Patch your OEM and WebLogic Servers before hackers turn them into Cryptocurrency mining machines
What is it?
In April 2019, a security advisory was released for CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server that can be easily exploited, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Servers.
Evidence has since emerged on the internet that the vulnerability is already being actively exploited to install cryptocurrency miners.
Am I affected?
The WLS versions confirmed to be affected by this vulnerability are 10.3.6.0.0 and 12.1.3.0.0.
If you are using any of these WLS releases, you need to patch your system as soon as possible.
Moreover, WebLogic Server is also bundled with Oracle Enterprise Manager (OEM). If you are using any of the EM versions below, you need to patch your system as soon as possible.
126.96.36.199, 188.8.131.52, 184.108.40.206 versions of EM use WebLogic Server 10.3.6.0.
EM 13.x uses WebLogic Server 12.1.3.0.
What should I do?
If you are using any of the versions mentioned above, you need to start planning your patching immediately. While you are at it, it may be a good time to patch your OEM systems and agents as well.
Downtime of the system and/or OEM is required during patching.
What patches should I apply?
If you are using standalone WLS 10.3.6, you need to apply one of the following patches:
- Jan PSU 10.3.6.0.190115 Patch 28710912 + Overlay Patch 29694149 on 10.3.6.0.190115, or
- Apr PSU 10.3.6.0.190416 Patch 29204678 + Overlay Patch 29694149 on 10.3.6.0.190416
If you are using standalone WLS 12.1.3.0, you need to apply one of the following patches:
- Jan 2019 PSU 12.1.3.0.190115 Patch 28710923 + Overlay Patch 29694149 on 12.1.3.0.190115, or
- Apr 2019 PSU 12.1.3.0.190416 Patch 29204657 + Overlay Patch 29694149 on 12.1.3.0.190416
Please note that the patches available for 10.3.6.0 and 12.1.3.0 are overlay patches, meaning they are built for specific PSU releases (January 2019 and April 2019). Ensure that the required PSU/CPU is applied before applying the one-off patch.
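As an added example (not part of the original post), the following Python script parses `opatch lsinventory` output for a WLS Oracle Home and reports whether one of the accepted PSUs and the CVE-2019-2725 overlay patch 29694149 are both present, flagging the overlay-without-PSU and PSU-without-overlay cases the note above warns about. The inventory text is a constructed sample in the shape of OPatch's report, and the `Patch <id> : applied on <date>` line format is an assumption.

```python
import re

# Patch numbers and PSU levels as listed above: overlay patch 29694149 for
# CVE-2019-2725 and the Jan/Apr 2019 PSUs it is built on top of.
OVERLAY_PATCH = "29694149"
ACCEPTED_PSUS = {
    "28710912": "10.3.6.0.190115",
    "29204678": "10.3.6.0.190416",
    "28710923": "12.1.3.0.190115",
    "29204657": "12.1.3.0.190416",
}

# Matches the "Patch  <id>  : applied on <date>" lines of 'opatch lsinventory'
# (assumed format; "Patch description:" lines do not match).
PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on", re.MULTILINE)


def applied_patches(lsinventory_text):
    """Return the set of patch IDs the lsinventory report lists as applied."""
    return set(PATCH_LINE.findall(lsinventory_text))


def assess(lsinventory_text):
    """Return (status, psu_levels) for an Oracle Home's CVE-2019-2725 state.

    status is 'patched', 'overlay-without-psu', 'psu-without-overlay' or
    'unpatched'; psu_levels lists the accepted PSU levels found.
    """
    patches = applied_patches(lsinventory_text)
    psu_levels = sorted(ACCEPTED_PSUS[p] for p in patches if p in ACCEPTED_PSUS)
    has_overlay = OVERLAY_PATCH in patches
    if psu_levels and has_overlay:
        return "patched", psu_levels
    if has_overlay:          # overlay present but not on a PSU it was built for
        return "overlay-without-psu", psu_levels
    if psu_levels:           # a PSU alone does not fix CVE-2019-2725
        return "psu-without-overlay", psu_levels
    return "unpatched", psu_levels


# Constructed sample in the shape of 'opatch lsinventory' output (not a real host).
SAMPLE_LSINVENTORY = """\
Interim patches (2) :

Patch  29694149     : applied on Tue May 07 09:12:31 AEST 2019
Patch description:  "One-off patch for CVE-2019-2725 on 10.3.6.0.190416"
Patch  29204678     : applied on Tue May 07 08:40:02 AEST 2019
Patch description:  "WLS PATCH SET UPDATE 10.3.6.0.190416"
"""

if __name__ == "__main__":
    print(*assess(SAMPLE_LSINVENTORY))   # prints: patched ['10.3.6.0.190416']
```

On a real host, feed it the saved output of `$ORACLE_HOME/OPatch/opatch lsinventory` for each WLS Oracle Home instead of the constructed sample.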
If you are using Oracle Enterprise Manager with integrated WebLogic Server, you need to apply the following patches according to your OEM versions:
- April or Jan 2019 PSU for Oracle Enterprise Manager
- April or Jan 2019 PSU for Oracle Enterprise Manager Agents
- April or Jan 2019 PSU for Oracle WebLogic Server
- Vulnerability CVE-2019-2725 patch for Oracle WebLogic Server
If you are using integrated WebLogic Server with other products, please consult Oracle for further actions.
How to proceed?
Below is a high-level plan for the patching operations. Normally you can just follow the README file that comes with the patches themselves. However, there are some notes that may help make patching faster and smoother:
- Upgrade OPatch and OMSPatcher to the latest version accepted by OEM and WLS patching
OEM and WLS patching require a certain version of OPatch and OMSPatcher. For example, OEM 13.2 and WLS 12.1.3 require OPatch to be at least 18.104.22.168.0 and OMSPatcher 22.214.171.124.3.
- Patching latest PSU to OEM
OPatchauto requires the WLS URL and port number and the admin username and password when performing patching operations. You can generate a property file containing the encrypted username/password and the other required information, and pass it to OPatchauto for non-interactive patching.
Also, don't forget to run the analysis step before patching.
- Resolving conflicted patches for WLS PSU
If you are patching a WLS that is part of an OEM deployment, it is highly likely that you will hit a few patch conflicts. Make sure to resolve these conflicts before patching.
- Patching latest PSU to WLS
- Patching CVE-2019-2725 to WLS
- Patching latest PSU to OEM agents
Review the patching log carefully, especially if you patch several agents at a time. Sometimes the patching may fail when run from OEM; in that case, you will have to patch the agent manually.