January 16, 2019 | Phil Etherton | Director, Security Services
While many businesses slowed down during the past few weeks, attackers did not take a holiday break. That is one reason our security team continuously monitors SAP and Oracle security issues and tracks newly published Common Vulnerabilities and Exposures (CVE) entries.
Security and vulnerability management comes standard with our third-party software support, and we field customer inquiries throughout the year ranging from general security best practices to specific CVEs. As part of our Seven-Point Security Solution, we proactively send customized updates to customers with specific security concerns. For more widely requested or urgent issues, we also author internal papers on security topics and CVEs for the benefit of all customers.
Here are two of the CVEs related to Oracle WebLogic Servers (WLS) that have been popular topics in conversations with our customers in recent months. We have written white papers on each one. The papers include descriptions of the CVEs, vulnerability details, vulnerability verification steps, and suggested methods of resolution.
CVE-2019-2729: Asynchronous Response Vulnerability
CVE-2019-2729 is a deserialization vulnerability in the Web Services subcomponent of Oracle WebLogic Server that gives an attacker code execution on the WebLogic middleware host. It affects the WebLogic Web Service Asynchronous Response (wls9_async_response) component, which is deployed by default, and it is triggered by a crafted XML request sent over ordinary HTTP, so it is easily exploitable and requires no credentials. Note that CVE-2019-2729 bypasses the fix Oracle issued for the earlier CVE-2019-2725 in the same component, so a server patched only for CVE-2019-2725 is still exposed. This CVE has a CVSS 3.0 base score of 9.8, which rates it as critical.
The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server (affected versions are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0). A successful attack results in takeover of the Oracle WebLogic Server. Resolution is to apply Oracle's Security Alert patch for CVE-2019-2729; where that cannot be done immediately, Oracle's workaround for this family of vulnerabilities is to remove wls9_async_response.war and wls-wsat.war, restart the server, and block access to the /_async/* and /wls-wsat/* paths at the network or web-tier level. Publicly available details: https://nvd.nist.gov/vuln/detail/CVE-2019-2729
CVE-2017-10271: WLS-WSAT Remote Command Execution Bypass Vulnerability
CVE-2017-10271 is another vulnerability in a WLS component that leads to takeover of the middleware host. It affects the WebLogic Web Service Atomic Transactions (WLS-WSAT) component, which parses client-supplied XML with Java's XMLDecoder and therefore lets a request instantiate arbitrary classes and run operating-system commands as the WebLogic user; it is a bypass of the fix Oracle shipped for the earlier CVE-2017-3506 in the same code path. WebLogic Web services enable interoperability with other transaction processing systems, such as WebSphere, JBoss, and Microsoft .NET. WLS-WSAT is packaged with WebLogic as an internal web application (wls-wsat.war) and is frequently present even on servers where no application uses WS-AT, so confirm through the WebLogic Admin Console whether it is deployed and targeted on your servers rather than assuming it is absent.
The WLS versions affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 (version 12.2.1.3 is unaffected). Also easily exploitable, this vulnerability is rated as high severity (CVSS 3.0 base score 7.5). Oracle's advisory describes it as reachable by an unauthenticated attacker with network access via T3, but the public exploits deliver the payload as an HTTP POST to the /wls-wsat/CoordinatorPortType endpoint, so it is HTTP exposure of that path, not only the T3 listener, that needs to be checked and restricted. A successful attack results in takeover of the Oracle WebLogic Server. Resolution is to apply the October 2017 Critical Patch Update (or later) to the affected release; as an interim measure, remove wls-wsat.war, restart the server, and block access to /wls-wsat/* in front of WebLogic. Publicly available details: https://nvd.nist.gov/vuln/detail/CVE-2017-10271
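The two verification questions a practitioner asks first for both CVEs above are "is this base release on the affected list?" and "has anyone already been hitting the vulnerable endpoints?". The script below is an added example written for this post, not part of our white papers or of any Oracle tooling. It takes a WebLogic version banner and the server's HTTP access log in WebLogic's default Common Log Format, flags requests to the /_async/ (wls9_async_response) and /wls-wsat/ (WLS-WSAT) context roots, and narrows them to the CVEs the reported release is listed against. The affected-version lists are those on the NVD pages linked above; the sample log lines are constructed for the example. One caveat the code comments repeat: Oracle patches do not change the five-part version number, so a listed release is "possibly affected" until opatch lsinventory confirms which patches are installed.

```python
"""Triage helpers for CVE-2019-2729 and CVE-2017-10271 on Oracle WebLogic.

Added example (not vendor or Oracle code). Two checks:
  1. is the reported WebLogic base release on the NVD affected list for each CVE?
  2. do HTTP access-log lines show traffic to the vulnerable SOAP endpoints?
"""
import re
from typing import Dict, List, Set

# Affected base releases as listed on the NVD pages for each CVE.
# NOTE: a CPU / Security Alert patch does NOT bump this version string, so
# membership here means "possibly affected"; confirm with opatch lsinventory.
AFFECTED_VERSIONS: Dict[str, Set[str]] = {
    "CVE-2019-2729": {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0"},
    "CVE-2017-10271": {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.1.0", "12.2.1.2.0"},
}

# Context roots through which each CVE is reached over HTTP:
# wls9_async_response is served under /_async/, WLS-WSAT under /wls-wsat/.
VULN_CONTEXT_ROOTS: Dict[str, str] = {
    "CVE-2019-2729": "/_async/",
    "CVE-2017-10271": "/wls-wsat/",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")

# Common Log Format, WebLogic's default HTTP access-log format.
_CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_version(banner: str) -> str:
    """Extract the first dotted version from a banner such as
    'WebLogic Server 12.2.1.3' and pad it to Oracle's five-part form."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    parts = m.group(1).split(".")
    parts += ["0"] * (5 - len(parts))
    return ".".join(parts[:5])


def affected_cves(banner: str) -> List[str]:
    """CVEs (sorted) whose affected-release list contains this base release."""
    version = normalize_version(banner)
    return sorted(cve for cve, releases in AFFECTED_VERSIONS.items() if version in releases)


def flag_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag access-log entries that touch a vulnerable context root.

    Both CVEs are triggered by a crafted XML body, so a POST is what a real
    exploit looks like on the wire and is labelled 'exploit-attempt'; any other
    method on the same path is labelled 'probe' (scanners fingerprint the
    endpoint with a GET before firing a payload)."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = _CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        for cve, root in VULN_CONTEXT_ROOTS.items():
            if path.lower().startswith(root):
                hits.append({
                    "cve": cve,
                    "client": m.group("client"),
                    "when": m.group("when"),
                    "method": m.group("method"),
                    "path": path,
                    "status": m.group("status"),
                    "kind": "exploit-attempt" if m.group("method") == "POST" else "probe",
                })
    return hits


def triage(banner: str, log_lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group flagged requests by CVE, keeping only CVEs whose affected list
    contains this base release. Traffic against an endpoint on an unlisted
    release is dropped; traffic on a listed release still needs the patch
    level verified before it is treated as a confirmed exposure."""
    exposed = set(affected_cves(banner))
    grouped: Dict[str, List[Dict[str, str]]] = {cve: [] for cve in sorted(exposed)}
    for hit in flag_requests(log_lines):
        if hit["cve"] in exposed:
            grouped[hit["cve"]].append(hit)
    return grouped


# Constructed sample access-log lines (not from a real server).
SAMPLE_ACCESS_LOG = [
    '10.1.4.22 - - [16/Jan/2019:09:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3412',
    '198.51.100.7 - - [16/Jan/2019:09:14:55 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 812',
    '198.51.100.7 - - [16/Jan/2019:09:15:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1287',
    '203.0.113.9 - - [16/Jan/2019:09:20:17 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '10.1.4.22 - - [16/Jan/2019:09:21:40 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for cve, hits in triage("WebLogic Server 12.2.1.3.0", SAMPLE_ACCESS_LOG).items():
        print(cve, "possibly affected;", len(hits), "matching request(s)")
        for h in hits:
            print("  ", h["kind"], h["client"], h["method"], h["path"], h["status"])
```

Run it against a real access.log by replacing SAMPLE_ACCESS_LOG with the file's lines and the banner with the "WebLogic Server" line from the server's startup log. A 500 on a POST to /wls-wsat/CoordinatorPortType is worth a closer look: the XMLDecoder payloads for CVE-2017-10271 typically execute before the server returns an error, so the error status is not evidence that the attempt failed.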
Do You Have Concerns about a Specific CVE?
Our security team strives to educate and assist our customers on CVEs like those described here. If you have an interest in WebLogic Server security issues – or any security topic related to a product that we support for you – please reach out to us at any time through your Account Support Lead or via our online contact form.