Since the last Oracle Critical Patch Update in April, there have been two additional patches released by Oracle (29694149/29800003) to address critical vulnerabilities (CVE-2019–2725 and CVE-2019-2729) with the Weblogic Server 10.3.x version used by Oracle EPM.
If you are up to date with your April Weblogic CPU’s then the additional patch to apply is:
Patch: 29800003 [IL49] for CVE-2019-2729 (includes CVE-2019–2725)
The updates are considered extremely critical, receiving a CVSS Score of 9.8 out of 10. This vulnerability is relatively simple to execute due in part to being low complexity, and requiring no elevated privileges. No user actions are required to initiate it and it can be carried out remotely over HTTP.
This vulnerability significantly impacts the Confidentiality, Integrity and Availability (CIA) of an EPM system. As such, it’s considered critical that the WebLogic Patch 29800003 is applied as soon as possible.
In short, an attacker with HTTP access to the Weblogic Admin Console/Enterprise Manager can take full control of Weblogic and use it for their own goals.
Suggested Methods For Mitigation
Unless you are using the SOA components within your EPM environment (eg FCM and QMR) or using the Weblogic Console/Enterprise Manager for monitoring EPM, the affected Weblogic components where the vulnerability resides are not critical for the correct functioning of EPM in a typical Oracle EPM environment. This means one possible mitigation is simply to stop the Weblogic Admin Service. If the Admin service is not running, then there is nothing for the attacker to attack.
Additionally, you can limit the exposure of the Weblogic Admin Server, ensuring that the Weblogic Admin Server is not accessible from outside of the EPM environment.
How to address the issue?
Ultimately the best solution is to patch all instances of Weblogic in line with Oracle recommendations. Note that patching should first be tested in a non-production environment, the EPM functionality tested and then when suitably reassured the patch rolled out to production.
inlumi can help you with patching your EPM system. Get in touch.
