Patch Your OEM and WebLogic Servers Before Hackers Turn Them Into Cryptocurrency Mining Machines

What is it?

In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server that is easy to exploit: an unauthenticated attacker with network access via HTTP can compromise the Oracle WebLogic Server.

Evidence has emerged on the internet that the vulnerability is already being actively exploited to install cryptocurrency miners.

Am I affected?

The WLS versions confirmed to be affected by this vulnerability are 10.3.6.0.0 and 12.1.3.0.0.

If you are using any of these WLS releases, you need to patch your system as soon as possible.

Moreover, WebLogic Server is now an integrated component of Oracle Enterprise Manager. If you are using any of the OEM versions below, you need to patch your system as soon as possible.

  • EM 12.1.0.3, 12.1.0.4 and 12.1.0.5 use WebLogic Server 10.3.6.0.
  • EM 13.x uses WebLogic Server 12.1.3.0.0.

What should I do?

If you are using any of the versions mentioned above, you need to start a patching plan immediately. While at it, it may be a good time to patch your OEM systems and agents as well.

Downtime for the system and/or OEM is required during patching.

What patches should I apply?

If you are using standalone WLS 10.3.6, you need to apply one of the following patch combinations:

  • Jan PSU 10.3.6.0.190115 Patch 28710912 + Overlay Patch 29694149 on 10.3.6.0.190115, or
  • Apr PSU 10.3.6.0.190416 Patch 29204678 + Overlay Patch 29694149 on 10.3.6.0.190416

If you are using standalone WLS 12.1.3.0, you need to apply one of the following patch combinations:

  • Jan 2019 PSU 12.1.3.0.190115 Patch 28710923 + Overlay Patch 29694149 on 12.1.3.0.190115, or
  • Apr 2019 PSU 12.1.3.0.190416 Patch 29204657 + Overlay Patch 29694149 on 12.1.3.0.190416

Please note that the patches available for 10.3.6.0 and 12.1.3.0 are overlay patches, meaning each one is built for a specific PSU release (January 2019 or April 2019). Ensure that the required PSU/CPU is applied before applying the one-off patch.

If you are using Oracle Enterprise Manager with its integrated WebLogic Server, you need to apply the following patches according to your OEM version:

  • April or Jan 2019 PSU for Oracle Enterprise Manager
  • April or Jan 2019 PSU for Oracle Enterprise Manager Agents
  • April or Jan 2019 PSU for Oracle WebLogic Server
  • Vulnerability CVE-2019-2725 patch for Oracle WebLogic Server

If you are using a WebLogic Server integrated with other products, please consult Oracle for further actions.

How to proceed?

Below is a high-level plan for the patching operations. Normally you can just follow the README file that comes with each patch. However, a few notes might help you patch faster and more smoothly:

  • Upgrade OPatch and OMSPatcher to the latest version accepted by OEM and WLS patching
    OEM and WLS patching require specific minimum versions of OPatch and OMSPatcher. For example, OEM 13.2 with WLS 12.1.3 requires OPatch 13.9.0.0.0 or later and OMSPatcher 13.8.0.0.3.
  • Apply the latest PSU to OEM
    OPatchauto requires the WLS URL and port number, plus the admin username and password, when performing patching operations. You can generate a property file containing the encrypted username/password and the other information that is passed to OPatchauto for non-interactive patching.
    Also, don’t forget to run the analysis step before patching.
  • Resolve conflicting patches for the WLS PSU
    If you are patching a WLS that is part of an OEM deployment, it is highly likely that you will hit a few patch conflicts. Make sure to resolve these conflicts before patching.
  • Apply the latest PSU to WLS
  • Apply the CVE-2019-2725 patch to WLS
  • Apply the latest PSU to the OEM agents

Review the patching log carefully, especially if you patch several agents at a time. Sometimes the patching fails when run from OEM; in that case you will have to patch the agent manually.
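As an added example that is not part of the original post: a POSIX shell script that first checks an `opatch lsinventory` listing for the PSU + overlay combination listed above for WLS 12.1.3.0, and then runs the patch order from the list in this section. The patch IDs are the ones from this post; the home directories, the staging directory names, the property-file path and the sample inventory text are placeholders I made up. The opatch/omspatcher subcommands follow Oracle's documented command names as I recall them (version, lsinventory, prereq CheckConflictAgainstOHWithDetail, saveConfigurationSnapshot, apply -analyze), so check them against the README shipped with each patch before use. WLS 10.3.6.0 homes are patched with Smart Update (bsu) rather than OPatch, as far as I know, so the inventory check below deliberately covers only 12.1.3.0.

```shell
#!/bin/sh
# Added example, not the post's own script. Verifies the CVE-2019-2725 fix
# combination from the post against `opatch lsinventory` output, and sketches
# the patch order as a shell function. Paths are placeholders.

OVERLAY=29694149                   # one-off overlay patch named in the post
PSU_1213="28710923 29204657"       # Jan 2019 / Apr 2019 PSU for WLS 12.1.3.0

# Constructed sample listings in the shape `opatch lsinventory` prints for
# one-off patches ("Patch  <id>     : applied on ..."). Not real output.
SAMPLE_INVENTORY_PATCHED='Interim patches (2) :

Patch  29694149     : applied on Wed May 01 10:00:00 UTC 2019
Patch  29204657     : applied on Tue Apr 30 09:00:00 UTC 2019'

SAMPLE_INVENTORY_NO_OVERLAY='Interim patches (1) :

Patch  29204657     : applied on Tue Apr 30 09:00:00 UTC 2019'

SAMPLE_INVENTORY_OVERLAY_ONLY='Interim patches (1) :

Patch  29694149     : applied on Wed May 01 10:00:00 UTC 2019'

# has_patch <patch_id> <inventory_text>  -> 0 if the patch line is present
has_patch() {
    printf '%s\n' "$2" | grep -Eq "^Patch[[:space:]]+$1[[:space:]]*:"
}

# cve_2019_2725_fixed <wls_version> <inventory_text>
# 0 when the overlay sits on top of one of the two 2019 PSUs it was built for;
# 1 for a missing overlay, a missing PSU, or a version this check does not cover.
cve_2019_2725_fixed() {
    ver=$1; inv=$2
    case "$ver" in
        12.1.3.0*) psus=$PSU_1213 ;;
        10.3.6.0*) echo "$ver: patched via Smart Update (bsu), not OPatch; use the bsu listing" >&2; return 1 ;;
        *)         echo "$ver: not a version covered by this check" >&2; return 1 ;;
    esac
    has_patch "$OVERLAY" "$inv" || { echo "overlay $OVERLAY missing" >&2; return 1; }
    for p in $psus; do
        has_patch "$p" "$inv" && return 0
    done
    echo "overlay $OVERLAY present but none of the 2019 PSUs ($psus) it requires" >&2
    return 1
}

# run_patch_plan <oms_home> <wls_home> <patch_stage_dir> <wls_version>
# The order from the post: tool versions, OEM PSU (analyze first), WLS conflict
# check, WLS PSU, CVE overlay, then verify. Agent PSUs are pushed from the OEM
# console, so they are not scripted here. Placeholder paths throughout.
run_patch_plan() {
    oms_home=$1; wls_home=$2; stage=$3; wls_ver=$4
    props=/tmp/omspatcher.properties          # placeholder property-file path

    # 1. Confirm OPatch / OMSPatcher meet the minimum versions the README states.
    "$wls_home/OPatch/opatch" version
    "$oms_home/OMSPatcher/omspatcher" version

    # 2. OEM PSU: property file with encrypted WebLogic credentials, analyze, apply.
    "$oms_home/OMSPatcher/omspatcher" saveConfigurationSnapshot -property_file "$props"
    "$oms_home/OMSPatcher/omspatcher" apply "$stage/oms_psu" -analyze -property_file "$props" -silent
    "$oms_home/OMSPatcher/omspatcher" apply "$stage/oms_psu" -property_file "$props" -silent

    # 3. WLS: surface conflicts before the PSU, then the PSU, then the overlay.
    "$wls_home/OPatch/opatch" prereq CheckConflictAgainstOHWithDetail -ph "$stage/wls_psu"
    "$wls_home/OPatch/opatch" apply "$stage/wls_psu"
    "$wls_home/OPatch/opatch" apply "$stage/$OVERLAY"

    # 4. Verify with the same check used on the sample listings above.
    cve_2019_2725_fixed "$wls_ver" "$("$wls_home/OPatch/opatch" lsinventory)"
}

# Stand-alone run: report on the constructed sample only; no real home is touched.
# An operator would call e.g.: run_patch_plan /u01/oms /u01/wls /stage/patches 12.1.3.0.0
if cve_2019_2725_fixed "12.1.3.0.0" "$SAMPLE_INVENTORY_PATCHED"; then
    echo "sample inventory: CVE-2019-2725 fix combination present"
fi
```

The check insists on both halves of the combination because the overlay alone is not a fix: it is built against a specific PSU, which is the point of the "apply the PSU first" note above.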
