Re: How to upgrade Oracle WebLogic-ESXi

JohannaLeon · ‎11-19-2020

Good morning,

My question is regarding Oracle WebLogic: Oracle Security Alert Advisory - CVE-2020-14750. This is a vulnerability that the system found. So, the solution to this vulnerability is to upgrade Oracle WebLogic for one of the versions below. I have 3 servers with ESXi 6.7 EP 17 build number 17098360. I was researching how can I do it. However, I could not find it. I suppose when I upgraded ESXi to the latest version. Oracle was upgraded like part of the internal packages of ESXi. What is the command to get the Oracle WebLogic version in ESXi?

oracle-WebLogic-10_3_6_0_0-apply-patch-32097188
oracle-WebLogic-12_1_3_0_0-apply-patch-32097177

I appreciated if you can confirm my assumption or guide me on how can I proceed in order to resolve it.

Thanks in advance for your time and support.

a_p_ · ‎11-21-2020

Unless I'm missing something, ESXi neither has Oracle Weblogic installed, nor does it support this in the Hypervisor.
Can you please clarify what exactly you are looking for?

André

scott28tt · ‎11-21-2020

@JohannaLeon

If you are running WebLogic in VMs that just happen to be running on ESXi hosts, your patching will be applied via the guest OS you have running in those VMs.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

JohannaLeon · ‎12-01-2020

Hello Andre and Scott,

Responding your question. We have MS SQL Server and Crystal Server running as a VM in the ESXi host. We'll apply the patches to those two VM's and hopefully the Weblogic vulnerability on the ESXi host will go away too.

Will let you know.

Thank you!

scott28tt · ‎12-01-2020

@JohannaLeon

But did “the system” find the vulnerability inside the ESXi software, or inside the software you run inside your VMs?

If the latter, this issue and the solution to it has nothing to do with ESXi.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

JohannaLeon · ‎12-02-2020

This vulnerability was found both in ESXi and inside of the VMs.

scott28tt · ‎12-02-2020

@JohannaLeon

I suspect "the system" is only flagging up the ESXi hosts as it understands that's where the VMs are running, and therefore a false positive, but seeing as you give no clues as to what "the system" is I'm guessing...

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

JohannaLeon · ‎12-02-2020

The program that our customer used to scan our system is InsightVM.

After doing the research and looked up the Oracle WebLogic in our VMs (SQL and Crystal) servers. So, we found that Oracle WebLogic wasn't installed on those servers, but we found some config files in some application file folders with this name. For our VM Servers, we used as web browser server Apache Tomcat.

scott28tt · ‎12-02-2020

@JohannaLeon

I would ask them for more evidence as to what ESXi vulnerabilities they think you have in your environment, and review the advisories here: https://www.vmware.com/security/advisories.html

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

All

How to upgrade Oracle WebLogic-ESXi