back to article If you're using Oracle's WebLogic Server, check for security fixes: Bug exploited in the wild to install ransomware

IT admins overseeing Oracle's WebLogic Server installations need to get patching immediately: miscreants are exploiting what was a zero-day vulnerability in the software to pump ransomware into networks. The Cisco Talos security team said one its customers discovered it had been infected via the bug on April 25, though the …

  1. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Three wrongs and a right.

      1) "WebLogic is the base web server software through which Oracle APEX apps are exposed, right?"

      Wrong. There are a few ways to front APEX:

      - Oracle HTTPS Server (Apache) with mod_plsql. Not WebLogic.

      - Embedded PL/SQL Gateway. Not WebLogic.

      - Oracle REST Data Services (ORDS). Can run in standalone mode, on Tomcat, Glashfish (deprecated) or WebLogic. Although it is possible to front APEX with ORDS on WebLogic, very few people do because you can run it for free on Tomcat, so why pay for WebLogic licenses? From what I can see, most people run on Tomcat or standalone mode.

      2) "managed by people with no business building applications in the first place"

      Wrong. From what I see, most people using APEX are actually full time developers. It's often touted as a product regular folks can use, but in practice, it's developers, who also do PL/SQL and Javascript amongst other things.

      3) "If you're not running the latest version, no patch for you"

      Wrong. The terminal release of some old versions have lifetime support. This latest issue has patches available for WebLogic 11g (10.3.6) from 2012 and WebLogic 12cR1 (12.1.x) from 2014. The latest version of WebLogic is 12cR2 (12.2.1.3) and doesn't have the vulnerability, so it doesn't need the patch. If you've chosen to stay on some obscure version and not get up to the terminal release of your really old app server, you can;t really blame Oracle for not putting out a patch. I'm not sure if you've noticed, but even Microsoft aren't putting out patches for Windows 3.11... :)

      4) "If you're not currently under a support contract, no patch for you"

      Agreed, but I rarely see anyone running Oracle products without a support contract. If people are not willing to pay for the support, they tend to migrate off Oracle entirely.

      Conclusion : There are a lot of negative things that can be said about Oracle, but it's pretty clear from your response you don't actually know enough about the Oracle product set to make any comments that are worth other people reading. Perhaps you should educate yourself a bit before you launch into a tirade and make yourself look ignorant. :)

  2. Nate Amsden

    memories

    The support contract required to get the patch reminded me of this..

    Was at a company more than 10 years ago now that used Weblogic (back when it was BEA Weblogic). We used JMS for tons of stuff and had tons of bugs with it. At one point our performance/stability team tried to be proactive and asked BEA if there was any fixes for the JMS subsystem that we didn't have that we could get in advance given our troubled history with JMS on Weblogic.

    BEA said there was no fixes we didn't already have.

    Fast forward a month or two and we had a big outage with JMS, systems were down for at least a day or two. The customer that ran on this cluster was and still is a multi billion $ telecom(and a weblogic customer themselves). They were upset.

    I'll never forget being in my manager's office after the first day or so of downtime, every high level software person in the room with the senior ops people(me). Manager asks a simple question along the lines of "does anyone have any ideas on how we can fix this". There was no answer, they had no idea.

    We worked around the problem by basically dropping all of the data in the affected queues and things returned to normal but it took a long time for people to approve losing all of that data (in the end I don't recall it being too bad).

    Fast forward a month or so(for the folks to find the root cause) after that and BEA admits to us that not only was that ~2 day outage caused by a known bug in Weblogic, but they had a fix for it at the time we asked them for fixes. But it was a policy to not tell customers about these one off fixes unless they were specifically affected by the issue. The multi billion dollar telecom stepped in and.. BEA changed their policy(at least for us anyway).

    I suppose the upshot of Weblogic at that company(in reference to the article again) is it was never exposed to the internet, multi tier architecture apache terminated the http/ssl connections, then sent them to a tomcat tier over AJP, then tomcat did some things and for weblogic related things it sent requests to weblogic which was behind a firewall layer("app tier"). Learned a lot at that company, fun times..though could never repeat that experience (70-80hr+ per week for a couple of years, literally took me ~3 years to recover from that).

  3. Aodhhan

    No problem

    We have all of our web servers protected by Cisco, right?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021