The most recent wave of cyber attacks continues to target Oracle WebLogic, a middleware technology used in many leading software packages, including Oracle Hyperion EPM on-premise software (reference: CVE-2019-2725 and CVE-2019-2729). Various public articles identify the most immediate threat as Sodinokibi, a ransomware family: malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
However, based on our ongoing analysis of the exploitation, there are greater repercussions for Oracle Hyperion EPM installations.
Oracle released a security patch on April 26 but research indicates that attackers have been exploiting the flaw since April 20, 2019. The patch may be downloaded directly from Oracle at https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
[Updated 19-06-19] Oracle also released a subsequent security patch on June 19 (which addresses both CVE-2019-2725 and the new CVE-2019-2729). Additional information may be found directly from Oracle at https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
Note that since this is being released as an exceptions patch, prerequisite patch set updates will likely be required; accordingly, this is not a simple patch installation, because of the number of interdependent patches and components that will be affected. Additional measures beyond the patch installation are expected to be required as well.
We will be providing additional general updates on this page as they become available.
In the meantime, our suggestion is to circulate this information to your information security, infrastructure, and Hyperion Administrator teams as soon as possible so that a more holistic and appropriate incident response plan may be formulated, managed, and executed.
Call For Action (updated 2019-06-19 09:30E):
- Review and update perimeter and end-point security for CVE-2019-2725 and CVE-2019-2729.
- Prioritize risk assessment and response efforts in instances where Weblogic is utilized in internet-facing solutions.
- Secure a full back-up at the database / operating system / VMDK snapshot level (note: this may need to be from prior to April 17, 2019, when the ransomware attacks were first noted)
- Deep scan the back-up to ensure that it is malware-free
- Perform a patch assessment of your Oracle Hyperion EPM platform (note: this may be a mid to longer term remedial effort)
- Assemble a cross-functional task force to formulate your tactical and longer-term security incident response plan (include Oracle EPM solution experts on the task force where available to assist)
- Where timely patching is not an option, explore mechanisms that can limit the exposure (note: there are a few tactical quick fixes available)
Note: every Oracle EPM instance is unique, so environment-specific actions and broader actions may need to be taken.
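The first and last items above (reviewing perimeter security, and limiting exposure where patching will lag) both begin with knowing whether the affected WebLogic components are being reached at all. The Python script below is an added example, not part of this advisory and not Oracle's or our own tooling: it scans Combined Log Format access logs from a reverse proxy in front of WebLogic for requests to the async-response and WS-AT web-service paths served by the affected components, optionally limited to the window since exploitation was first observed. The path prefixes, the log format and the sample log lines are assumptions and constructed data; confirm the prefixes against Oracle's advisory for your WebLogic version.

```python
"""Scan web-server access logs for requests to the WebLogic components affected by
CVE-2019-2725 / CVE-2019-2729 (added example, not part of the original advisory)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Request-path prefixes served by the affected async-response and WS-AT web-service
# components. Assumption: confirm against Oracle's advisory and your WebLogic version.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# Combined Log Format as written by Apache/OHS-style reverse proxies in front of WebLogic.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with host, time (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def hits_watched_path(rec):
    """True when the request path (query string ignored) targets a watched component.
    Every method is reported: POSTs match the SOAP-based exploitation pattern for these
    CVEs, GETs are usually probes; either way the traffic deserves review."""
    path = rec["path"].split("?", 1)[0]
    return path.startswith(WATCHED_PREFIXES)


def scan(lines, since=None):
    """Return (hits, per_source_counts). `since` restricts results to requests at or
    after that time, e.g. the date exploitation was first observed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not hits_watched_path(rec):
            continue
        if since is not None and rec["time"] < since:
            continue
        hits.append(rec)
    return hits, Counter(h["host"] for h in hits)


# Constructed sample log lines (not real traffic); hosts and paths are illustrative.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Apr/2019:11:02:44 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Apr/2019:03:14:07 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Apr/2019:03:14:09 +0000] "GET /wls-wsat/CoordinatorPortType?wsdl HTTP/1.1" 200 1831 "-" "curl/7.64.0"',
    '192.168.1.20 - - [21/Apr/2019:08:00:01 +0000] "GET /workspace/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.21 - - [21/Apr/2019:08:00:05 +0000] "POST /HyperionPlanning/faces/Login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # Window starting when the attacks were first noted, per the advisory above.
    first_noted = datetime(2019, 4, 17, tzinfo=timezone.utc)
    hits, per_source = scan(SAMPLE_LOG, since=first_noted)
    for h in hits:
        print(f'{h["time"].isoformat()} {h["host"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("requests per source:", dict(per_source))
```

Run it against the real proxy logs (one line per iteration, so a large file streams fine) and feed the per-source counts to the perimeter review; a source repeatedly posting to these paths from outside the expected client population is exactly the kind of exposure the last action item asks you to limit.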
Should you have any further questions on this matter, you can email us at firstname.lastname@example.org.
#tgg #securitymatters #sodinokibi #weblogic #hyperion