Fixing the WebLogic "Java Deserialization" Remote Command Execution Vulnerability
CVE-2015-4852 Patch Availability Document for Oracle WebLogic Server Component of Oracle Fusion Middleware (Doc ID 2075927.1)
APPLIES TO:
Oracle WebLogic Server - Version 10.3.6 to 12.2.1.0.0
Oracle Fusion Middleware
Oracle WebLogic Server - Version 10.3 to 10.3
Information in this document applies to any platform.
This applies to any product deployment using Oracle WebLogic Server
PURPOSE
This document defines minimum releases and patches for the Oracle WebLogic Server component of Oracle Fusion Middleware to address the vulnerability described in the Oracle Security Alert for CVE-2015-4852: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
DETAILS
It is important to read the Oracle Security Alert before reading this document. The table below defines minimum releases and patches for Oracle WebLogic Server.
See also Note 2076338.1 CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware
- January 2016 CPU Update:
Beginning January 2016, CVE-2015-4852 fixes are now included in the below Patch Set Update (PSU) releases and higher:
12.2.1.0.1
12.1.3.0.6
12.1.2.0.8
10.3.6.0.13
- To obtain the latest cumulative PSU, refer to the Critical Patch Update program at http://www.oracle.com/technetwork/topics/security/alerts-086861.html. Review the latest Advisory and click the "Fusion Middleware" link within to obtain the latest cumulative Patch Availability Document.
- Important: If you have a version older than 10.3.6 or 12.1.2, you must upgrade as per the Error Correction Policy: Note 950131.1, "Error Correction Support Dates for Oracle WebLogic Server".
- The initial patching requirements from November 2015 are listed below with patch links for all versions under error correction support:
WLS Release | Required Patches
12.2.1.0 | for CVE-2015-4852
12.1.3.0 | PSU 12.1.3.0.5 () + Patch 22248372 for CVE-2015-4852
12.1.2.0 | PSU 12.1.2.0.7 () + for CVE-2015-4852
10.3.6.0 | PSU 10.3.6.0.12 (), Smart Update Patch ID: EJUW) + for CVE-2015-4852
- Patches are not password protected for versions listed above. Older versions are now expired.
- Due to issues with linking to the standard My Oracle Support patch download page, the above links go to an alternative updates.oracle.com location. If you have firewall rules on your network, you should adjust accordingly for the links to work.
- You may also access these patches by going to the "Patches and Updates" tab, perform a search on the above numbers and select your version.
REFERENCES
NOTE:2076338.1 - CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware
NOTE:1074055.1 - Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
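2. Download the patches using the links under Required Patches in the original document. The version I am using is 10.3.6.0, so the patch packages to download are PSU 10.3.6.0.12 (Patch 20780171) + 10.3.6.0.12 Patch 22248372 for CVE-2015-4852
3. Apply the patches (note: paths differ between environments and will not match the ones in this article)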
[cams@JJ129077 dateFiles]$ cd /home/cams/bea/middleware/wlserver_10.3/server/bin/
[cams@JJ129077 bin]$ ls
international setWLSEnv.sh startNodeManager.sh
[cams@JJ129077 bin]$ . ./setWLSEnv.sh
CLASSPATH=/home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/cams/bea/middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/usr/java/jdk1.6.0_45/lib/tools.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic.jar:/home/cams/bea/middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/webservices.jar:/home/cams/bea/middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/home/cams/bea/middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:.:/usr/java/jdk1.6.0_45/lib/dt.jar:/usr/java/jdk1.6.0_45/lib/tools.jar

PATH=/home/cams/bea/middleware/wlserver_10.3/server/bin:/home/cams/bea/middleware/modules/org.apache.ant_1.7.1/bin:/usr/java/jdk1.6.0_45/jre/bin:/usr/java/jdk1.6.0_45/bin:/usr/java/jdk1.6.0_45/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin::/home/cams/bin

Your environment has been set.
[cams@JJ129077 bin]$ java weblogic.version

WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050

Use 'weblogic.version -verbose' to get subsystem information

Use 'weblogic.utils.Versions' to get version information for all modules

[cams@JJ129077 zip]$ cd /home/cams/bea/middleware/utils/bsu
[cams@JJ129077 bsu]$ ./bsu.sh -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /home/cams/bea/middleware
ProductHome: /home/cams/bea/middleware/wlserver_10.3
PatchSystemDir: /home/cams/bea/middleware/utils/bsu
PatchDir: /home/cams/bea/middleware/patch_wls1036
Profile: Default
DownloadDir: /home/cams/bea/middleware/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun

Upload p20780171_1036_Generic.zip and p22248372_1036012_Generic.zip to the DownloadDir path, /home/cams/bea/middleware/utils/bsu/cache_dir, and unzip them
[cams@JJ129077 cache_dir]$ unzip p20780171_1036_Generic.zip
Archive: p20780171_1036_Generic.zip
extracting: EJUW.jar
inflating: patch-catalog_22958.xml
inflating: README.txt
[cams@JJ129077 cache_dir]$ unzip p22248372_1036012_Generic.zip
Archive: p22248372_1036012_Generic.zip
inflating: patch-catalog_23501.xml
replace README.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: README1.txt
inflating: README1.txt
inflating: ZLNA.jar

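If you are not sure how to apply the patches, refer to the README file in p20780171_1036_Generic.zip; its contents are attached at the end of this article. (Stop WebLogic before patching; the simplest way is to kill the process.)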
[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:448)
at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:464)
at com.bea.plateng.patch.dao.cat.PatchCatalog.getPatchDependencies(PatchCatalog.java:56)
at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getInvalidatedPatchMap(PatchCatalogHelper.java:1621)
at com.bea.plateng.patch.PatchSystem.updatePatchCatalog(PatchSystem.java:436)
at com.bea.plateng.patch.PatchSystem.refresh(PatchSystem.java:130)
at com.bea.plateng.patch.PatchSystem.setCacheDir(PatchSystem.java:201)
at com.bea.plateng.patch.Patch.main(Patch.java:281)
[cams@JJ129077 bsu]$ ls
-
bsu.jar bsu.sh cache_dir patch-client.jar smartupdate.ico
-
[cams@JJ129077 bsu]$ vi bsu.sh
-
[cams@JJ129077 bsu]$ cat bsu.sh
-
#!/bin/sh
-
-
JAVA_HOME="/usr/java/jdk1.6.0_45"
-
-
MEM_ARGS="-Xms2560m -Xmx5120m"
-
-
"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*
-
[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose
檢查衝突....
未檢測到衝突

開始安裝補丁程式 ID: EJUW
安裝 /home/cams/bea/middleware/utils/bsu/cache_dir/EJUW.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/BUG20780171_1036012.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxp_1.4.5.0.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
更新 /home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar
舊清單值: Class-Path=
新清單值: Class-Path=../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/console.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.descriptor.wl.binding_1.4.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jstl-1.2.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-notran-adp.rar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-fileupload.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls-schema_10.3.6.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/bin/wlsifconfig.sh 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-1.2.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls_7.2.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/glassfish.jstl_1.2.0.1.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-2.0.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient+ssl.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/schema/weblogic-domain-binding.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/jdbcdrivers.xml 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-xa-adp.rar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/console.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.descriptor.wl.binding_1.4.0.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jstl-1.2.war
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-notran-adp.rar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-fileupload.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar
解壓縮 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls-schema_10.3.6.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-io-2.4.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/bin/wlsifconfig.sh
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-1.2.war
解壓縮 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls_7.2.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.stax2_2.0.0.0_3-0-3.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlclient.jar
解壓縮 /home/cams/bea/middleware/modules/glassfish.jstl_1.2.0.1.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/bugsfixed/20780171-WLS-10.3.6.0.12_PSU_WebServices-ClientSide-Configuration-README.txt
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-2.0.war
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient+ssl.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/bugsfixed/WLS-PSU-bugsfixed.txt
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/schema/weblogic-domain-binding.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/jdbcdrivers.xml
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-xa-adp.rar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar29284.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar29284.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar44830.tmp
合併 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar44830.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear31614.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear31614.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip5321.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip5321.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war39919.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war39919.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war
解壓縮 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar55192.tmp
合併 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar55192.tmp 與 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar13700.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar13700.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar38734.tmp
合併 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar38734.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar20032.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar20032.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3client.jar16624.tmp
更新 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3client.jar16624.tmp 到 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3client.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar10325.tmp
合併 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar10325.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar11487.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar11487.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar1720.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar1720.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3jmsclient.jar4576.tmp
更新 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3jmsclient.jar4576.tmp 到 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3jmsclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar51603.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar51603.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar
解壓縮 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar5281.tmp
合併 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar5281.tmp 與 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar34716.tmp
合併 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar34716.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar59274.tmp
合併 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar59274.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar57658.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar57658.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.weblogic.stax_1.11.0.0.jar58675.tmp
更新 /home/cams/bea/middleware/modules/com.bea.core.weblogic.stax_1.11.0.0.jar58675.tmp 到 /home/cams/bea/middleware/modules/com.bea.core.weblogic.stax_1.11.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar23342.tmp
合併 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar23342.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar
結果: 成功

[cams@JJ129077 bsu]$

[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=ZLNA -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose
檢查衝突....
未檢測到衝突

開始安裝補丁程式 ID: ZLNA
安裝 /home/cams/bea/middleware/utils/bsu/cache_dir/ZLNA.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/BUG22248372_1036.jar
更新 /home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar
舊清單值: Class-Path=../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
新清單值: Class-Path=../../../patch_jars/BUG22248372_1036.jar ../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar62442.tmp
合併 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar62442.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar
結果: 成功
4. View the information for the patches just applied
[cams@JJ129077 bsu]$ ./bsu.sh -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /home/cams/bea/middleware
ProductHome: /home/cams/bea/middleware/wlserver_10.3
PatchSystemDir: /home/cams/bea/middleware/utils/bsu
PatchDir: /home/cams/bea/middleware/patch_wls1036
Profile: Default
DownloadDir: /home/cams/bea/middleware/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun

Patch ID: EJUW
PatchContainer: EJUW.jar
Checksum: 1554039558
Severity: optional
Category: General
CR/BUG: 20780171
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.12
WLS PATCH SET UPDATE 10.3.
6.0.12

Patch ID: ZLNA
PatchContainer: ZLNA.jar
Checksum: -894774340
Severity: optional
Category: Security
CR/BUG: 22248372
Restart: true
Description: WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015
)
WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 20
15)

[cams@JJ129077 bsu]$ java weblogic.version

WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050

Use 'weblogic.version -verbose' to get subsystem information

Use 'weblogic.utils.Versions' to get version information for all modules
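The check in step 4 can be scripted when several installations have to be audited. The script below is an added example, not part of the original post or of Oracle's tooling: it reads `java weblogic.version` and `bsu.sh -view` output in the format shown above and applies the rules quoted from the Oracle document for the 10.3.6.0 line only (fix included from PSU 10.3.6.0.13, otherwise PSU 10.3.6.0.12 plus Patch 22248372). The function names, the status strings and the PSU 13 sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit helper for WebLogic 10.3.6.0.
# Rules taken from the Oracle document quoted in this article:
#   - PSU 10.3.6.0.13 or higher already contains the CVE-2015-4852 fix
#   - otherwise PSU 10.3.6.0.12 plus overlay Patch 22248372 is required

# Classify the text printed by `java weblogic.version`.
# Prints one of: fixed-by-psu | fixed-by-overlay | missing-fix | not-10.3.6.0
# (the status strings are this example's own naming).
cve_2015_4852_status() {
    printf '%s\n' "$1" | awk '
        $1 == "WebLogic" && $2 == "Server" {
            if ($3 == "10.3.6.0") {
                base = 1                       # base release line
            } else if ($3 ~ /^10\.3\.6\.0\.[0-9]+$/ && $4 == "PSU") {
                n = split($3, v, ".")          # last component is the PSU level
                if (v[n] + 0 > psu) psu = v[n] + 0
            } else if ($3 == "Temporary" && $6 == "BUG22248372") {
                overlay = 1                    # CVE-2015-4852 overlay patch
            }
        }
        END {
            if (!base)                     print "not-10.3.6.0"
            else if (psu >= 13)            print "fixed-by-psu"
            else if (psu == 12 && overlay) print "fixed-by-overlay"
            else                           print "missing-fix"
        }'
}

# List the bug numbers recorded in `bsu.sh -status=applied -verbose -view`
# output, sorted and space-separated.
bsu_applied_bugs() {
    printf '%s\n' "$1" | awk '$1 == "CR/BUG:" { print $2 }' | sort -u | paste -sd ' ' -
}

# Succeed only when the version output shows the fix and, for the overlay
# case, the BSU inventory also lists bug 22248372.
# $1 = `java weblogic.version` output, $2 = `bsu.sh ... -view` output
fix_confirmed() {
    case "$(cve_2015_4852_status "$1")" in
        fixed-by-psu) return 0 ;;
        fixed-by-overlay)
            case " $(bsu_applied_bugs "$2") " in
                *" 22248372 "*) return 0 ;;
            esac ;;
    esac
    return 1
}

# Sample inputs. The first three lines and BSU_VIEW are trimmed from the output
# shown in this article; PSU13 is constructed and its bug number is a placeholder.
BASE_LINE='WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050'
PSU12_LINE='WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015'
OVERLAY_LINE='WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015'
NL='
'
UNPATCHED=$BASE_LINE
PSU_ONLY=$PSU12_LINE$NL$BASE_LINE
PATCHED=$OVERLAY_LINE$NL$PSU12_LINE$NL$BASE_LINE
PSU13="WebLogic Server 10.3.6.0.13 PSU Patch for BUG00000000 (placeholder)$NL$BASE_LINE"
BSU_VIEW='Patch ID: EJUW
CR/BUG: 20780171
Patch ID: ZLNA
CR/BUG: 22248372'

# Demonstration on the samples. On a real host, pass the live output instead:
#   cve_2015_4852_status "$(java weblogic.version)"
printf 'unpatched: %s\n' "$(cve_2015_4852_status "$UNPATCHED")"
printf 'PSU 12 only: %s\n' "$(cve_2015_4852_status "$PSU_ONLY")"
printf 'PSU 12 + overlay: %s\n' "$(cve_2015_4852_status "$PATCHED")"
printf 'PSU 13 (constructed): %s\n' "$(cve_2015_4852_status "$PSU13")"
printf 'BSU inventory bugs: %s\n' "$(bsu_applied_bugs "$BSU_VIEW")"
```

`java weblogic.version` reports the patch jars on the classpath of the current shell, so run it after sourcing setWLSEnv.sh as in step 3. Running servers only pick up the fix after the restart that the README and the `Restart: true` field call for.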
5. Appendix (README file: Patch 20780171)
Oracle WebLogic Server Patch Set Update 10.3.6.0.12 README
=========================================================

This README provides information about how to apply Oracle WebLogic Server
Patch Set Update 10.3.6.0.12. It also provides information about reverting to
the original version.

Released: July, 2015

Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.12
--------------------------------------------------------------------------

PATCH_ID - EJUW
Patch number - 20780171

Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.12
-----------------------------------------------------------------------

- WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis
  (or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis.
  PSU applied to a WebLogic Server installation using this recommended practice
  affect all domains and servers sharing that installation.
- Login as same "user" with which the component being patched is installed.
- Stop all WebLogic servers.
- Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches

Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.12
-------------------------------------------------------------

- unzip p20780171_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory

  Note: You must make sure that the target directory for unzip has required write and executable permissions
  for "user" with which the component being patched is installed.

- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

  Where, WL_HOME is the path of the WebLogic home

  Reference: BSU Command line interface
  http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm

Post-Installation Instructions
------------------------------

a) Restart all WebLogic servers.

b) The following command is a simple way to determine the application of WebLogic Server PSU.

   $ . $WL_HOME/server/bin/setWLSEnv.sh
   $ java weblogic.version

   In the following example output, 10.3.6.0.12 is the installed WebLogic Server PSU.

   WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171

Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.12
---------------------------------------------------------------

- Stop all WebLogic Servers
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

Post-Uninstallation Instructions
--------------------------------

a) Restart all WebLogic Servers.

Oracle recommends that you see following key notes
--------------------------------------------------

- My Oracle Support NOTE: 1306505.1 Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
  https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1306505.1

- My Oracle Support NOTE: 1470197.1 Master Note on WebLogic Server Patch Set Updates (PSUs)
  https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1470197.1

- My Oracle Support NOTE: 1471192.1 - Replacement Patches for WebLogic Server PSU Conflict Resolution
  https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1471192.1

- SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher
  https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1607170.1

- Smart Update Applying Patches to Oracle WebLogic Server
  http://docs.oracle.com/cd/E14759_01/doc.32/e14143/intro.htm

==========================================================================
Copyright © 2010, 2011, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
==========================================================================
From the ITPUB blog, link: http://blog.itpub.net/31394774/viewspace-2142526/. If you repost this article, please credit the source; otherwise legal liability will be pursued.