WebLogic 11g (10.3.6) on Windows: PSU upgrade to 10.3.6.0.171017 (Java deserialization vulnerability fix)


WebLogic 10.3.6 needs to be patched to 10.3.6.0.171017 (the October 2017 PSU, which addresses the Java deserialization vulnerability); Oracle officially recommends at least the October 2017 patch. Versions below 10.3.6 must first be upgraded to 10.3.6 and then patched.

First, check the version

1. Run the following script to set the environment variables
D:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

1.1. View WebLogic Version

D:\oracle\middleware\utils\bsu>java weblogic.version

WebLogic Server temporary Patch for BUG22248372 Tue Nov 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU June 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 08:52:36 PST 2011 1441050

Use 'weblogic.version -verbose' to get subsystem information

Use 'weblogic.utils.Versions' to get version information for all modules

D:\Oracle\Middleware\utils\bsu

C:\Program Files (x86)\java\jdk1.6.0_43

1.2. WebLogic Version Details
D:\oracle\middleware\utils\bsu>java weblogic.version -verbose

WebLogic Server temporary Patch for BUG22248372 Tue Nov 00:35:04 MST implversion:10.3.6.0
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU June 15:54:42 IST implversion:10.3.6.0
WebLogic Server 10.3.6.0 Tue Nov 08:52:36 PST 1441050 implversion:10.3.6.0
Oracle WebLogic Server Module Dependencies 10.3 Thu Sep 17:47:37 EDT implversion:10.3.6.0
Oracle WebLogic Server on JRockit Virtual Edition Module Dependencies 10.3 Wed June 17:54:24 EDT implversion:10.3.6.0
Oracle Virtual Machine Manager Client Implementation implversion:1.1.0.0
WebLogic descriptors for EE 1.6 Wed Dec 1 17:14:50 EST implversion:1.6.0.0
WebLogic descriptors for EE 1.6 Binding Bundle implversion:1.6.0.0
WebLogic specific descriptors 1.4 Mon 8 09:26:15 MDT implversion:1.4.0.0
WebLogic specific descriptors 1.4 Binding Bundle implversion:1.4.0.0
WebLogic Datasource 1.10 Sat Nov 08:11:09 PST implversion:1.10.0.0
WebLogic Datasource 1.10 Binding Bundle implversion:1.10.0.0
WebLogic Beangen Client capable 1.7 Wed Feb 16:02:48 PST implversion:1.7.0.0
WebLogic Beangen 1.7 Binding Bundle implversion:1.7.0.0
WebLogic Management Core Interfaces Client capable 2.9 Thu-17:17:14 PDT implversion:2.9.0.1
WebLogic Management Core Interfaces 2.9 Binding Bundle implversion:2.9.0.1
WebLogic Ejbgen Client capable 1.1 Tue Nov 2 03:30:53 PDT implversion:1.1.0.3
WebLogic STAX Client capable 1.10 Wed June 8 09:12:28 EDT implversion:1.10.0.0
WebLogic Utils Client capable 1.10 Sat Oct 15:34:23 MDT implversion:1.10.0.0
WebLogic SAAJ 1.8 Mon Oct 02:49:29 PDT implversion:1.8.0.0
WebLogic Apache Classes Client capable 1.3 Mon Sep 23:58:26 EDT implversion:1.3.0.1
WebLogic BeanInfo Caching and Discovery Client capable 2.4 Sat Oct 20:46:29 PDT implversion:2.4.0.0
WebLogic Descriptor Client capable 1.10 Wed 12:59:06 PDT implversion:1.10.0.0
Oracle JFR 1.0 Thu Feb 19:06:33 PST implversion:1.0.0.0
WebLogic Diagnostics Core Interfaces Client capable 2.6 Thu Oct 6 01:11:08 EDT implversion:2.6.0.0
WebLogic Diagnostics Logging Client capable 1.2 Fri Dec 11:37:59 MST implversion:1.2.0.0
WebLogic Diagnostics Query Module Client capable 1.3 Fri Jul 1 07:32:00 PDT implversion:1.3.0.0
