
Oracle WebLogic Server

Product
Developers: Oracle
Last Release Date: 2020/08/07
Technology: Corporate portals, Server platforms

2020: Vulnerability found that allows connecting to the server through a service URL reachable from the Internet

On August 7, 2020 Positive Technologies reported that its expert Arseny Sharoglazov had found a vulnerability in Oracle WebLogic Server application servers. Using a service URL that is reachable from the Internet, attackers can connect to the system, guess the login and password that grant access, and read files on the server remotely (remote file reading). Products of the Oracle WebLogic family are used by tens of thousands of companies worldwide.

The vulnerability, CVE-2020-14622, has been assigned a medium severity on the CVSS scale (base score: 4.9).

The problem is compounded by the fact that many system administrators are unaware that this URL exists and that a standard login and password combination grants access to it. The WebLogic administration console is normally placed on a dedicated port and is not reachable from the Internet, while system configuration is performed with special scripts that contain the default credentials for accessing the service URL.

By exploiting this weakness, attackers can gain access to Oracle WebLogic Server and read any files stored on the server. Depending on the organization that owns the server, these may include users' personal data, configuration files of important systems, and application source code in which further vulnerabilities may be found.

Carrying out the attack requires only average skill. The vulnerability can be found with automated scanning tools, and exploiting it requires the attacker to write simple code in Java.

"During security analysis projects we have encountered this vulnerability in banking systems certified under PCI DSS," says Positive Technologies researcher Arseny Sharoglazov. "These are complex systems: a DMZ is built in which several servers are installed, including several WebLogic servers and SQL databases; all of this is isolated and audited, an nginx proxy and a WAF are in place, but administrators do not know that the infrastructure is reachable through the service URL, and that undermines the protection."

To reduce the risk associated with exploitation of CVE-2020-14622, Positive Technologies experts recommend installing the security update released by Oracle and changing the standard password used to access the service URL. In addition, companies running Oracle WebLogic Server in their infrastructure can reduce the risk of exploitation of CVE-2020-14622 through regular penetration testing and the use of specialized protective tools.

2013: Oracle WebLogic Server 12.1.2

Oracle announced the release of the new version of its application server, Oracle WebLogic Server 12.1.2, on August 5, 2013.

Oracle WebLogic Server is optimized to run on Oracle Exalogic Elastic Cloud, a member of the Oracle Engineered Systems family of optimized hardware and software systems.

New functionality

  • Oracle WebLogic Server 12.1.2 uses dynamic clustering for greater "cloud flexibility" and more efficient resource management, and simplifies administration of the Java Messaging Service (JMS).
  • Fully certified support for and integration with Oracle Database 12c, including access to consolidated databases in the multitenant architecture, as well as application continuity and high data availability.
  • Support for Apache Maven for version control and an extended lifecycle; support for HTML5, Java and WebSockets for developing mobile and cross-platform applications.
  • The server provides declarative, JSON- or XML-based access to corporate data sources through a REST (Representational State Transfer) interface for distributed applications, using Oracle TopLink services.

2011: Oracle WebLogic Server 12c

In December 2011 Oracle announced the release of Oracle WebLogic Server 12c, a new version of its application server for traditional systems, engineered hardware and software systems, and cloud computing environments. As a key part of the Oracle Cloud Application Foundation platform and the core of the Oracle Fusion Middleware family, Oracle WebLogic Server continues to offer new capabilities for building, deploying and running Java EE (Java Platform, Enterprise Edition) applications.

The new version of Oracle WebLogic Server 12c offers significant enhancements and improvements designed to help customers and partners reduce total cost of ownership and get more return from their existing application infrastructure, while accelerating the development cycle and shortening time to market for new applications.

Oracle WebLogic Server 12c is certified for the full Java EE 6 platform specification, which improves developer productivity through modern, standards-based APIs including Servlet 3.0, JAX-RS 1.1, JavaServer Faces 2.1, EJB 3.1, Contexts and Dependency Injection for Java, and many others. In addition, developers on the Oracle WebLogic Server platform can now use the features of Java Platform, Standard Edition (Java SE) 7 to write better and more maintainable code.

Oracle WebLogic Server 12c provides full support for dependency management and a unified build process through an updated plug-in for Apache Maven. The new version of the application server is also directly integrated with Oracle Traffic Director (OTD), a new component of the Oracle Fusion Middleware family that adds high-performance, highly available routing of application traffic, dynamically configurable caching and load balancing, and proxying for HTTP applications. In addition, Oracle Virtual Assembly Builder, using graphical tools and open web-service APIs based on the PaaS ("platform as a service") delivery model, simplifies the configuration and setup of multi-tier enterprise applications in environments virtualized with Oracle VM.

"With the release of the new version of Oracle WebLogic Server 12c, customers can use the application server to get more return from their existing infrastructure, to simplify the deployment and management of applications, and to accelerate time to market for new applications by increasing developer productivity," noted Cameron Purdy, Oracle Vice President of Development. "In addition, thanks to Oracle WebLogic Server 12c customers will be able to better adopt cloud computing, use the infrastructure to build private and public cloud architectures, and then easily switch between internal and external infrastructure as requirements change."

According to the developers, customers can rely on Oracle WebLogic Server 12c for their most important and business-critical tasks thanks to the platform's high security and availability. Improved integration between Oracle WebLogic Server and Oracle Real Application Clusters (RAC) automatically detects and handles failures of database nodes (partitions), supporting high performance and simpler management.

In turn, new disaster recovery features let customers store data in files or in the database, including an option to keep the transaction log in the database. This makes it possible to use the proven replication technologies built into the database, together with Oracle GoldenGate and Oracle Active Data Guard, for all dynamic application data, including online activity logs, Java Message Service (JMS) logs and transaction logs, Oracle explained.

Among other features of Oracle WebLogic Server 12c, support for the Transport Layer Security (TLS) 1.2 cryptographic protocol (the successor to Secure Sockets Layer, SSL) should be noted, as it improves application security.

Oracle WebLogic Server is optimized for use as a high-performance, elastic cloud infrastructure for running mission-critical enterprise applications on Oracle Exalogic Elastic Cloud, an engineered hardware and software system for cloud computing. Oracle's application server is also a key component of Oracle Java Cloud Service, the enterprise platform for developing, deploying and managing mission-critical Java EE business applications.

2010: Structure of Oracle WebLogic Server

Oracle WebLogic Server, developed by Oracle, is built on the Java EE family of products and as of December 2010 includes:

  • Java EE application server: WebLogic Application Server
  • enterprise portal: WebLogic Portal
  • integration framework for corporate applications
  • transaction server and infrastructure: WebLogic Tuxedo
  • telecommunications platform: WebLogic Communication Platform
  • HTTP web server