Does 8.4 Patch 12 address CVE-2020-2883?
CVE-2020-2883: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
The Read Me for both Authentication Manager and the web tier states:
AM-37489. Updated the version of Oracle WebLogic used by the RSA Authentication Manager.
AM-37489 – Updated the version of Oracle WebLogic used by the web tier server.
To what version was Oracle WebLogic updated in Patch 12?
Accepted Solutions
RSA Authentication Manager 8.4 patch 13 is scheduled to be released shortly. Follow the RSA SecurID Access Product Advisories space for a notification when it is released.
We are still on 8.4 Patch 11 but I opened a ticket with RSA technical support today to find out the same thing. He said that CVE-2020-2883 will be in 8.4 Patch 13 slated for a July 1 release. See response below:
Command to verify the WebLogic version on the AM server:
/opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose
Sample:
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@app82p:~> /opt/rsa/am/appserver/jdk/bin/java -cp /opt/rsa/am/appserver/wls/wlserver/server/lib/weblogic.jar weblogic.version -verbose
WebLogic Server 12.1.3.0.0 Wed May 21 18:53:34 PDT 2014 1604337 ImplVersion: 12.1.3.0.0
Oracle WebLogic Server Module Dependencies 12.1 Tue Mar 11 15:35:15 MDT 2014 ImplVersion: 12.1.3.0
Oracle Universal Connection Pool ImplVersion: 12.1.0.2.0
Oracle Security Developer Tools Security Engine ImplVersion: 3.1.0
Oracle Security Developer Tools Crypto ImplVersion: 3.1.0
WebLogic EclipseLink Integration 3.1 Mon Sep 9 22:09:00 UTC 2013 ImplVersion: 3.1.0.0
Also, I have reviewed the vulnerability's status and confirmed that it is mitigated in 8.4 Patch 13 which is tentatively dated to release on July 1st 2020.
AM 8.4 P13 is tentatively scheduled for General Release June 1, 2020.
If you can't wait until then, you could contact Customer Support.
We have applied Patch 13 in our QA environment. Are there steps for how to verify that the Oracle WebLogic vulnerability is fixed in our environment?
SSH to Linux with rsaadmin credentials:
cd /opt/rsa/am/appserver/wls/OPatch
./opatch lsinventory
The April CPU is for Web Logic version 12.2.1.3.0, so updating from AM 8.4 to AM 8.4 P13 does not change the Web Logic version in the first 4-5 digits, it changes the patch ID or build number after the 12.2.1.3.0.
When you run ./opatch lsinventory
scroll down to the patch description to see something like
12.2.1.3.0 (ID:200406) for April 6th 2020
followed by created Date which should be at or close to April 2020.
These numbers and IDs will be higher than what you had before.
Don't focus on the Oracle Web Logic version alone, e.g. 12.2.1.3.0.
The Govt. DHS web site says unpatched versions of WL 12.2.1.3.0 are vulnerable, it does not say all versions of WL 12.2.1.3.0 are vulnerable.
Patched versions of WL 12.2.1.3.0 are not vulnerable. CVE-2020-2883 is addressed with Recommended Patch 13 for AM 8.4 - https://community.rsa.com/docs/DOC-112584
But if you still want to verify at the OS or Web Logic level, you need to look through the list of patches not just the version.
On a web tier:
cd /opt/RSASecurity/RSAAuthenticationManagerWebtier
ls -l *
uname -a
ps -ef | fgrep -i rsa
cd appserver/wls/OPatch
./opatch lsinventory
../../jdk/bin/java -version
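The two replies above describe the same manual check twice: run opatch lsinventory, find the patch description line that carries the WebLogic 12.2.1.3.0 version and its PSU ID (for example ID:200406 for the April 2020 CPU), and confirm the ID and created date are at or after April 2020. The script below is an added example that automates that check; it is not RSA's or Oracle's code and not part of this thread. It assumes the "(ID:YYMMDD)" form shown in the reply above and, when the appliance's opatch binary is not present, runs against a constructed sample inventory whose patch numbers and dates are made up for illustration. It checks the PSU level only; mapping a PSU to a specific CVE still comes from Oracle's Critical Patch Update advisory and RSA's patch Read Me.

```shell
#!/bin/sh
# Added example (not RSA's or Oracle's code): parse "opatch lsinventory" output,
# extract the WebLogic PSU ID that follows the 12.2.1.3.0 version string, and
# check it is at or after the April 2020 CPU (ID 200406 = 2020-04-06).
# The "(ID:YYMMDD)" form is taken from the thread; the sample text is assumed.

# Constructed sample of the lsinventory lines that matter. The patch numbers
# 12345678 / 87654321 and the dates are made up for illustration.
SAMPLE_INVENTORY='Oracle Interim Patch Installer version 13.9.4.2.1
Interim patches (2) :

Patch  12345678     : applied on Thu Jun 04 10:12:33 CEST 2020
   Created on 6 Apr 2020, 11:20:09 hrs PST8PDT
   Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.0 (ID:200406)"

Patch  87654321     : applied on Mon Oct 14 09:01:44 CEST 2019
   Created on 7 Oct 2019, 08:00:00 hrs PST8PDT
   Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.0 (ID:191007)"'

# Constructed sample of "java -cp weblogic.jar weblogic.version -verbose" output
# (build date and number are placeholders).
SAMPLE_VERSION='WebLogic Server 12.2.1.3.0 Mon Jan 01 00:00:00 PDT 2018 0000000 ImplVersion: 12.2.1.3.0
Oracle WebLogic Server Module Dependencies 12.2.1.3.0 ImplVersion: 12.2.1.3.0'

# Base WebLogic version from weblogic.version output on stdin, e.g. 12.2.1.3.0.
# These digits do not change when a PSU is applied; only the PSU ID does.
wls_base_version() {
    sed -n 's/^WebLogic Server \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# Highest PSU ID (YYMMDD) found in lsinventory text on stdin; empty if none.
# The highest ID wins because older PSUs may remain listed in the inventory.
highest_psu_id() {
    grep -o 'ID:[0-9]\{6\}' | sed 's/^ID://' | sort -n | tail -n 1
}

# Render a YYMMDD PSU ID as an ISO date, e.g. 200406 -> 2020-04-06.
psu_id_to_date() {
    printf '20%s-%s-%s\n' "$(printf '%s' "$1" | cut -c1-2)" \
        "$(printf '%s' "$1" | cut -c3-4)" "$(printf '%s' "$1" | cut -c5-6)"
}

# Exit 0 when the inventory text in $1 carries a PSU ID >= $2, else exit 1.
psu_at_least() {
    psu_id=$(printf '%s\n' "$1" | highest_psu_id)
    if [ -n "$psu_id" ] && [ "$psu_id" -ge "$2" ]; then
        return 0
    fi
    return 1
}

# On an AM appliance (logged in as rsaadmin) read the live inventory; otherwise
# fall back to the constructed sample so the script runs offline.
OPATCH=/opt/rsa/am/appserver/wls/OPatch/opatch
if [ -x "$OPATCH" ]; then
    inventory=$("$OPATCH" lsinventory)
else
    inventory=$SAMPLE_INVENTORY
fi

found_id=$(printf '%s\n' "$inventory" | highest_psu_id)
if psu_at_least "$inventory" 200406; then
    echo "WebLogic PSU ID $found_id ($(psu_id_to_date "$found_id")) is at or after the April 2020 CPU"
else
    echo "No WebLogic PSU at or after the April 2020 CPU found (highest ID: ${found_id:-none})"
fi
```

On a web tier, point OPATCH at the OPatch directory under /opt/RSASecurity/RSAAuthenticationManagerWebtier/appserver/wls instead. The minimum ID (200406) is the one this thread names for the April 2020 CPU; for a later CPU, pass the ID of that quarter's PSU.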
