Data Center Security

  • 1.  DCS Prevention policy to block WebLogic Exploits?

    Posted Sep 05, 2019 03:57 PM

    I know they have been around for a few months already, but I received a request to mitigate against Oracle WebLogic vulnerabilities CVE-2019-2725 and CVE-2019-2729 that were reported being exploited back around April 2019, by using DCS:SA IPS policies.  Admittedly, we've only really used DCS:SA for FIM (IDS), but have applied IPS policies for OS/kernel hardening for EOL OS's.

    Does anyone have experience with applying an IPS policy to specifically mitigate WebLogic, or point us in the right direction on how best to apply a targeted prevention policy in this situation, while letting WebLogic still function?



  • 2.  RE: DCS Prevention policy to block WebLogic Exploits?

    Posted Sep 10, 2019 07:28 AM

    Hi Bobkatt. 

    Sounds like it might be a good use of the Profiling feature within DCS. You should find more in-depth information from the DCS Admin Guide about Profiling. You can find the appropriate version here - https://support.symantec.com/us/en/article.doc8925.html

    But essentially the process allows you to profile an application over a period of time, where DCS will collate information regarding the application operation, then compile a custom sandbox for the application as required. This would allow you to define the sandbox as per your use case for WebLogic, and will effectively harden the application to only your usage, thus blocking any actions not recorded by the profiling process - including the vulnerabilities. 

    Just be aware, if there are activities or actions WebLogic does that aren't profiled, it will block these actions too. 

    Hope this helps to point you in the right direction.
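The learn-then-enforce pattern described in the reply above, as an added illustration that is not part of the original thread and is not DCS:SA code (DCS's real policy format, event schema and matching rules are not reproduced; the `Event` fields, the directory-level generalisation of file targets, and the sample events are all assumptions constructed for this example). It shows both halves of the point made in the reply: a sandbox built from observed behaviour blocks actions never seen during profiling, and it blocks legitimate-but-unprofiled actions just the same.

```python
"""Toy model of application profiling: record what a process did during a
learning window, then enforce deny-by-default against that record.
Illustrative only; not Symantec DCS:SA code."""
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Event:
    process: str   # executable that performed the action
    action: str    # "file_write", "proc_exec" or "net_connect" (assumed vocabulary)
    target: str    # file path, child executable, or host:port


def _key(ev: Event) -> tuple:
    """Normalise an event into the form stored in the profile.

    File writes are generalised to their directory so the learned profile
    covers new files in an already-seen location (e.g. rotated logs).  This
    normalisation is an assumption of the example, not how DCS matches.
    """
    if ev.action == "file_write":
        return (ev.process, ev.action, posixpath.dirname(ev.target))
    return (ev.process, ev.action, ev.target)


def learn_profile(events) -> frozenset:
    """Learning mode: everything observed becomes part of the allow-set."""
    return frozenset(_key(e) for e in events)


def enforce(profile, events):
    """Prevention mode: anything not in the profile is blocked (deny by default)."""
    return [(e, "ALLOW" if _key(e) in profile else "BLOCK") for e in events]


def blocked(profile, events):
    """Convenience view: only the events the sandbox would block."""
    return [e for e, decision in enforce(profile, events) if decision == "BLOCK"]


# Constructed learning-period observations for a WebLogic server JVM
# (hypothetical paths; not captured from a real system).
LEARNED = [
    Event("java", "file_write", "/opt/weblogic/domains/base/servers/AdminServer/logs/access.log"),
    Event("java", "file_write", "/opt/weblogic/domains/base/servers/AdminServer/tmp/_WL_user/app.jar"),
    Event("java", "net_connect", "db.internal:1521"),
    Event("java", "proc_exec", "/usr/bin/java"),
]

# Constructed events seen after the sandbox is switched to prevention.
LIVE = [
    # Same log directory as during profiling: allowed by the directory rule.
    Event("java", "file_write", "/opt/weblogic/domains/base/servers/AdminServer/logs/access.log.1"),
    # Exact match with a learned network destination: allowed.
    Event("java", "net_connect", "db.internal:1521"),
    # Child process never observed during profiling: blocked.
    Event("java", "proc_exec", "/bin/sh"),
    # Legitimate backup job that simply was not running during profiling:
    # also blocked, which is the caveat the reply warns about.
    Event("java", "file_write", "/var/backups/weblogic/nightly.tar"),
]


if __name__ == "__main__":
    profile = learn_profile(LEARNED)
    for ev, decision in enforce(profile, LIVE):
        print(f"{decision:5} {ev.process} {ev.action} {ev.target}")
```

The last `LIVE` event is the practical reason to run the profiling window long enough to cover scheduled jobs, deployments and restarts before switching the sandbox to prevention: anything that only happens weekly or during maintenance will otherwise be blocked along with the unwanted behaviour.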