
How to repair the WebLogic "Java deserialization" remote command execution vulnerability

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shows how to fix the "Java deserialization" remote command execution vulnerability in WebLogic. I hope you will get something out of it. Let's go through it together.

1. Find the patch availability document on https://support.oracle.com. It reads as follows:

CVE-2015-4852 Patch Availability Document for Oracle WebLogic Server Component of Oracle Fusion Middleware (Doc ID 2075927.1)

APPLIES TO:

Oracle WebLogic Server - Version 10.3.6 to 12.2.1.0.0

Oracle Fusion Middleware

Oracle WebLogic Server - Version 10.3 to 10.3

Information in this document applies to any platform.

This applies to any product deployment using Oracle WebLogic Server

PURPOSE

This document defines minimum releases and patches for the Oracle WebLogic Server component of Oracle Fusion Middleware to address the vulnerability described in the Oracle Security Alert for CVE-2015-4852: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

DETAILS

It is important to read the Oracle Security Alert before reading this document. The table below defines minimum releases and patches for Oracle WebLogic Server.

See also Note 2076338.1 CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware

- January 2016 CPU Update:

Beginning January 2016, CVE-2015-4852 fixes are now included in the below Patch Set Update (PSU) releases and higher:

12.2.1.0.1

12.1.3.0.6

12.1.2.0.8

10.3.6.0.13

- To obtain the latest cumulative PSU, refer to the Critical Patch Update program at http://www.oracle.com/technetwork/topics/security/alerts-086861.html. Review the latest Advisory and click the "Fusion Middleware" link within to obtain the latest cumulative Patch Availability Document.

- Important: If you have a version older than 10.3.6 or 12.1.2, you must upgrade as per the Error Correction Policy: Note 950131.1, "Error Correction Support Dates for Oracle WebLogic Server".

- The initial patching requirements from November 2015 are listed below with patch links for all versions under error correction support:

| WLS Release | Required Patches |
| --- | --- |
| 12.2.1.0 | Patch 22248372 for CVE-2015-4852 |
| 12.1.3.0 | PSU 12.1.3.0.5 (Patch 21370953) + Patch 22248372 for CVE-2015-4852 |
| 12.1.2.0 | PSU 12.1.2.0.7 (Patch 21364493) + Patch 22248372 for CVE-2015-4852 |
| 10.3.6.0 | PSU 10.3.6.0.12 (Patch 20780171, Smart Update Patch ID: EJUW) + Patch 22248372 for CVE-2015-4852 |

- Patches are not password protected for versions listed above. Older versions are now expired.

- Due to issues with linking to the standard My Oracle Support patch download page, the above links go to an alternative updates.oracle.com location. If you have firewall rules on your network, you should adjust accordingly for the links to work.

- You may also access these patches by going to the "Patches and Updates" tab, perform a search on the above numbers and select your version.

REFERENCES

NOTE:2076338.1 - CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware

NOTE:1074055.1 - Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products

2. Download the patches through the links in the Required Patches column of the original document. The version I use is 10.3.6.0, so the fix packs I need to download are PSU 10.3.6.0.12 (Patch 20780171) + the 10.3.6.0.12 Patch 22248372 for CVE-2015-4852.

3. Apply the patches (note: the paths shown in this article will differ in other environments)

[cams@JJ129077 dateFiles]$ cd /home/cams/bea/middleware/wlserver_10.3/server/bin/

[cams@JJ129077 bin]$ ls

International setWLSEnv.sh startNodeManager.sh

[cams@JJ129077 bin]$ . ./setWLSEnv.sh

CLASSPATH=/home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/cams/bea/middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/usr/java/jdk1.6.0_45/lib/tools.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic.jar:/home/cams/bea/middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/webservices.jar:/home/cams/bea/middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/home/cams/bea/middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:.:/usr/java/jdk1.6.0_45/lib/dt.jar:/usr/java/jdk1.6.0_45/lib/tools.jar

PATH=/home/cams/bea/middleware/wlserver_10.3/server/bin:/home/cams/bea/middleware/modules/org.apache.ant_1.7.1/bin:/usr/java/jdk1.6.0_45/jre/bin:/usr/java/jdk1.6.0_45/bin:/usr/java/jdk1.6.0_45/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin::/home/cams/bin

Your environment has been set.

[cams@JJ129077 bin]$ java weblogic.version

WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050

Use 'weblogic.version -verbose' to get subsystem information

Use 'weblogic.utils.Versions' to get version information for all modules

[cams@JJ129077 zip]$ cd /home/cams/bea/middleware/utils/bsu

[cams@JJ129077 bsu]$ ./bsu.sh -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -status=applied -verbose -view

ProductName: WebLogic Server

ProductVersion: 10.3 MP6

Components: WebLogic Server/Core Application Server,WebLogic Server/Administration Console,WebLogic Server/Configuration Wizard and Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Server,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic Server/WebLogic Server Clients,WebLogic Server/WebLogic Web Server Plugins,WebLogic Server/UDDI and Xquery Support,WebLogic Server/Evaluation Database,WebLogic Server/Workshop Code Completion Support

BEAHome: /home/cams/bea/middleware

ProductHome: /home/cams/bea/middleware/wlserver_10.3

PatchSystemDir: /home/cams/bea/middleware/utils/bsu

PatchDir: /home/cams/bea/middleware/patch_wls1036

Profile: Default

DownloadDir: /home/cams/bea/middleware/utils/bsu/cache_dir

JavaVersion: 1.6.0_29

JavaVendor: Sun

Upload p20780171_1036_Generic.zip and p22248372_1036012_Generic.zip to the DownloadDir path, /home/cams/bea/middleware/utils/bsu/cache_dir, and unzip them there:

[cams@JJ129077 cache_dir]$ unzip p20780171_1036_Generic.zip

Archive: p20780171_1036_Generic.zip

extracting: EJUW.jar

inflating: patch-catalog_22958.xml

inflating: README.txt

[cams@JJ129077 cache_dir]$ unzip p22248372_1036012_Generic.zip

Archive: p22248372_1036012_Generic.zip

inflating: patch-catalog_23501.xml

replace README.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r

new name: README1.txt

inflating: README1.txt

inflating: ZLNA.jar

If you are not sure how to apply the patch, refer to the README file in p20780171_1036_Generic.zip; its contents are attached at the end of this article. (Stop WebLogic before patching; the easiest way is to kill the process.)

[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose

Exception in thread "main" java.lang.OutOfMemoryError: Java heap space

at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:448)

at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:464)

at com.bea.plateng.patch.dao.cat.PatchCatalog.getPatchDependencies(PatchCatalog.java:56)

at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getInvalidatedPatchMap(PatchCatalogHelper.java:1621)

at com.bea.plateng.patch.PatchSystem.updatePatchCatalog(PatchSystem.java:436)

at com.bea.plateng.patch.PatchSystem.refresh(PatchSystem.java:130)

at com.bea.plateng.patch.PatchSystem.setCacheDir(PatchSystem.java:201)

at com.bea.plateng.patch.Patch.main(Patch.java:281)

The installer ran out of Java heap space, so edit MEM_ARGS in bsu.sh to raise the heap limits, then run the installation again:

[cams@JJ129077 bsu]$ ls

Bsu.jar bsu.sh cache_dir patch-client.jar smartupdate.ico

[cams@JJ129077 bsu]$ vi bsu.sh

[cams@JJ129077 bsu]$ cat bsu.sh

#!/bin/sh

JAVA_HOME="/usr/java/jdk1.6.0_45"

MEM_ARGS="-Xms2560m -Xmx5120m"

"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*

[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose

Check for conflicts.

No conflict detected

Start installing patch ID: EJUW

Install /home/cams/bea/middleware/utils/bsu/cache_dir/EJUW.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/BUG20780171_1036012.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxp_1.4.5.0.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar

Update /home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar

Old inventory value: Class-Path=

New inventory value: Class-Path=../patch_jars/BUG20780171_1036012.jar ../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../patch_jars/glassfish.jaxp_1.4.5.0.jar ../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar


Result: success

[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=ZLNA -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose

Check for conflicts.

No conflict detected

Start installing patch ID: ZLNA

Install /home/cams/bea/middleware/utils/bsu/cache_dir/ZLNA.jar

Decompress /home/cams/bea/middleware/patch_wls1036/patch_jars/BUG22248372_1036.jar

Update /home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar

Old inventory value: Class-Path=../patch_jars/BUG20780171_1036012.jar ../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../patch_jars/glassfish.jaxp_1.4.5.0.jar ../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar

New inventory value: Class-Path=../patch_jars/BUG22248372_1036.jar ../patch_jars/BUG20780171_1036012.jar ../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../patch_jars/glassfish.jaxp_1.4.5.0.jar ../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar

Backup /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar to /home/cams/bea/middleware/patch_wls1036/backup/backup.jar

Decompress /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar62442.tmp

Merge /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar62442.tmp with /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar

Result: success

4. View the patch information that was just updated

[cams@JJ129077 bsu]$ ./bsu.sh -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -status=applied -verbose -view

ProductName: WebLogic Server

ProductVersion: 10.3 MP6

Components: WebLogic Server/Core Application Server,WebLogic Server/Administration Console,WebLogic Server/Configuration Wizard and Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Server,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic Server/WebLogic Server Clients,WebLogic Server/WebLogic Web Server Plugins,WebLogic Server/UDDI and Xquery Support,WebLogic Server/Evaluation Database,WebLogic Server/Workshop Code Completion Support

BEAHome: /home/cams/bea/middleware

ProductHome: /home/cams/bea/middleware/wlserver_10.3

PatchSystemDir: /home/cams/bea/middleware/utils/bsu

PatchDir: /home/cams/bea/middleware/patch_wls1036

Profile: Default

DownloadDir: /home/cams/bea/middleware/utils/bsu/cache_dir

JavaVersion: 1.6.0_29

JavaVendor: Sun

Patch ID: EJUW

PatchContainer: EJUW.jar

Checksum: 1554039558

Severity: optional

Category: General

CR/BUG: 20780171

Restart: true

Description: WLS PATCH SET UPDATE 10.3.6.0.12

Patch ID: ZLNA

PatchContainer: ZLNA.jar

Checksum: -894774340

Severity: optional

Category: Security

CR/BUG: 22248372

Restart: true

Description: WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015)

[cams@JJ129077 bsu]$ java weblogic.version

WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015

WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015

WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050

Use 'weblogic.version -verbose' to get subsystem information

Use 'weblogic.utils.Versions' to get version information for all modules
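The version check above can be scripted so it runs the same way on every host. The following is an added example, not part of the original article or of Oracle's tooling: it classifies `java weblogic.version` output against the minimum PSU levels quoted in step 1. The function name and status words are made up for the example, three of the sample inputs are constructed, and it assumes the 12.x release lines print the same five-part version string shown here for 10.3.6.0.

```shell
#!/bin/sh
# Added example: classify `java weblogic.version` output for CVE-2015-4852.
# The function name and status words are hypothetical, chosen for this example.

# Copied from this article: output after both patches were applied.
PATCHED_SAMPLE='WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050'

# Copied from this article: output before patching.
UNPATCHED_SAMPLE='WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050'

# Constructed: PSU 10.3.6.0.12 installed, overlay patch 22248372 missing.
PSU_ONLY_SAMPLE='WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050'

# Constructed: a later cumulative PSU; the bug number is a placeholder.
LATER_PSU_SAMPLE='WebLogic Server 10.3.6.0.13 PSU Patch for BUG00000000
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050'

# Constructed: a release older than 10.3.6, which has no patch in the table.
OLD_RELEASE_SAMPLE='WebLogic Server 10.3.5.0 (constructed sample line)'

# Reads weblogic.version output on stdin and prints one status word:
#   fixed-overlay  overlay patch 22248372 is reported
#   fixed-psu      PSU level is at or above the January 2016 minimum
#   vulnerable     listed release, but neither of the above
#   unlisted       release line is not in the patch availability table
#   unparsed       no "WebLogic Server <version>" line was found
classify_weblogic_version() {
    awk '
    BEGIN {
        # Minimum PSU level per release line that already contains the fix.
        minpsu["12.2.1.0"] = 1;  minpsu["12.1.3.0"] = 6
        minpsu["12.1.2.0"] = 8;  minpsu["10.3.6.0"] = 13
        psu = 0; overlay = 0; release = ""
    }
    $1 == "WebLogic" && $2 == "Server" {
        if ($0 ~ /BUG22248372/) overlay = 1
        if ($3 !~ /^[0-9]+(\.[0-9]+)+$/) next      # e.g. "Temporary Patch" lines
        n = split($3, v, ".")
        if (n < 4) next
        release = v[1] "." v[2] "." v[3] "." v[4]
        level = (n >= 5) ? v[5] + 0 : 0            # fifth field is the PSU level
        if (level > psu) psu = level
    }
    END {
        if (release == "")                print "unparsed"
        else if (overlay)                 print "fixed-overlay"
        else if (!(release in minpsu))    print "unlisted"
        else if (psu >= minpsu[release])  print "fixed-psu"
        else                              print "vulnerable"
    }'
}

# On a real host (after sourcing setWLSEnv.sh):
#   java weblogic.version | classify_weblogic_version
for name in PATCHED UNPATCHED PSU_ONLY LATER_PSU OLD_RELEASE; do
    eval "sample=\$${name}_SAMPLE"
    printf '%-12s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_weblogic_version)"
done
```

The PSU_ONLY case is the one to watch for: PSU 10.3.6.0.12 alone leaves the server vulnerable until patch 22248372 (ZLNA) or a later cumulative PSU is installed.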

5. Appendix (README file: Patch 20780171)

Oracle WebLogic Server Patch Set Update 10.3.6.0.12 README

=

This README provides information about how to apply Oracle WebLogic Server Patch Set Update 10.3.6.0.12. It also provides information about reverting to the original version.

Released: July, 2015

Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.12

PATCH_ID - EJUW

Patch number - 20780171

Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.12

- WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis (or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis. PSU applied to a WebLogic Server installation using this recommended practice affect all domains and servers sharing that installation.

- Login as same "user" with which the component being patched is installed.

- Stop all WebLogic servers.

- Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches

Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.12

- unzip p20780171_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory

Note: You must make sure that the target directory for unzip has required write and executable permissions for "user" with which the component being patched is installed.

- Navigate to the {MW_HOME}/utils/bsu directory.

- Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

Where, WL_HOME is the path of the WebLogic home

Reference: BSU Command line interface

http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm

Post-Installation Instructions

A) Restart all WebLogic servers.

B) The following command is a simple way to determine the application of WebLogic Server PSU.

$ . $WL_HOME/server/bin/setWLSEnv.sh

$ java weblogic.version

In the following example output, 10.3.6.0.12 is the installed WebLogic Server PSU.

WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171

Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.12

- Stop all WebLogic Servers

- Navigate to the {MW_HOME}/utils/bsu directory.

- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

Post-Uninstallation Instructions

A) Restart all WebLogic Servers.

Oracle recommends that you see following key notes

- My Oracle Support NOTE: 1306505.1 Announcing Oracle WebLogic Server PSUs (Patch Set Updates)

https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1306505.1

- My Oracle Support NOTE: 1470197.1 Master Note on WebLogic Server Patch Set Updates (PSUs)

https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1470197.1

- My Oracle Support NOTE: 1471192.1 - Replacement Patches for WebLogic Server PSU Conflict Resolution

https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1471192.1

- SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher

https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1607170.1

- Smart Update Applying Patches to Oracle WebLogic Server

http://docs.oracle.com/cd/E14759_01/doc.32/e14143/intro.htm

=

Copyright © 2010, 2011, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

=

After reading this article, I believe you have a certain understanding of "how Weblogic fixes the vulnerability of remote command execution in the process of Java deserialization". If you want to know more about it, you are welcome to follow the industry information channel, thank you for reading!
