How do I update Oracle WebLogic on RSA Appliance?
We are currently using RSA Authentication Manager 8.4 Patch 6. Our Computer Security Team recently scanned the Appliance and found a vulnerability relating to Oracle WebLogic Server that comes installed with the virtual appliance provided by RSA. Can we upgrade/install the Oracle WebLogic Server Application on the Appliance without updating the RSA Patch version, or does the RSA Patch include or come integrated with the Oracle WebLogic Server Application?
I've never installed software outside of the RSA Virtual Appliance Patches and was wondering if there is a matrix somewhere that can tell us what RSA Update contains which version of Oracle WebLogic. We don't currently have a completed Development Environment setup to test this so I'm a little nervous about implementing.
The Primary and Replicas are 'appliances', which means it is not supported to apply your own fixes to the underlying components of SUSE Linux, Oracle WebLogic, postgres DB, etc.
As soon as Oracle announces their quarterly Critical Patch Update (CPU), RSA Engineering begins the process of incorporating those fixes into a patch or Service Pack for AM, and if needed for the Web Tiers.
AM 8.4 Patch 14 and AM 8.5 Patch 1 include Oracle CPU from July 2020.
Oracle recently announced its quarterly October 2020 CPU (Oracle Critical Patch Update Advisory - October 2020), then announced an additional hot fix on Nov. 1, 2020 (Oracle Security Alert - CVE-2020-14750).
These Oracle updates/hot fixes will soon be included in RSA hot fixes for AM and Web Tier.
I can say right now there is an official Engineering Response/impact statement for CVE-2020-14882 and CVE-2020-14883 from the October CPU and CVE-2020-14750 from the Nov. 1 hot fix: they do not impact and cannot be exploited on either Authentication Manager or Web Tier. These are WebLogic Console vulnerabilities. AM and Web Tier do not deploy the WebLogic Console, nor will the WebLogic Console ports respond to any exploits against the console port.
If you have specific questions about specific CVEs in your scan, I would probably open a support case to discuss privately as opposed to posting them here on RSA Link.
Any other specific vulnerabilities or CVEs from the Oracle October 2020 CPU will be addressed in an RSA hot fix. This RSA hot fix will also include the fixes for CVE-2020-14882, CVE-2020-14883 and CVE-2020-14750 even though they cannot be exploited.
Response: The flaw exists but cannot be exploited