AnsweredAssumed Answered

Does 8.4 Patch 12 addresses CVE-2020-2883?

Question asked by Gabriela Ramirez on May 5, 2020
Latest reply on May 12, 2020 by Jay Guillette

Like • Show 0 Likes0
Comment • 3

Does 8.4 Patch 12 addresses CVE-2020-2883? Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0

On the Read me for both Authentication Manager and Webtier it states:

AM-37489. Updated the version of Oracle WebLogic used by the RSA Authentication Manager.

AM-37489 – Updated the version of Oracle WebLogic used by the web tier server.

To what version was Oracle WebLogic updated to in Patch 12?

Bharath Madhiraju

May 8, 2020 12:45 PM

Correct Answer

RSA Authentication Manager 8.4 patch 13 is scheduled to be released shortly. Follow the RSA SecurID Access Product Advisories space for a notification when it is released.

See the reply in context

1 person had this question

Outcomes

3 Replies

Don Rand May 7, 2020 5:57 PM
Mark Correct
Correct Answer
We are still on 8.4 Patch 11 but I opened a ticket with RSA technical support today to find out the same thing. He said that CVE-2020-2883 will be in 8.4 Patch 13 slated for a July 1 release. See response below:

Command to verify the weblogic version on AM Server;

/opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose.

Sample;

login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@app82p:~> /opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose
WebLogic Server 12.1.3.0.0 Wed May 21 18:53:34 PDT 2014 1604337 ImplVersion: 12.1.3.0.0
Oracle WebLogic Server Module Dependencies 12.1 Tue Mar 11 15:35:15 MDT 2014 ImplVersion: 12.1.3.0
Oracle Universal Connection Pool ImplVersion: 12.1.0.2.0
Oracle Security Developer Tools Security Engine ImplVersion: 3.1.0
Oracle Security Developer Tools Crypto ImplVersion: 3.1.0
WebLogic EclipseLink Integration 3.1 Mon Sep 9 22:09:00 UTC 2013 ImplVersion: 3.1.0.0

Also, I have reviewed the vulnerability's status and confirmed that it is mitigated in 8.4 Patch 13 which is tentatively dated to release on July 1st 2020.
Like • Show 0 Likes0
Actions
- Bharath Madhiraju @ Don Rand on May 8, 2020 12:45 PM
  Unmark Correct
  Correct Answer
  RSA Authentication Manager 8.4 patch 13 is scheduled to be released shortly. Follow the RSA SecurID Access Product Advisories space for a notification when it is released.
  Like • Show 0 Likes0
  Actions
Jay Guillette May 12, 2020 9:58 AM
Mark Correct
Correct Answer
AM 8.4 P13 is tentatively scheduled for General Release June 1, 2020.
If you can't wait until then, you could contact Customer Support.
Like • Show 0 Likes0
Actions

Does 8.4 Patch 12 addresses CVE-2020-2883?

Outcomes

Related Content

Recommended Content