AnsweredAssumed Answered

Does 8.4 Patch 12 addresses CVE-2020-2883?

Question asked by Gabriela Ramirez on May 5, 2020
Latest reply on Jul 6, 2020 by Jay Guillette

Like • Show 0 Likes0
Comment • 7

Does 8.4 Patch 12 addresses CVE-2020-2883? Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0

On the Read me for both Authentication Manager and Webtier it states:

AM-37489. Updated the version of Oracle WebLogic used by the RSA Authentication Manager.

AM-37489 – Updated the version of Oracle WebLogic used by the web tier server.

To what version was Oracle WebLogic updated to in Patch 12?

Bharath Madhiraju

May 8, 2020 12:45 PM

Correct Answer

RSA Authentication Manager 8.4 patch 13 is scheduled to be released shortly. Follow the RSA SecurID Access Product Advisories space for a notification when it is released.

See the reply in context

1 person had this question

Outcomes

7 Replies

Don Rand May 7, 2020 5:57 PM
Mark Correct
Correct Answer
We are still on 8.4 Patch 11 but I opened a ticket with RSA technical support today to find out the same thing. He said that CVE-2020-2883 will be in 8.4 Patch 13 slated for a July 1 release. See response below:

Command to verify the weblogic version on AM Server;

/opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose.

Sample;

login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@app82p:~> /opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose
WebLogic Server 12.1.3.0.0 Wed May 21 18:53:34 PDT 2014 1604337 ImplVersion: 12.1.3.0.0
Oracle WebLogic Server Module Dependencies 12.1 Tue Mar 11 15:35:15 MDT 2014 ImplVersion: 12.1.3.0
Oracle Universal Connection Pool ImplVersion: 12.1.0.2.0
Oracle Security Developer Tools Security Engine ImplVersion: 3.1.0
Oracle Security Developer Tools Crypto ImplVersion: 3.1.0
WebLogic EclipseLink Integration 3.1 Mon Sep 9 22:09:00 UTC 2013 ImplVersion: 3.1.0.0

Also, I have reviewed the vulnerability's status and confirmed that it is mitigated in 8.4 Patch 13 which is tentatively dated to release on July 1st 2020.
Like • Show 0 Likes0
Actions
- Bharath Madhiraju @ Don Rand on May 8, 2020 12:45 PM
  Unmark Correct
  Correct Answer
  RSA Authentication Manager 8.4 patch 13 is scheduled to be released shortly. Follow the RSA SecurID Access Product Advisories space for a notification when it is released.
  Like • Show 0 Likes0
  Actions
- Sabitha Baskar @ Don Rand on Jun 3, 2020 9:11 AM
  Mark Correct
  Correct Answer
  We have applied Patch 13 in our QA environment. Is there is steps how to verify the oracle weblogic vulnerability is fixed in our environment.
  Like • Show 0 Likes0
  Actions
  - Jay Guillette @ Sabitha Baskar on Jun 3, 2020 5:59 PM
    Mark Correct
    Correct Answer
    SSH to Linux with rsaadmin credentials
    
    cd /opt/rsa/am/appserver/wls/OPatch ./opatch lsinventory
    Like • Show 0 Likes0
    Actions
    - Jay Guillette @ Jay Guillette on Jun 4, 2020 1:12 PM
      Mark Correct
      Correct Answer
      The April CPU is for Web Logic version 12.2.1.3.0, so updating from AM 8.4 to AM 8.4 P13 does not change the Web Logic version in the first 4-5 digits, it changes the patch ID or build number after the 12.2.1.3.0.
      
      When you run ./opatch lsinventory
      scroll down to the patch description to see something like
      12.2.1.3.0 (ID:200406) for April 6^th 2020
      followed by created Date which should be at or close to April 2020.
      
      These numbers and IDs will be higher that what you had before.
      Like • Show 0 Likes0
      Actions
      - Jay Guillette @ Jay Guillette on Jul 6, 2020 2:18 PM
        Mark Correct
        Correct Answer
        Don't focus on the Oracle Web Logic version alone, e.g. 12.2.1.3.0.
        The Govt. DHS web site says unpatched versions of WL 12.2.1.3.0 are vulnerable, it does not say all versions of WL 12.2.1.3.0 are vulnerable.
        https://www.us-cert.gov/ncas/current-activity/2020/05/01/unpatched-oracle-weblogic-servers-vulnerable-cve-2020-2883
        Patched versions of WL 12.2.1.3.0 are not vulnerable. CVE-2020-2883 is addressed with Recommended Patch 13 for AM 8.4 - https://community.rsa.com/docs/DOC-112584
        But if you still want to verify at the OS or Web Logic level, you need to look through the list of patches not just the version.
        On a Web Tier
        cd /opt/RSASecurity/RSAAuthenticationManagerWebtier ls -l * uname -a ps -ef | fgrep -i rsa cd appserver/wls/OPatch ./opatch lsinventory ../../jdk/bin/java -version
        Like • Show 0 Likes0
        Actions
Jay Guillette May 12, 2020 9:58 AM
Mark Correct
Correct Answer
AM 8.4 P13 is tentatively scheduled for General Release June 1, 2020.
If you can't wait until then, you could contact Customer Support.
Like • Show 0 Likes0
Actions

Does 8.4 Patch 12 addresses CVE-2020-2883?

Outcomes

Related Content

Recommended Content