Hi
is AM 8.4.4 and lower, which are running Weblogic server 12.2.1.3.0, susceptible to this vulnerability?
Oracle Security Alert CVE-2019-2729
and if yes, when will there be a patch released?
Kind Regards,
Wolfgang
Hi
is AM 8.4.4 and lower, which are running Weblogic server 12.2.1.3.0, susceptible to this vulnerability?
Oracle Security Alert CVE-2019-2729
and if yes, when will there be a patch released?
Kind Regards,
Wolfgang
It's fixed in upcoming 8.4.0.5.0 (8.4 patch 5).
Current estimated schedule for 8.4.0.5.0 is last week of July but this is not guaranteed.
If you desire, there is a potential untested workaround, and before trying this in production,
perform on a test machine, or a replica you don't worry if you make a mistake.
Temporary Solution
NOTICE: If anyone does use these solutions for CVE-2019-2729 it should be noted that it is at your own risk - the "solution" may cause problems and there is no guarantee that it prevents the vulnerability. Please be aware that Oracle does not endorse any of these "solutions" (and so neither does RSA). There is no accepted proof that these will fully mitigate CVE-2019-2729. The supported fix will be in the release of 8.4.0.5.0
thank you for the quick reply, much appreciated
FYI by 'restart weblogic service', just restart all services
cd /opt/rsa/am/server
./rsaserv restart all
Tried Scenario 1. It does not work. The vulnerability still shows up.
Just to clarify, you only need to delete the *wls9_async_response.war, *wls9_async* files right? And not the com.oracle.webservices.wls.wsat-endpoints-impl_12.1.3.war file?
Thanks,
Gordon
It's a wildcard search for anything *wls* and *wsat* which would include
com.oracle.webservices.wls.wsat-endpoints-impl_12.1.3.war
See
https://community.rsa.com/message/937248?commentID=937248&et=watches.email.thread#comment937248
Thanks, Jay.
I've deleted everything *wls* and *wsat* in the provided context and restarted the services but the vulnerability still shows up.
Thanks,
Gordon
It's fixed in upcoming 8.4.0.5.0 (8.4 patch 5).
Current estimated schedule for 8.4.0.5.0 is last week of July but this is not guaranteed.
If you desire, there is a potential untested workaround, and before trying this in production,
perform on a test machine, or a replica you don't worry if you make a mistake.
Temporary Solution
and restarted all AM service. There were no apparent issues (but extensive testing has not been performed).
NOTICE: If anyone does use these solutions for CVE-2019-2729 it should be noted that it is at your own risk - the "solution" may cause problems and there is no guarantee that it prevents the vulnerability. Please be aware that Oracle does not endorse any of these "solutions" (and so neither does RSA). There is no accepted proof that these will fully mitigate CVE-2019-2729. The supported fix will be in the release of 8.4.0.5.0