Overview
ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.
In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.
Mitigation
ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky, these modes also lack forward secrecy.
By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.
Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems.
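The check below is an added example, not code from the original page or from the ROBOT authors. It shows one way to apply and verify the mitigation with Python's `ssl` module on an OpenSSL-backed build, where the RSA encryption suites are selected by the OpenSSL cipher-string terms `kRSA` and `kRSAPSK` rather than by the `TLS_RSA` name prefix. The sample cipher list and the function names are constructed for illustration.

```python
import ssl

# OpenSSL cipher-string terms: kRSA = RSA key exchange (RSA encryption of the
# premaster secret), kRSAPSK = the RSA_PSK variant. "!" removes them for good.
NO_RSA_ENCRYPTION = "DEFAULT:!kRSA:!kRSAPSK"


def rsa_encryption_suites(ciphers):
    """Names of suites whose key exchange is RSA encryption.

    `ciphers` has the shape returned by ssl.SSLContext.get_ciphers(): the
    'kea' field is 'kx-rsa' for TLS_RSA_WITH_* suites and 'kx-ecdhe' or
    'kx-dhe' for the (EC)DHE suites that use RSA only for signatures.
    """
    return [c["name"] for c in ciphers if c.get("kea", "").startswith("kx-rsa")]


def hardened_server_context():
    """Server-side context with the RSA encryption modes removed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(NO_RSA_ENCRYPTION)
    return ctx


# Constructed sample in get_ciphers() format (OpenSSL names, which do not
# carry the TLS_RSA prefix that the IANA names have).
SAMPLE = [
    {"name": "AES128-GCM-SHA256", "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "AES256-SHA", "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "kea": "kx-dhe", "auth": "auth-rsa"},
    {"name": "TLS_AES_128_GCM_SHA256", "kea": "kx-any", "auth": "auth-any"},
]

if __name__ == "__main__":
    print("sample, to disable:", rsa_encryption_suites(SAMPLE))
    live = hardened_server_context().get_ciphers()
    print("hardened context still offers RSA encryption:", rsa_encryption_suites(live))
    print("suites kept:", len(live))
```

The ECDHE-RSA and DHE-RSA entries stay in the kept set because they use RSA only for authentication, which matches the distinction drawn above.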
Solution
Apply the appropriate patch according to the July 2017 Oracle Critical Patch Update advisory here.