SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
New Contributor
New Contributor

How do I update Oracle WebLogic on RSA Appliance?

We are currently using RSA Authentication Manager 8.4 Patch 6.   Our Computer Security Team recently scanned the Appliance and found a vulnerability relating to Oracle WebLogic Server  that comes installed with the virtual appliance provided by RSA.  Can we upgrade/install the Oracle WebLogic Server Application on the Appliance without updating the RSA Patch version or does the RSA Patch include or come integrated with the Oracle WebLogic Server Application.


I've never installed software outside of the  RSA Virtual Appliance Patches and was wondering if there is a matrix somewhere that can tell us what RSA Update contains which version of Oracle WebLogic.  We don't currently have a completed Development Environment setup to test this so I'm a little nervous about implementing.




Kevin C.

Labels (1)
1 Reply
Apprised Contributor Apprised Contributor
Apprised Contributor

The Primary and Replicas are 'appliances' which means it is not supported to apply your own fixes to the underlying components of Suse Linux, Oracle Web Logic, postgres DB, etc...

As soon as Oracle announces their quarterly Critical Patch Update, CPU, RSA Engineering begins the process of incorporating those fixes into a patch or Service pack for AM, and if needed for the Web Tiers.

AM 8.4 Patch 14 and AM 8.5 patch1 include Oracle CPU from July 2020.


Oracle recently announced its quarterly October 2020 CPU, - Oracle Critical Patch Update Advisory - October 2020 

then announced an additional hot fix on Nov. 1, 2020. - Oracle Security Alert - CVE-2020-14750 

These Oracle updates/hot fixes will soon be included in RSA hot fixes for AM and Web Tier.
I can say right now there is an official Engineering Response/impact statement for; CVE-2020-14882 and CVE-2020-14883 from October CPU and CVE-2020-14750 from Nov. 1 Hot fix - They do not impact and cannot be exploited on either Authentication Manager or Web Tier.  These are Web Logic Console vulnerabilities.  AM and Web Tier do not deploy the Web Logic Console, nor will the Web Logic Console ports respond to any exploits against the console port.

If you have specific questions about specific CVEs in your scan, I would probably open a support case to discuss privately as opposed to posting them here on RSA Link.


Any other specific vulnerabilities or CVEs from the Oracle October 2020 CPU will be addressed in an RSA Hot fix.  This RSA hot fix will also include the fixes for CVE-2020-14882 and CVE-2020-14883, and CVE-2020-14750 even though they cannot be exploited.

Response: Ther flaw exists but cannot be exploited