch 13.2.2.0.180831
        28227336;EM FMW Plugin Bundle Patch 13.2.2.0.180731
        28227329;EM CFW Plugin Bundle Patch 13.2.2.0.180731
        28069967;EM Exadata Plugin Bundle Patch 13.2.2.0.180630
        27463295;EM SI Plugin Bundle Patch 13.2.2.0.180228
        24450351;One-off
        23519804;One-off
        22065592;One-off
        20882747;One-off
        20442348;One-off
        20022048;One-off
        19982906;One-off
        19345252;One-off
        18814458;One-off
        23527146;One-off
        20741228;JDBC 12.1.3.1 BP1

        OPatch succeeded.


        -Steve

        • 2. Re: OEM13c and CVE-2019-2725 / CVE-2019-2729
          Alan Tunn

          Just to close the loop on this in case anyone else asks the same question...
          I opened an SR with OEM Support and they confirmed that we could patch our OEM system for WebLogic in the same manner as if the WLS was stand-alone.
          So... the approach taken on our OMSs was:

          Requirement was to apply WLS APR19 PSU (29204657) then the combined CVE overlay patch (29792736).

            Applied the APR19 PSU (29204657)... Failed. Conflict with older overlay (25832897).
            Research finds note saying this can happen and to just roll back the overlay, apply the PSU, then download and apply the higher version of the overlay.
            Rolled back conflicting overlay (25832897).

            Applied APR19 PSU (29204657)... Failed. OPatch issue.
            Research finds note that the version of OPatch delivered with OEM has 'issues' with upgrading WLS PSUs. Workaround is to roll back the failed PSU application, roll back all other WLS PSUs, then re-apply latest WLS PSU.
            Rolled back failed APR19 PSU (29204657).
            Rolled back earlier APR18 PSU (27419391).

            Applied APR19 PSU (29204657).
            Re-applied higher version of conflicting overlay patch (25832897).
            Applied combined overlay patch for WLS CVEs (29792736).

          Simples... hope this helps.
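An added verification script, not from this thread and not Oracle's code, written for the same Unix shell the opatch commands above are run from: it parses `opatch lspatches` output in the `ID;description` form shown in Steve's listing and reports whether the APR19 PSU (29204657) and the combined CVE overlay (29792736) that Alan's SR called for are both present. The listing embedded below is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an `opatch lspatches` listing
# for the patches the SR required: APR19 WLS PSU 29204657 and CVE overlay
# 29792736. SAMPLE_LSPATCHES is constructed sample input, not a real system:
# it deliberately still carries the old JAN19 PSU and the old overlay.
SAMPLE_LSPATCHES='28710923;WLS PATCH SET UPDATE 12.1.3.0.190115
24329181;One-off
28717501;EMBP Patch Set Update 13.2.0.0.181016
25832897;One-off
OPatch succeeded.'

# has_patch LISTING PATCH_ID -> exit 0 if a line starts with "PATCH_ID;"
has_patch() {
    printf '%s\n' "$1" | grep -q "^$2;"
}

# missing_patches LISTING ID... -> prints the ids not in the listing
missing_patches() {
    listing=$1; shift
    missing=""
    for id in "$@"; do
        has_patch "$listing" "$id" || missing="$missing $id"
    done
    printf '%s' "${missing# }"
}

# wls_psu_version LISTING -> version of the installed WLS PSU line, or empty
wls_psu_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[0-9]*;WLS PATCH SET UPDATE \([0-9.]*\).*$/\1/p' | head -n 1
}

# check_wls_cve_patches LISTING -> 0 when PSU and overlay are both applied.
# On a live OMS, feed it real output instead of the constructed sample:
#   check_wls_cve_patches "$("$MIDDLEWARE_HOME/OPatch/opatch" lspatches)"
check_wls_cve_patches() {
    psu=$(wls_psu_version "$1")
    echo "WLS PSU present: ${psu:-none}"
    m=$(missing_patches "$1" 29204657 29792736)
    if [ -n "$m" ]; then
        echo "Missing required patches: $m"
        return 1
    fi
    echo "APR19 PSU and combined CVE overlay are both applied"
    return 0
}
```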