Does 8.4 Patch 12 address CVE-2020-2883? Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
On the Readme for both Authentication Manager and Webtier it states:
AM-37489. Updated the version of Oracle WebLogic used by the RSA Authentication Manager.
AM-37489 – Updated the version of Oracle WebLogic used by the web tier server.
To what version was Oracle WebLogic updated in Patch 12?
We are still on 8.4 Patch 11 but I opened a ticket with RSA technical support today to find out the same thing. He said that CVE-2020-2883 will be in 8.4 Patch 13 slated for a July 1 release. See response below:
Command to verify the WebLogic version on the AM server:
/opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@app82p:~> /opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose
WebLogic Server 12.1.3.0.0 Wed May 21 18:53:34 PDT 2014 1604337 ImplVersion: 12.1.3.0.0
Oracle WebLogic Server Module Dependencies 12.1 Tue Mar 11 15:35:15 MDT 2014 ImplVersion: 12.1.3
Oracle Universal Connection Pool ImplVersion: 12.1.3.0.0
Oracle Security Developer Tools Security Engine ImplVersion: 3.1.0
Oracle Security Developer Tools Crypto ImplVersion: 3.1.0
WebLogic EclipseLink Integration 3.1 Mon Sep 9 22:09:00 UTC 2013 ImplVersion: 12.1.3
Also, I have reviewed the vulnerability's status and confirmed that it is mitigated in 8.4 Patch 13 which is tentatively dated to release on July 1st 2020.
We have applied Patch 13 in our QA environment. Are there steps to verify that the Oracle WebLogic vulnerability is fixed in our environment?
The April CPU is for WebLogic version 12.1.3.0.0, so updating from AM 8.4 to AM 8.4 P13 does not change the WebLogic version in the first 4-5 digits; it changes the patch ID or build number after the 12.1.3.0.0.
When you run ./opatch lsinventory,
scroll down to the patch description to see something like
12.1.3.0.0 (ID:200406) for April 6th 2020,
followed by a Created date which should be at or close to April 2020.
These numbers and IDs will be higher than what you had before.
Don't focus on the Oracle WebLogic version alone, e.g. 12.1.3.0.0.
The Govt. DHS web site says unpatched versions of WL 12.1.3.0.0 are vulnerable; it does not say all versions of WL 12.1.3.0.0 are vulnerable.
Patched versions of WL 12.1.3.0.0 are not vulnerable. CVE-2020-2883 is addressed with Recommended Patch 13 for AM 8.4 - https://community.rsa.com/docs/DOC-112584
But if you still want to verify at the OS or WebLogic level, you need to look through the list of patches, not just the version.
On a Web Tier:
cd /opt/RSASecurity/RSAAuthenticationManagerWebtier
ls -l *
uname -a
ps -ef | fgrep -i rsa
cd appserver/wls/OPatch
./opatch lsinventory
../../jdk/bin/java -version
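As an added example (not code from this thread, RSA or Oracle), the following POSIX shell script applies the check described in the reply above to saved `opatch lsinventory` output: instead of reading the 12.1.3.0.0 version string, it pulls every "(ID:yymmdd)" tag out of the patch descriptions and reports whether the highest one is at or after the April 2020 PSU tag (ID:200406) that the reply cites. It assumes the inventory has been redirected to a file (for example `./opatch lsinventory > /tmp/inv.txt` from `/opt/rsa/am/appserver/wls/OPatch`) and that the PSU descriptions carry the ID tag in that form; the two sample inventories it writes are constructed for demonstration, and their patch numbers are placeholders, not real Oracle patch IDs.

```shell
#!/bin/sh
# Added example, not code from this thread, RSA or Oracle: decide from saved
# "opatch lsinventory" output whether the WebLogic PSU carrying the April 2020
# CPU is installed, following the advice above to read the patch list rather
# than the 12.1.3.0.0 version string.
#
# Assumptions (mine, not from the thread): the inventory was saved to a file
# with "./opatch lsinventory > /tmp/inv.txt", and each PSU description carries
# the "(ID:yymmdd)" tag the reply above quotes. The sample inventories below
# are constructed; their patch numbers are placeholders, not real Oracle IDs.

# The reply above cites "(ID:200406)" for the April 6th 2020 PSU; treat any
# lower ID as "April 2020 CPU not applied".
APRIL_2020_PSU_ID=200406

# Print the highest "(ID:yymmdd)" tag in an inventory file; prints nothing
# and returns non-zero when no such tag is present.
highest_psu_id() {
    grep -oE '\(ID:[0-9]{6}\)' "$1" | tr -dc '0-9\n' | sort -n | tail -n 1 | grep .
}

# Return 0 when the inventory shows a PSU at or after the threshold.
# Usage: psu_is_current <inventory-file> [threshold-yymmdd]
psu_is_current() {
    threshold=${2:-$APRIL_2020_PSU_ID}
    id=$(highest_psu_id "$1") || return 1
    [ "$id" -ge "$threshold" ]
}

# Write two constructed inventories into the directory given as $1: one with
# the April 2020 PSU on top of an older one, and one with only the older PSU.
write_samples() {
    cat > "$1/inv_patched.txt" <<'EOF'
Interim patches (2) :

Patch  99990002     : applied on Tue Jun 23 10:12:44 EDT 2020
Unique Patch ID:  99990002
Patch description:  "WLS PATCH SET UPDATE 12.1.3.0.0 (ID:200406)"
   Created on 6 Apr 2020, 02:11:50 hrs PST8PDT

Patch  99990001     : applied on Tue Jun 23 10:10:01 EDT 2020
Unique Patch ID:  99990001
Patch description:  "WLS PATCH SET UPDATE 12.1.3.0.0 (ID:190522)"
   Created on 22 May 2019, 04:40:23 hrs PST8PDT
EOF
    cat > "$1/inv_unpatched.txt" <<'EOF'
Interim patches (1) :

Patch  99990001     : applied on Tue Jun 23 10:10:01 EDT 2020
Unique Patch ID:  99990001
Patch description:  "WLS PATCH SET UPDATE 12.1.3.0.0 (ID:190522)"
   Created on 22 May 2019, 04:40:23 hrs PST8PDT
EOF
}

# Stand-alone use on a server:  sh check_psu.sh /tmp/inv.txt
if [ -n "${1:-}" ]; then
    if psu_is_current "$1"; then
        echo "PSU ID:$(highest_psu_id "$1") found: April 2020 CPU is applied"
    else
        echo "no PSU at or after ID:$APRIL_2020_PSU_ID found in $1" >&2
        exit 1
    fi
fi
```

The "Unique Patch ID" lines are deliberately ignored (the pattern requires the parenthesised "(ID:yymmdd)" form), so the check keys on the PSU description and its date tag, which is the thing the reply says actually moves when Patch 13 is applied; pair it with the `weblogic.version -verbose` and `java -version` commands above if you also want the build string and JDK level on record.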