This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
David
Frequent Contributor
Frequent Contributor
‎2020-11-05 03:57 AM

Does RSA AM 8.5 addresses Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2020)

Hi Folks !

While trying to get the RSA AM 8.5 OVA deployed, I'm facing an issue with a vulnerability scan.

 

Below is what was found :

Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2020)

CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645,
CVE-2020-14687, CVE-2017-5645, CVE-2020-14588, CVE-2020-14639, CVE-2020-5398,
CVE-2020-14589, CVE-2020-2967, CVE-2020-14557, CVE-2020-14652, CVE-2020-14572,
CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14640, CVE-2020-2966,
CVE-2020-14622

 

CPUJUL2020 - WebLogic Vulnerabilities.png

 

After reading many articles here, I was NOT able to conclude that the version is protected against this vulnerability (https://community.rsa.com/docs/DOC-114385 ).

Moreover, the OVA won't be deployed unless a clear answer is provided to the Security Team.

 

Could someone give a hand for this ?

Thanks !

 

David

Labels (1)
Labels
0 Likes
Reply
2 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2020-11-05 01:06 PM

AM 8.4 patch 14 includes the Oracle CPUJUL2020, but AM 8.5 base was 'code freezed' (code-frozen?) before CPUJUL2020 could be included, and AM 8.5 P1, expected Nov. 16th, will include CPUJUL2020.

 

Just recently, Oracle released CPUOCT2020, and then on Nov. 1 released a Hot Fix for CPUOCT2020 to address CVE-2020-14750.

RSA Engineering has provided a response for CVE-2020-14882, CVE-2020-14883 (from October CPU) and CVE-2020-14750 (from Nov. 1 Hot fix), that there is no impact from these and None of the 3 CVEs can be exploited on either Authentication Manager or Web Tier (they affect WebLogic console - which Authentication Manager does not deploy).

 

Both the CPUOCT2020 and the Nov. 1 Hot Fix will be included in an RSA Hot Fix, for AM 8.4 p14 and AM 8.5 P1 (when it is released). Both will eventually be included in AM 8.5 Patch 2, expected Jan. 2021.

https://community.rsa.com/message/961895?commentID=961895#comment-961895 

Reply
David
Frequent Contributor
Frequent Contributor
In response to JayGuillette
‎2020-11-18 04:16 AM

Hi Jay,

 

Sorry for my late feedback

Thanks very much for your detailed answer !     

 

Kind Regards,

David

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.