2 Replies Latest reply on Jul 9, 2019 3:11 PM by Alan Tunn

    OEM13c and CVE-2019-2725 / CVE-2019-2729

    Alan Tunn

      As I understand it, OEM 13c (I'm on 13.3) uses WebLogic Server (12.1.3.0) which is vulnerable to the above CVEs.
      WebLogic releases quarterly PSUs and has released overlay patches on top of these for the above vulnerabilities.
      However, we do not normally patch the WebLogic component of OEM stand-alone and, instead, should apply OEM System Patches.
      Have OEM Support released any notes, patches, advisories, or other recommendations on how to proceed that I've missed?
      Should we patch WLS as if it was stand-alone or are we to expect an advisory and patch from OEM Support?

        • 1. Re: OEM13c and CVE-2019-2725 / CVE-2019-2729
          Stephen Windsor

          Alan,

           

          It depends on how exposed your OEM is to the outside world. My OEM 13cR2 is set up in the internal database subnet, not accessible from the outside world. The restricted subnet I work from is close to the database subnet. There is no outside access; there is no staff access. In my case, I do not see it necessary to apply this one-off patch to my WebLogic. I can wait until this patch is folded into the next WebLogic PSU.

          *Alternatively* your Unix admin can block certain file patterns (file patterns were used as a 'backdoor' for maintenance on WebLogic servers; whoops!) at the webserver level - look at the details of the CVE.

          There *are* PSUs released for WebLogic. I applied the January 2019 PSU (OMS 13cR2 WebLogic Patch Set Update (PSU) for Bug 28710923):

           

          $MIDDLEWARE_HOME/OPatch/opatch lspatches

          28710923;WLS PATCH SET UPDATE 12.1.3.0.190115          *** this one
          24329181;One-off
          28717501;EMBP Patch Set Update 13.2.0.0.181016
          28373690;EM DB Plugin Bundle Patch 13.2.2.0.180831
          28227336;EM FMW Plugin Bundle Patch 13.2.2.0.180731
          28227329;EM CFW Plugin Bundle Patch 13.2.2.0.180731
          28069967;EM Exadata Plugin Bundle Patch 13.2.2.0.180630
          27463295;EM SI Plugin Bundle Patch 13.2.2.0.180228
          24450351;One-off
          23519804;One-off
          22065592;One-off
          20882747;One-off
          20442348;One-off
          20022048;One-off
          19982906;One-off
          19345252;One-off
          18814458;One-off
          23527146;One-off
          20741228;JDBC 12.1.3.1 BP1

          OPatch succeeded.


          -Steve

          • 2. Re: OEM13c and CVE-2019-2725 / CVE-2019-2729
            Alan Tunn

            Just to close the loop on this in case anyone else asks the same question.....
            I opened an SR with OEM Support and they confirmed that we could patch our OEM system for WebLogic in the same manner as if the WLS was stand alone.
            So... the approach taken on our OMSs was:

             

            Requirement was to apply WLS APR19 PSU (29204657) then the combined CVE overlay patch (29792736).

             

              1. Applied the APR19 PSU (29204657): failed, conflict with the older overlay (25832897).
                 Research finds a note saying this can happen and to just roll back the overlay, apply the PSU, then download and apply the higher version of the overlay.
              2. Rolled back the conflicting overlay (25832897).
              3. Applied the APR19 PSU (29204657): failed, OPatch issue.
                 Research finds a note that the version of OPatch delivered with OEM has 'issues' with upgrading WLS PSUs. Workaround is to roll back the failed PSU application, roll back all other WLS PSUs, then re-apply the latest WLS PSU.
              4. Rolled back the failed APR19 PSU (29204657).
              5. Rolled back the earlier APR18 PSU (27419391).
              6. Applied the APR19 PSU (29204657).
              7. Re-applied the higher version of the conflicting overlay patch (25832897).
              8. Applied the combined overlay patch for the WLS CVEs (29792736).

             

            Simples…hope this helps.
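Both replies come down to reading `opatch lspatches` output and deciding what is still missing: Stephen's post shows the raw `ID;Description` listing, and Alan's SR outcome names the target state for CVE-2019-2725 / CVE-2019-2729 (WLS APR19 PSU 29204657 plus the combined overlay 29792736, with the older overlay 25832897 rolled back before the PSU goes on). The POSIX shell check below is an added example, not code from the thread or from Oracle: it parses listing text in the form shown above and reports whether an OMS WebLogic home is at that level, or which step of Alan's sequence comes next. The patch IDs and the January 2019 PSU line are from the thread; the function names, the other sample lines (marked constructed) and the description text used for the APR19 PSU line are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oracle. Checks "opatch lspatches"
# output from an OMS WebLogic home against the patch level Alan's SR confirmed.
# Patch IDs are from the thread; function names and sample data are assumptions.

REQUIRED_PSU=29204657       # WLS APR19 PSU
REQUIRED_OVERLAY=29792736   # combined overlay for CVE-2019-2725 / CVE-2019-2729
OLD_OVERLAY=25832897        # older overlay that conflicted with the APR19 PSU

# has_patch LIST ID: succeeds if LIST (one "ID;Description" per line) contains ID
has_patch() {
    printf '%s\n' "$1" | grep -q "^$2;"
}

# wls_psu_level LIST: prints the YYMMDD suffix of the installed WLS 12.1.3.0 PSU line, if any
wls_psu_level() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]*;WLS PATCH SET UPDATE 12\.1\.3\.0\.\([0-9]\{6\}\).*/\1/p'
}

# check_wls_patches LIST: returns 0 when the required PSU and overlay are both present;
# otherwise prints the next action from the thread's sequence to stderr and returns 1
check_wls_patches() {
    list=$1
    level=$(wls_psu_level "$list")
    if ! has_patch "$list" "$REQUIRED_PSU"; then
        if has_patch "$list" "$OLD_OVERLAY"; then
            echo "PSU $REQUIRED_PSU not installed: roll back overlay $OLD_OVERLAY first, then apply the PSU" >&2
        else
            echo "PSU $REQUIRED_PSU not installed (current WLS PSU level: ${level:-none})" >&2
        fi
        return 1
    fi
    if ! has_patch "$list" "$REQUIRED_OVERLAY"; then
        echo "CVE overlay $REQUIRED_OVERLAY not installed on top of PSU $REQUIRED_PSU" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings. SAMPLE_BEFORE copies the first lines of Stephen's output;
# SAMPLE_CONFLICT models Alan's starting point (old overlay still present);
# SAMPLE_AFTER models the end state. The APR19 PSU description text is made up here.
SAMPLE_BEFORE='28710923;WLS PATCH SET UPDATE 12.1.3.0.190115
24329181;One-off
28717501;EMBP Patch Set Update 13.2.0.0.181016'

SAMPLE_CONFLICT='28710923;WLS PATCH SET UPDATE 12.1.3.0.190115
25832897;One-off
24329181;One-off'

SAMPLE_AFTER='29204657;WLS PATCH SET UPDATE 12.1.3.0.190416
25832897;One-off
29792736;One-off
24329181;One-off'

for name in SAMPLE_BEFORE SAMPLE_CONFLICT SAMPLE_AFTER; do
    eval "sample=\$$name"
    if check_wls_patches "$sample"; then
        echo "$name: OK"
    else
        echo "$name: action needed"
    fi
done
```

Against a real home, feed it the live listing: `check_wls_patches "$($MIDDLEWARE_HOME/OPatch/opatch lspatches)"`. The check only matches on patch IDs, so a renamed or superseded overlay that still fixes the same CVEs would be reported as missing; update the ID constants when Oracle ships a newer combined patch.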