Tag Archives: security

Although it’s a few days old, I’d like to point out an article by my colleague Markus Knies who had to deal with this vulnerability right on day zero:

Oracle released the quarterly critical patch updates on April 16th, 2019. Only one week later a zero-day vulnerability was identified by the KnownSec-404 security team. The vulnerability exists in Oracle Weblogic Server and has been labeled as CVE-2019-2725 and is also reported by the BSI (Bundesamt für Sicherheit in der Informationstechnik, Zero-Day-Schwachstelle in Oracle WebLogic Server, 25.04.2019).

Affected modules for this vulnerability are the wls9_async_response package with its components wls9_async and wls-wsat. With the help of these two modules it is possible to execute malicious content with elevated privileges.

Oracle reacted fast, broke the regular patch process, and launched an independent emergency patch on April 26th,2019:

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

Oracle reports that there is only an impact at the following versions: Oracle WebLogic Server, versions 10.3.6.0 and 12.1.3.0.

The BSI announces that all versions of Oracle WebLogic-Server are affected (also including the currently actual version 12.2.1.3).

The vulnerability CVSS score for this issue is 9.8. It is highly recommended to install this patch as soon as possible in affected systems.

Related Links:

Oracle – Oracle Security Alert Advisory: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

F5L2019 – F5 Labs: Twitter-Meldung: https://mobile.twitter.com/F5Labs/status/1120822404568244224/photo/1

Pag2019 – Pierluigi Paganini: „Zero-day vulnerability in Oracle WebLogic“: https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html

Heise – Oracle WebLogic Server via Zero-Day-Lücke aus der Ferne angreifbar (26.04.2019): https://www.heise.de/security/meldung/Oracle-WebLogic-Server-via-Zero-Day-Luecke-aus-der-Ferne-angreifbar-4408439.html

Heise – Oracle patcht kritische Lücke in WebLogic Server außer der Reihe (29.04.2019): https://www.heise.de/security/meldung/Oracle-patcht-kritische-Luecke-in-WebLogic-Server-ausser-der-Reihe-4409153.html?wt_mc=rss.security.beitrag.atom

via Zero Day vulnerability in Oracle WebLogic Servers – Oracle Patch available | The Cattle Crew Blog

JDBC, Linux and Entropy

Some troubles — especially those happening only sporadically — are not so easy to shoot and call for a deeper understanding of the matter. In the following real-world example this means: SQL*Net Tracing and some knowledge about the inner workings of the server’s operating system, particularly random number generation.

This case was suited well to demonstrate an approach to trouble-shoot connections to Oracle databases.

Continue reading

Enable HyperFIDO U2F Key on Linux

Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”).

This works fine and easy on Windows, but with Linux things get a little complicated: The key isn’t accessible to all users by default. This has to be activated using udev rules, which is widely documented on the web, but very often erroneous or outdated. Here’s what I found:

Continue reading