David
Frequent Contributor

Does RSA AM 8.5 address Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2020)?

Hi Folks!

While trying to get the RSA AM 8.5 OVA deployed, I'm facing an issue with a vulnerability scan.

 

Below is what was found:

Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2020)

CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645,
CVE-2020-14687, CVE-2017-5645, CVE-2020-14588, CVE-2020-14639, CVE-2020-5398,
CVE-2020-14589, CVE-2020-2967, CVE-2020-14557, CVE-2020-14652, CVE-2020-14572,
CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14640, CVE-2020-2966,
CVE-2020-14622

 


 

After reading many articles here, I was NOT able to conclude that the version is protected against this vulnerability (https://community.rsa.com/docs/DOC-114385).

Moreover, the OVA won't be deployed unless a clear answer is provided to the Security Team.

 

Could someone give a hand with this?

Thanks!

 

David

JayGuillette
Apprised Contributor

AM 8.4 patch 14 includes the Oracle CPUJUL2020, but AM 8.5 base was 'code freezed' (code-frozen?) before CPUJUL2020 could be included, and AM 8.5 P1, expected Nov. 16th, will include CPUJUL2020.

 

Just recently, Oracle released CPUOCT2020, and then on Nov. 1 released a Hot Fix for CPUOCT2020 to address CVE-2020-14750.

RSA Engineering has provided a response for CVE-2020-14882, CVE-2020-14883 (from October CPU) and CVE-2020-14750 (from Nov. 1 Hot Fix), that there is no impact from these and none of the 3 CVEs can be exploited on either Authentication Manager or Web Tier (they affect the WebLogic console, which Authentication Manager does not deploy).

 

Both the CPUOCT2020 and the Nov. 1 Hot Fix will be included in an RSA Hot Fix, for AM 8.4 p14 and AM 8.5 P1 (when it is released). Both will eventually be included in AM 8.5 Patch 2, expected Jan. 2021.

https://community.rsa.com/message/961895?commentID=961895#comment-961895 

David
Frequent Contributor

Hi Jay,

 

Sorry for my late feedback.

Thanks very much for your detailed answer!

 

Kind Regards,

David
