Oracle customers are beginning to get a rare vulnerability notification outside of the quarterly Critical Patch Update. This update refers to a security vulnerability for Oracle WebLogic, IBM WebSphere and other Java web servers, which affects EPM and BI products as well as many other applications built on Oracle’s Fusion Middleware.
The vulnerability allows remote execution of code on the web server without a login ID or password. Basically, a Java application can be written to exploit this vulnerability allowing a hacker to force WebLogic to run a command on the server. Obviously, this could be very bad for your WebLogic server.
Due to the high Common Vulnerability Scoring System (CVSS) score of 7.5, Oracle is informing its customers of mitigation instructions while patches for this vulnerability are being worked on. My Oracle Support document 2076338.1 lists mitigation options for WebLogic. Oracle has another MOS article (2075927.1) that lists the patches and minimum releases that will be fixed by those patches. It’s very important to note that we will likely need to first patch our WebLogic to the minimum release and then apply the security patch to fix this vulnerability.
At this time, the options are limited to either blocking all T3 traffic from reaching your WebLogic server (like RMI through an HTTP server (like Oracle HTTP Server or Apache) or by blocking undesirable T3 traffic on WebLogic using Network Connection Filters to refuse any connections from undesirable IPs.
While this vulnerability is a little scary, most EPM and BI environments are internal applications and are not facing the internet where the possibility of malicious attack is much more likely. For those environments that are internet-facing, your security team is likely already on top of this vulnerability once it was confirmed last Friday by FoxGlove Security. The sad part is that the vulnerability was brought to the public in January at AppSecCali and hadn’t been addressed at all. If you really want to geek out, check out the links for full details.
I don’t pretend to be cool enough to understand exactly how the vulnerability works in Java, but I do know that some malicious code could really ruin your day. Stay tuned to the My Oracle Support documents listed above as more details come and patches for WebLogic are eventually released.