On April 26 and June 18, 2019, Spok was alerted to zero-day deserialization vulnerabilities in Oracle WebLogic Server versions 10.3.6 and 12.1.3. Oracle WebLogic 10.3 is a component of SmartSuite 5.x.
These vulnerabilities can allow remote code execution on a server using WebLogic.
These vulnerabilities do not affect Smart Suite versions other than 5.x. Older versions such as 4.x do not use WebLogic at all, and the newest 7.x versions use WebLogic Server version 12.2 and higher, in which these vulnerabilities are not present.
Our primary concern is to help your institution eliminate the risks presented by this vulnerability. Below are instructions for mitigation. These mitigation steps have been validated by Spok and secure your system without impacting the operations of the SmartSuite solutions.
Spok Support will open a case on behalf of your institution to help work through the mitigation as tested by Spok. If you have not received notification of an open case by Wednesday, May 1st, please contact Spok through the regular support channels: www.spok.com/myspok or by calling 1-888-576-1383.
Since the Spok Smart Suite web applications (Smart Suite/Smart Web/eNotify) do not use the asynchronous communication module within WebLogic, the simplest fix for this issue is to disable this module completely within the WebLogic server. This is done by removing all copies of two specific Web Application Resource (or .war) files from the server, and then restarting the WebLogic process. Spok development has created a bash script that automates this process.
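The removal step described above, as an added example that is not Spok's own script: it quarantines every copy of the two .war files found under the WebLogic home into a backup directory (so they can be restored if needed) and reports how many copies remain, which is the check to run before restarting WebLogic. The page does not name the two files; the names below are an assumption, taken from Oracle's own workaround for the April 2019 WebLogic deserialization alert, and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not Spok's script. ASSUMPTION: the two .war files are the
# ones below; adjust if your Spok case names different files. Paths are
# assumed to contain no whitespace. Restarting WebLogic is left to the operator.
WAR_FILES="wls9_async_response.war wls-wsat.war"

# quarantine_wars <weblogic_home> <backup_dir>
# Moves every copy of each listed .war found under <weblogic_home> into
# <backup_dir>, preserving the original path, and prints the number moved.
quarantine_wars() {
    wl_home=$1; backup=$2; moved=0
    for war in $WAR_FILES; do
        for f in $(find "$wl_home" -type f -name "$war"); do
            dest="$backup/${f#/}"            # e.g. /root/war_backup/u01/.../wls-wsat.war
            mkdir -p "$(dirname "$dest")"
            mv "$f" "$dest"
            echo "quarantined: $f -> $dest" >&2
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}

# remaining_wars <weblogic_home>
# Prints the number of listed .war copies still present under <weblogic_home>.
# 0 means the module is fully removed and WebLogic can be restarted.
remaining_wars() {
    n=0
    for war in $WAR_FILES; do
        c=$(find "$1" -type f -name "$war" | wc -l)
        n=$((n + c))
    done
    echo "$n"
}

# Usage (placeholder paths): sh wls_war_mitigation.sh /u01/oracle/middleware /root/war_backup
if [ "$#" -eq 2 ]; then
    echo "copies moved: $(quarantine_wars "$1" "$2")"
    echo "copies remaining: $(remaining_wars "$1")"
fi
```

After the restart, rerun the remaining-count check so a redeploy from a domain's tmp or staging area is not mistaken for a clean server.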
Q: How long will the remediation process take?
A: Roughly 20 - 30 minutes per server.
Q: Will I experience any downtime?
A: Only if you have a single web server system. Part of the remediation process is a restart of the WebLogic Server process, which will cause all web applications on the server to be inaccessible for approximately 10 minutes. If you have two (or more) web servers, we will perform the update one server at a time, so your web load balancer should direct all traffic to the other server while the restart is in progress. Once the first server is completed, we'll update the second server. If you have a single web server, then your web applications (Smart Web, Smart Center, eNotify, EZNotify) will be unavailable for approximately 10 minutes while WebLogic is stopped and started.
Q: Do I need to have someone on site during the patching process?
A: As with any patching process, this is advisable. Spok does not anticipate any need for physical intervention on the servers, but the potential for such intervention (physically rebooting the server, visual analysis of the server, etc.) is always present during patching.
Q: What does this mean if it's exposed to the Internet?
A: By this we mean your Spok Smart Suite applications or load balancer for your applications are directly public facing, and users are not required to be on a direct network connection or logged into a VPN to access the applications.
Q: Can I apply these fixes myself?
A: Due to the complexity of the Spok architecture, Spok highly recommends that you work with Spok Support to apply these changes to your systems in order to minimize potential business impact. Please refer to the Service Level Expectations document found in Spok knowledge for a complete list of services and recommendations offered by Spok Support. https://knowledge.spok.com/@api/deki/files/64039/Spok-SLE_v8.3.2.pdf?revision=1
Q: Will Spok apply this patch outside of normal business hours?
A: If you are a Premium Maintenance customer, applying updates outside of business hours is included in your maintenance agreement. If you are not a Premium Maintenance customer, we will work with you to apply these fixes during normal business hours. If you do need to have them applied outside of normal business hours, this can be done at an extra charge through a Professional Services Request.
Q: What is the risk to my system if I do not apply these changes?
A: If your web servers are exposed to the internet, or your network is somehow compromised, your Smart Suite web servers will be vulnerable to remote code execution by unauthorized persons. The most frequent use of this vulnerability that has been seen "in the wild" is cryptocurrency mining; however, since the Smart Suite system does sometimes contain both Personally Identifiable Information (PII) and Patient Health Information (PHI), the potential for compromise of that data does exist if this vulnerability is not patched.
Q: What is the risk to my system if I apply these changes?
A: The risk is minimal. The module that is being accessed via this vulnerability is not something that is used in the Spok Smart Suite software package, so disabling it will have no impact on the performance of the Spok system. The risks involved with the application of this patch are the same that exist with any patch.
Q: I have an upgrade planned, will this update be included in the upgrade?
A: If your next upgrade is to Care Connect 1.9 - running on Red Hat 7, this vulnerability does not exist in the version of WebLogic that is being used. If you are in the process of upgrading to Care Connect 1.8 (running on RHEL5), please discuss this with your Professional Services Project Manager to ensure this update is applied as part of the project.
Q: What other steps can/should I take?
A: There are two recommendations from Spok:
- We encourage all organizations to complete an inventory of all Oracle/WebLogic installs throughout their system to ensure that they are able to take a comprehensive approach to address this zero-day vulnerability. Please contact the respective vendors of those products to learn what their recommended remediation steps are.
- Please ensure that your organization has a fully tested back-up and recovery strategy for all of your Spok solutions (both virtual and physical) to minimize any downtime when restoring a Spok service or application after an unplanned event.