Oracle Security Alert Advisory - CVE-2019-2729
Purpose:
CVE-2019-2729 (CVSS v3 base score 9.8) is a deserialization vulnerability via XMLDecoder in
Oracle WebLogic Server Web Services. It is easily exploitable: an unauthenticated attacker
with network access via HTTP can compromise Oracle WebLogic Server, and a successful attack
results in takeover of the server, with no username or password required. Because Hyperion
runs on an affected WebLogic release, it is imperative that we apply the WebLogic patch promptly.
Most recent patches are listed here:
https://www.oracle.com/security-alerts/
The Security Alert for this CVE, with the affected WebLogic versions, is here:
https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
From the alert, navigate to "Fusion Middleware", which takes you to:
Security Alert CVE-2019-2729 Patch Availability Document for Oracle WebLogic Server (Doc ID 2555019.1)
Overview:
Hyperion version 11.1.2.4 runs on WebLogic 10.3.6 (screenshot below), so we need to apply
the CVE fix for 10.3.6. Fixes for 10.3.6 ship as Patch Set Updates (PSUs); each PSU is a
single cumulative patch, so the latest PSU contains the CVE-2019-2729 fix together with all
earlier fixes. Also, beginning January 2019, WLS 10.3.6 is under Extended Support, and
Java SE 7 is required with WLS 10.3.6 because Java SE 6 has reached the end of Extended
Support (Doc ID 952075.1).
Sensitivity Label: General
10.3.6 Patch Set Updates
Patch Set Update (PSU) Release Listing for Oracle WebLogic Server (WLS) (Doc ID 1470197.1)
Steps to Upgrade:
1. Run the Hyperion stop script and ensure all WebLogic processes are stopped.
2. Remove any previously applied WebLogic Server Patch Set Update and its associated overlay patches.
Windows
cd D:\Oracle\Middleware\utils\bsu
bsu.cmd -remove -patchlist=[patch] -prod_dir=D:\Oracle\Middleware\wlserver_10.3
Linux
cd /u01/Oracle/Middleware/utils/bsu
./bsu.sh -remove -patchlist=[patch] -prod_dir=/u01/Oracle/Middleware/wlserver_10.3
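Before running the -remove in step 2 you need the IDs of the PSU and overlay patches that are actually applied, and you want to see the exact command before it runs. The script below is an added example for this runbook, not Oracle's tooling: it parses the output of "bsu.sh -view -status=applied -verbose" and builds the removal command line. The "Patch ID:" line format is an assumption about Smart Update's -view output, and the sample output and its patch IDs (WXYZ, ABCD) are constructed, not real Oracle patch IDs.

```sh
#!/bin/sh
# Pre-flight for step 2: list what BSU has applied before removing anything, and
# build the exact -remove command so it can be reviewed before it is run.
# Added example, not Oracle's tooling. Assumption: "bsu.sh -view -status=applied
# -verbose -prod_dir=<dir>" prints one "Patch ID:   <id>" line per applied patch.

PROD_DIR=/u01/Oracle/Middleware/wlserver_10.3
BSU_DIR=/u01/Oracle/Middleware/utils/bsu

# Constructed sample of the -view output for an install carrying one PSU and one
# overlay patch (IDs are made up).
SAMPLE_VIEW='ProductName:       WebLogic Server
ProductVersion:    10.3 MP6
Components:        WebLogic Server/Core Application Server
BEA-Home:          /u01/Oracle/Middleware
Product Home:      /u01/Oracle/Middleware/wlserver_10.3
Patch ID:          WXYZ
Patch Jar Name:    WXYZ.jar
Checksum:          1111111111
Description:       WLS PATCH SET UPDATE 10.3.6.0.190416
Patch ID:          ABCD
Patch Jar Name:    ABCD.jar
Checksum:          2222222222
Description:       OVERLAY PATCH ON TOP OF PSU'

# Print the applied patch IDs, one per line. Only "Patch ID:" lines count; the
# "Patch Jar Name:" lines also start with "Patch" and are skipped.
applied_patch_ids() {
    printf '%s\n' "$1" | awk '$1 == "Patch" && $2 == "ID:" { print $3 }'
}

# Turn newline-separated IDs into the comma-separated value -patchlist= expects.
patchlist_value() {
    printf '%s\n' "$1" | awk 'NF { s = s (length(s) ? "," : "") $1 } END { printf "%s", s }'
}

# Build (do not run) the removal command. Fails when there is nothing to remove,
# so a caller never invokes bsu with an empty -patchlist.
bsu_remove_command() {
    prod_dir="$1"
    ids="$2"
    list=$(patchlist_value "$ids")
    if [ -z "$list" ]; then
        echo "no applied patches found under $prod_dir; nothing to remove" >&2
        return 1
    fi
    printf './bsu.sh -remove -patchlist=%s -prod_dir=%s\n' "$list" "$prod_dir"
}

# Live use on the WebLogic host (commented out; needs the real install):
#   cd "$BSU_DIR"
#   ids=$(applied_patch_ids "$(./bsu.sh -view -status=applied -verbose -prod_dir="$PROD_DIR")")
#   cmd=$(bsu_remove_command "$PROD_DIR" "$ids") && echo "$cmd"   # review, then eval "$cmd"

# Dry run on the constructed sample:
bsu_remove_command "$PROD_DIR" "$(applied_patch_ids "$SAMPLE_VIEW")"
```

Keep the saved -view output with the change record: it is the only evidence of what the server looked like before the PSU was swapped, and it is what you compare against after the install.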
3. Apply WLS BSU Smart Update Patch 12426828 (Doc ID 2271366.1)
Windows
Unzip p12426828_1035_Generic.zip to C:\temp
Launch command prompt and run
java -jar patch-client-installer330-generic32.jar
Follow prompts
Linux
Unzip p12426828_1035_Generic.zip to /u01/Hyperion
Open an SSH session (PuTTY) and run
java -jar /u01/Hyperion/p12426828_1035/patch-client-installer330-generic32.jar
Follow prompts
JAVA 7 Upgrade:
Follow notes published in OneNote.
DO NOT PROCEED UNTIL JAVA UPGRADE IS SUCCESSFUL!
Patch p30857748 (Q3ZB, WLS PSU 10.3.6.0.200414):
Windows
Download and copy file to
Update bsu.cmd with the new java home and bump up the JVM settings
Linux
Update bsu.sh with the new Java home and bump up the JVM settings, then run:
./bsu.sh -install -patch_download_dir=/u01/Oracle/Middleware/utils/bsu/cache_dir -patchlist=Q3ZB -prod_dir=/u01/Oracle/Middleware/wlserver_10.3
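"Update bsu.sh with the new Java home and bump up the JVM settings" is the step most often done by hand and most often done wrong (BSU left on the JDK 6 that was just retired, or a heap too small and the install hanging). The script below is an added example for this runbook, not Oracle's script: it rewrites the two assignments, keeps a backup, and verifies the edit. It assumes bsu.sh in WLS 10.3.6 sets JAVA_HOME="..." and MEM_ARGS="-Xms... -Xmx..." on their own lines (the sample bsu.sh is constructed with that shape); the JDK path /u01/Oracle/Middleware/jdk170_181 is the one this runbook uses, and the 1024m/2048m heap values are an assumption, not an Oracle recommendation. bsu.cmd on Windows carries the same two values as "set JAVA_HOME=" and "set MEM_ARGS=" lines and is not handled here.

```sh
#!/bin/sh
# Edit bsu.sh for the Java 7 home and larger JVM heap, keep a backup, and prove
# the edit landed. Added example, not Oracle's script. Assumption: bsu.sh has
# JAVA_HOME="..." and MEM_ARGS="..." assignments on their own lines.

NEW_JAVA_HOME=/u01/Oracle/Middleware/jdk170_181   # JDK 7 from the Java 7 upgrade step
NEW_XMS=1024m                                      # assumed values, adjust to the host
NEW_XMX=2048m

# Constructed sample of an unedited bsu.sh still pointing at the old JDK 6.
SAMPLE_BSU='#!/bin/sh
JAVA_HOME="/u01/Oracle/Middleware/jdk160_35"
MEM_ARGS="-Xms256m -Xmx512m"
"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*'

# Rewrite JAVA_HOME and MEM_ARGS in a bsu.sh, keeping <file>.orig as a backup.
# Returns non-zero if either assignment is missing afterwards, so a script that
# does not have the expected shape is not silently left unchanged.
update_bsu_script() {
    f="$1"; jh="$2"; xms="$3"; xmx="$4"
    cp "$f" "$f.orig" || return 1
    sed -e "s|^JAVA_HOME=.*|JAVA_HOME=\"$jh\"|" \
        -e "s|^MEM_ARGS=.*|MEM_ARGS=\"-Xms$xms -Xmx$xmx\"|" "$f.orig" > "$f" || return 1
    grep -q "^JAVA_HOME=\"$jh\"\$" "$f" && grep -q "^MEM_ARGS=\"-Xms$xms -Xmx$xmx\"\$" "$f"
}

# Confirm the JDK bsu.sh now points at exists and is Java 7. Run this on the
# WebLogic host before launching bsu.sh -install.
check_java_home() {
    jh="$1"
    [ -x "$jh/bin/java" ] || { echo "no java under $jh" >&2; return 1; }
    "$jh/bin/java" -version 2>&1 | grep -q '"1\.7\.' || { echo "$jh is not Java 7" >&2; return 1; }
}

# Demo on a temporary copy of the constructed sample. The live call is:
#   update_bsu_script /u01/Oracle/Middleware/utils/bsu/bsu.sh "$NEW_JAVA_HOME" "$NEW_XMS" "$NEW_XMX"
#   check_java_home "$NEW_JAVA_HOME"
DEMO_BSU=$(mktemp)
printf '%s\n' "$SAMPLE_BSU" > "$DEMO_BSU"
update_bsu_script "$DEMO_BSU" "$NEW_JAVA_HOME" "$NEW_XMS" "$NEW_XMX"
grep -E '^(JAVA_HOME|MEM_ARGS)=' "$DEMO_BSU"
```

Do the same edit on bsu.cmd before the Windows install; the BSU client on both platforms runs whatever Java that file names, regardless of what is on PATH.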
Download patch 18561746 to address the ODL issue and unzip it.
(I did not have to install this on the Windows machine.)
Windows
copy 18561746 to D:\Oracle\Middleware\oracle_common\OPatch
cd D:\Oracle\Middleware\oracle_common\OPatch
opatch apply D:\Oracle\Middleware\oracle_common\OPatch\18561746 -jdk D:\Oracle\Middleware\jdk170_181
Linux
copy 18561746 to /u01/Oracle/Middleware/oracle_common/OPatch
cd /u01/Oracle/Middleware/oracle_common/OPatch
./opatch apply /u01/Oracle/Middleware/oracle_common/OPatch/18561746 -jdk /u01/Oracle/Middleware/jdk170_181
Hyperion Verification
WL Version Check
Before:
After:
After patching, the version string should read "WebLogic Server 10.3.6.0.200414 PSU Patch for
BUG30857748" (screenshot below). The PSU for BUG30857748 is the Q3ZB patch, so seeing that
line confirms the patch was applied.
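A screenshot is hard to check automatically and easy to skip. The script below is an added example for this runbook, not Oracle's tooling: it parses the output of "java weblogic.version" (run after sourcing setWLSEnv.sh) and passes only if the expected PSU level and BUG number are reported. It assumes the first line has the form "WebLogic Server 10.3.6.0.<psu> PSU Patch for BUG<n> <date>" once a PSU is installed and "WebLogic Server 10.3.6.0 <date>" before; both sample outputs are constructed around the string quoted above, including the date.

```sh
#!/bin/sh
# Post-patch check for "WL Version Check": confirm WebLogic reports the PSU we
# installed instead of trusting that bsu.sh exited cleanly. Added example, not
# Oracle's tooling. Assumption: "java weblogic.version" prints a PSU line of the
# form "WebLogic Server 10.3.6.0.<psu> PSU Patch for BUG<n> <date>" once patched.

EXPECTED_BUG=30857748            # p30857748, Q3ZB
EXPECTED_VERSION=10.3.6.0.200414

# Constructed "Before" and "After" outputs (dates are made up).
VERSION_BEFORE='WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050'
VERSION_AFTER='WebLogic Server 10.3.6.0.200414 PSU Patch for BUG30857748 TUE MAR 17 15:09:45 IST 2020
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050'

PSU_LINE='^WebLogic Server 10\.3\.6\.0\.[0-9]+ PSU Patch for BUG[0-9]+'

# Print the PSU-level version (e.g. 10.3.6.0.200414), or nothing if no PSU line.
psu_version() {
    printf '%s\n' "$1" | awk -v re="$PSU_LINE" '$0 ~ re { print $3; exit }'
}

# Print the BUG number named on the PSU line, or nothing.
psu_bug() {
    printf '%s\n' "$1" | awk -v re="$PSU_LINE" '$0 ~ re { sub(/^BUG/, "", $7); print $7; exit }'
}

# Return 0 when the output shows exactly the expected PSU, 1 with a reason otherwise.
# An older PSU is a failure too: cumulative does not mean "any PSU will do".
check_wls_patched() {
    out="$1"; want_ver="$2"; want_bug="$3"
    ver=$(psu_version "$out"); bug=$(psu_bug "$out")
    if [ -z "$ver" ]; then
        echo "FAIL: no PSU line; WebLogic still reports an unpatched 10.3.6.0" >&2
        return 1
    fi
    if [ "$ver" != "$want_ver" ] || [ "$bug" != "$want_bug" ]; then
        echo "FAIL: found $ver (BUG$bug), expected $want_ver (BUG$want_bug)" >&2
        return 1
    fi
    echo "OK: WebLogic Server $ver PSU Patch for BUG$bug"
}

# Live use on the WebLogic host (commented out; needs the real install):
#   . /u01/Oracle/Middleware/wlserver_10.3/server/bin/setWLSEnv.sh
#   check_wls_patched "$(java weblogic.version)" "$EXPECTED_VERSION" "$EXPECTED_BUG"

# Demo on the constructed samples: the first fails, the second passes.
check_wls_patched "$VERSION_BEFORE" "$EXPECTED_VERSION" "$EXPECTED_BUG" || true
check_wls_patched "$VERSION_AFTER" "$EXPECTED_VERSION" "$EXPECTED_BUG"
```

weblogic.version reports what is on disk, not what is loaded. Run the check after the Hyperion start script has brought the managed servers back up, and keep its output with the change record next to the "Before" capture.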