WebLogic vulnerability in Oracle EPM and BI: Security Alert CVE-2015-4852

Oracle customers are beginning to get a rare vulnerability notification outside of the quarterly Critical Patch Update.  The Security Alert covers a Java deserialization vulnerability in Oracle WebLogic Server; the same class of flaw (a deserialization gadget chain in the bundled Apache Commons Collections library) also hits IBM WebSphere and other Java application servers.  Because WebLogic is the container for Fusion Middleware, this affects EPM and BI products as well as many other applications built on it.

The vulnerability allows unauthenticated remote code execution on the WebLogic server: no login ID or password is required.  WebLogic deserializes Java objects it receives over its T3 protocol before it has any idea who sent them, so an attacker who can reach a T3 listener (port 7001 by default) sends a crafted serialized object, and deserializing it makes WebLogic run an arbitrary command as the OS user the server runs under.  Nothing in EPM or BI has to be wrong for this to work; the exposure is the WebLogic listener itself.  Obviously, this could be very bad for your WebLogic server.

Because of the high Common Vulnerability Scoring System (CVSS) score of 7.5, Oracle is publishing mitigation instructions while patches for this vulnerability are being worked on.  My Oracle Support document 2076338.1 lists the mitigation options for WebLogic.  A second MOS article (2075927.1) lists the patches and the minimum WebLogic releases those patches apply to.  It's very important to note that most of us will first need to bring WebLogic up to the minimum release and only then apply the security patch that fixes this vulnerability, so the upgrade itself belongs in the plan.

At this time, the options are limited to two network-level mitigations.  The first is to keep T3 traffic from reaching your WebLogic server at all: front WebLogic with an HTTP server such as Oracle HTTP Server or Apache and expose only that, since the proxy forwards HTTP and HTTPS but not T3 (or RMI over T3), and firewall the WebLogic listen ports from everything else.  The second is to block undesirable T3 traffic on WebLogic itself using Network Connection Filters, which refuse connections for the t3 and t3s protocols from any address you have not explicitly allowed.  Remember that legitimate T3 users exist (managed servers talking to the admin server, WLST, and any JMS or EJB thick clients), so the filter needs an allow list for those hosts ahead of the deny rule.
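The connection-filter mitigation comes down to a short rule file in WebLogic's `target localAddress localPort action protocols` syntax, evaluated top-down with the first matching rule winning.  The script below is an added example, not from the original post or from Oracle's MOS notes: it generates the T3 lockdown rules from an allow list, parses them back, and evaluates them against candidate connections so you can see which source addresses still get t3/t3s before you put the rules on a live domain.  It models IP and CIDR targets only (the real filter also accepts hostnames and `*.domain` patterns), and the addresses used are placeholders.

```python
"""
Model WebLogic connection-filter rules for the CVE-2015-4852 T3 mitigation.
Added example, not from the original post or from Oracle.  Rule syntax follows
weblogic.security.net.ConnectionFilterImpl ("target localAddress localPort
action protocols"), first match wins, and a connection matching no rule is
accepted.  All addresses below are placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str        # remote IP or CIDR; use 0.0.0.0/0 for "everyone"
    local_addr: str    # WebLogic listen address, or '*' for any
    local_port: str    # WebLogic listen port, or '*' for any
    action: str        # 'allow' or 'deny'
    protocols: tuple   # e.g. ('t3', 't3s'); empty means every protocol

    def matches(self, remote_ip: str, local_addr: str, local_port: int, protocol: str) -> bool:
        # ip_network() with strict=False turns a bare host address into a /32.
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.target, strict=False):
            return False
        if self.local_addr != "*" and self.local_addr != local_addr:
            return False
        if self.local_port != "*" and int(self.local_port) != local_port:
            return False
        return not self.protocols or protocol in self.protocols

    def render(self) -> str:
        """One line in the format the Connection Filter Rules field expects."""
        return " ".join([self.target, self.local_addr, self.local_port, self.action, *self.protocols])


def t3_lockdown_rules(trusted_sources: list) -> list:
    """Allow t3/t3s from loopback and the trusted hosts/CIDRs, deny it from everyone else.

    HTTP/HTTPS are untouched: the final rule names only t3 and t3s.
    """
    rules = [Rule("127.0.0.1", "*", "*", "allow", ("t3", "t3s"))]
    for src in trusted_sources:
        ipaddress.ip_network(src, strict=False)  # raise now on a typo, not in production
        rules.append(Rule(src, "*", "*", "allow", ("t3", "t3s")))
    rules.append(Rule("0.0.0.0/0", "*", "*", "deny", ("t3", "t3s")))
    return rules


def decide(rules: list, remote_ip: str, protocol: str,
           local_addr: str = "10.0.0.5", local_port: int = 7001) -> str:
    """Return 'allow' or 'deny' for a candidate inbound connection."""
    for rule in rules:
        if rule.matches(remote_ip, local_addr, local_port, protocol):
            return rule.action
    return "allow"  # no rule matched: the filter accepts the connection


def parse_rules(text: str) -> list:
    """Parse a rule file (one rule per line, '#' comments) back into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3].lower(),
                          tuple(p.lower() for p in parts[4:])))
    return rules


if __name__ == "__main__":
    # Placeholders: the admin/managed server subnet and one WLST jump host.
    rules = t3_lockdown_rules(["10.0.0.0/24", "10.1.2.3"])
    print("\n".join(r.render() for r in rules))
    for ip, proto in [("10.0.0.7", "t3"), ("203.0.113.9", "t3"), ("203.0.113.9", "https")]:
        print(f"{ip:>14} {proto:<5} -> {decide(rules, ip, proto)}")
```

The ordering matters: put the deny-all rule first and every trusted host, including the managed servers, loses T3 as well, which `decide()` will show you immediately.  Keep the generated text in version control alongside the domain configuration so the allow list is reviewed when hosts change.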

While this vulnerability is a little scary, most EPM and BI environments are internal applications and are not facing the internet, where the possibility of malicious attack is much higher.  Internal is not the same as safe, though: anyone on the internal network who can reach port 7001 can use this, so the mitigations and the patch still apply.  For those environments that are internet-facing, your security team is likely already on top of this vulnerability, since a working exploit was confirmed last Friday by FoxGlove Security.  The sad part is that the vulnerability was brought to the public in January at AppSecCali and hadn't been addressed at all in the meantime.  If you really want to geek out, check out the links for full details.

I don't pretend to be cool enough to understand exactly how the vulnerability works in Java, but I do know that some malicious code could really ruin your day.  Stay tuned to the My Oracle Support documents listed above as more details come out and patches for WebLogic are eventually released.


One comment

  1. What I can't understand is why Oracle E-Business Suite R12.1, which runs on OAS (also J2EE-based), is not also affected.
