SecurID® Discussions
EduardoCuthbert
Beginner

Recent Weblogic vulnerability CVE-2019-2725


Hello community

Is the web tier, which contains a WebLogic, vulnerable to CVE-2019-2725 (active exploit)? As far as I could see, the vulnerable versions are:

Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0

See the document by the vendor: Oracle Security Alert CVE-2019-2725

If we are running those versions, are we affected, or is RSA providing another mechanism to protect against this attack?

Do we need to patch?

Best regards,

Edu


6 Replies
GordonMathias
Beginner

I had the same question a while ago.

 

To answer your question: yes. If you are running a version of Authentication Manager with Web Tiers that have either 10.3.6.0 or 12.1.3.0 of Oracle WebLogic Server, you are affected.

 

According to the response I received from RSA, they are releasing a patch for this in the future.

 

In the meantime, you can just update AM to a version that does not have the affected versions of WebLogic. For example, AM 8.4 has WebLogic 12.2.1.3.0.

JayGuillette
Apprised Contributor

Specifically for CVE-2019-2725, the answer might also be "maybe" if you are at AM 8.3 or less, because the vulnerability is not exploitable even though it exists.

And the answer is no if you are at AM 8.4, because at that version the vulnerability does not exist.

 

Explanation of why CVE-2019-2725 and CVE-2019-2658 exist but are not exploitable at Authentication Manager 8.3 and earlier
An RSA Authentication Manager 8.3 server or Web Tier runs WebLogic 12.1.3.0.0, which is potentially vulnerable to CVE-2019-2725. This issue does not exist in Authentication Manager 8.4; therefore, the fix is to upgrade. If you cannot immediately upgrade, your first option would be to request an exemption based on the following Engineering Response.

This vulnerability is documented as requiring two components, one referred to as “WLS9-ASYNC” and another called “WLS-WSAT”. Although the WLS9-ASYNC component was deployed, the WLS-WSAT was not deployed. The WLS9-ASYNC service is not utilized in the system and can be safely removed from the RSA Authentication Manager configuration. A server scan will report the CVE-2019-2725 vulnerability if the server responds on the _async URL with an HTTP 202 (Accepted) status. With the v. 12.1.3.0.0 WAR files deployed, the Authentication Manager server or Web Tier accepts the connection and payload, but no actual execution is detected. "RSA has been unable to verify that RSA Authentication Manager 8.3 and earlier are vulnerable to CVE-2019-2725."

If you accept this as the RSA Engineering response, you might ask for an exemption from the Security Policy. If not, your second option is to remove the files associated with this vulnerability. A server that has had the WAR files removed will respond to an _async request with a 404 (Not Found) instead of an HTTP 202 (Accepted). But I can't tell you the "how to" here; you'll have to open a support case. Tell the TSE to CSsearch for a KB with CVE-2019-2725 in it.

 

There are also options (because there are other CVEs) that include updating to AM 8.4 P4 to get the absolute latest patches for Oracle WebLogic (April 2019 CPU), and another option to apply the Oracle CPU to AM 8.3 P6, then apply an Oracle hot fix instead of the RSA work-around of deleting the affected files.
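The answer above gives a concrete verification rule: a scanner reports CVE-2019-2725 when the _async URL answers with HTTP 202, and a server whose WAR files were removed answers 404 instead. The script below is an added example (not from the RSA post or from RSA) that a defender can run against their own Web Tier to confirm which state it is in. It sends a plain GET with no request body. The exact path `/_async/AsyncResponseService` is an assumption taken from the public Oracle alert; the thread itself only says "the _async URL".

```python
"""Verify whether a WebLogic-based host (e.g. an AM Web Tier) still exposes the
_async endpoint that vulnerability scanners use to flag CVE-2019-2725.

Added example, not RSA's code. Interpretation rule comes from the forum answer:
  HTTP 202 on the _async URL -> WLS9-ASYNC WAR still deployed, scanners will flag it
  HTTP 404                   -> WAR files removed (RSA work-around applied)
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional

# Assumed path (from the public Oracle alert, not stated in the RSA thread).
ASYNC_PATH = "/_async/AsyncResponseService"


def interpret_status(status: Optional[int]) -> str:
    """Map the HTTP status of a body-less GET on the _async path to a verdict."""
    if status is None:
        return "unreachable: no HTTP response (TLS or network error)"
    if status == 202:
        return "wls9-async deployed: scanners will flag CVE-2019-2725"
    if status == 404:
        return "wls9-async removed: endpoint not found"
    if 200 <= status < 300:
        # Any other 2xx still means the servlet answered, so treat as deployed.
        return f"wls9-async deployed: endpoint answered HTTP {status}"
    return f"inconclusive: unexpected HTTP {status}"


def fetch_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """Return the HTTP status for a GET on url, or None if no response came back.

    urllib raises HTTPError for 4xx/5xx; we want the code, not an exception.
    URLError (refused connection, TLS verification failure) yields None.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None


def check_host(base_url: str,
               fetch: Callable[[str], Optional[int]] = fetch_status) -> dict:
    """Probe one host and return url, raw status and the verdict.

    `fetch` is injectable so the decision logic can be exercised offline.
    """
    url = base_url.rstrip("/") + ASYNC_PATH
    status = fetch(url)
    return {"url": url, "status": status, "verdict": interpret_status(status)}


if __name__ == "__main__":
    # Usage: python check_async.py https://webtier.example.com
    for host in sys.argv[1:]:
        result = check_host(host)
        print(f"{result['url']}: HTTP {result['status']} -> {result['verdict']}")
```

A Web Tier with a self-signed certificate will fail TLS verification and be reported as "unreachable" rather than silently passing; that is deliberate, since a check that cannot reach the real endpoint should not claim the work-around is in place. Re-run after removing the WAR files or applying the Oracle patches and confirm the verdict changes from "deployed" to "removed" (or, after patching, that the scanner no longer reports the CVE even if the endpoint still answers).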

JohnYogore
Beginner

I find that there is a bit of ambiguity in that response. I understand the indisputable fix is to upgrade to AM 8.4 and Web Tier; however, can you clarify by answering these questions:

Question 1: Is there risk of CVE-2019-2725 if NO action is taken?
Question 2: If Question 1 is NO, what needs to be done to mitigate the risk of CVE-2019-2725 besides upgrading to AM 8.4?


Q1 - No, as the vulnerability is not exploitable because the 2nd component, WLS-WSAT was not deployed. RSA response is no risk, not exploitable.
Q2 - Because the 1st component, WLS9-ASYNC, is deployed, scanners are likely to flag CVE-2019-2725. RSA response still stands, but since some customers will want further assurance, there are two options to further mitigate CVE-2019-2725: one from Oracle, which involves applying both the April CPU and the CVE-2019-2725 hot fix, or the RSA option, which is to delete two .war files in our WebLogic implementation.


Hi Jay,

 

If we want to remove the two .war files in the WebLogic implementation, can you provide the following, please:

  • The two war file names
  • The path to the war files
  • Any service/server restarts that are required to assure this remediation is made

 

Thank You!

JayGuillette
Apprised Contributor

There is new information concerning CVE-2019-2725, as well as a new vulnerability, CVE-2019-2729, that makes the RSA work-around of deleting the .war files obsolete. If you are running AM 8.4, apply patch 5.

If you are running anything less than AM 8.4 and do not want to update to AM 8.4 right away, RSA Support will provide you with two Oracle patches, the CPU from April and a specific hotfix that requires the April CPU, that you can apply as an Oracle patch, not as an AM update or patch through the Operations Console. Please call Support to open a case, and refer the TSE to Knowledge Base, KB 37666.