WebLogic Diagnostics Instrumentor Tool 1.8 Thu Oct 6 01:11:08 EDT implversion:1.8.0.0
WebLogic Diagnostics Instrumentor Config Tool 1.8 Thu Oct 6 01:11:08 EDT implversion:1.8.0.0
WebLogic Diagnostics JRockit Flight Recorder Interfaces Client capable 1.2 Wed Dec 1 17:41:28 EST implversion:1.2.0.0
WebLogic i18n Runtime Support Client capable 1.9 Thu Sep 1 07:41:47 PDT implversion:1.9.0.0
WebLogic i18n Build support Client capable 1.5 Fri Feb 15:03:15 EST implversion:1.5.0.0
WebLogic i18n Tools Client capable 1.4 Thu Sep 1 07:41:47 PDT implversion:1.4.0.0
WebLogic Management JMX Interfaces 1.4 Fri Sep 16:19:28 EDT implversion:1.4.2.0
WebLogic Security Provider Generation Tool 1.5 Wed Oct 16:39:28 MDT implversion:1.5.0.0
WebLogic Security Provider Generation Tool Client capable 1.5 Wed Oct + 16:39:28 MDT implversion:1.5.0.0
WebLogic Messaging Kernel Client capable 1.8 Mon-21:42:11 EDT implversion:1.8.0.0
WebLogic Resource Pool Client capable 1.8 Thu Oct 6 16:06:35 PDT implversion:1.8.0.0
WebLogic Socket muxer API Client capable 1.3 Thu in 16:24:35 EDT implversion:1.3.0.0
WebLogic RMI Client capable 1.11 Tue Sep 15:07:37 EDT implversion:1.11.0.0
WebLogic Store Client capable 1.8 Mon Oct 3 09:57:28 PDT implversion:1.8.0.0
WebLogic STORE GXA Client capable 1.7 Fri APR 1 14:30:50 PDT implversion:1.7.0.0
WebLogic Store Admin Tool Client capable 1.3 Thu April 09:32:45 PDT implversion:1.3.0.0
WebLogic JDBC Store Client capable 1.3 Fri Sep 08:41:14 MDT implversion:1.3.1.0
WebLogic JTA Implementation Client capable 2.7 Sat Oct 07:12:58 PDT implversion:2.7.1.0
WebLogic Utils 1.10 Sat Oct 15:34:23 MDT implversion:1.10.0.0
WebLogic Utility Classloader implementations Client capable 2.0 Wed may 10:00:41 PDT implversion:2.0.0.0
WebLogic Java compiler Utils package Client capable 1.2 Thu Feb 03:38:50 EST implversion:1.2.0.0
WebLogic Utils for working with Expressions Client capable 1.4 Tue Sep 14:45:53 EDT implversion:1.4.0.0
WebLogic Utils for dynamically Generated Class Wrappers Client capable 1.4 Fri Feb 14:44:23 MST implversion:1.4.0.0
WebLogic Timers Client capable 1.7 Fri Feb 4 14:23:26 MST implversion:1.7.1.0
WebLogic work Manager Client capable 1.11 Thu Oct 6 11:12:55 PDT implversion:1.11.0.0
WebLogic Workarea Client capable 1.8 Tue June (04:08:48 EDT) implversion:1.8.0.0
WebLogic XML XPath Implementation Client capable 1.5 Thu SEP 1 22:11:12 EDT implversion:1.5.0.0
WebLogic Security 1.0 Fri 08:44:53 MDT implversion:6.2.0.0
WebLogic Security SSL Classes 1.0 Tue June 17:39:53 EDT implversion:1.0.0.0
WebLogic NodeManager Plugin Client capable 1.3 Tue Nov 18:23:10 EST implversion:1.3.0.0
WebLogic JMS Pool Client capable 1.9 Wed April 13:03:26 EDT implversion:1.9.0.0
WebLogic Http pub/sub Module Client capable 1.7 Fri Jul 8 13:06:46 EDT implversion:1.7.0.0
WebLogic WebApp Container public API Client capable 1.4 Fri Oct 1 20:01:15 PDT implversion:1.4.0.0
WebLogic Coherence Descriptor 1.2 Thu Sep 1 08:29:31 PDT implversion:1.2.0.0
WebLogic Coherence Descriptor 1.2 Binding Bundle implversion:1.2.0.0
WebLogic WebService Public API's 1.1 Tue Sep 22:15:05 EDT implversion:1.1.0.0
WebLogic Eclipselink Integration 1.0 Thu Feb 14:56:43 PST implversion:1.0.0.0
WebLogic SCA Client 1.0 Thu Feb 00:27:10 EST implversion:1.0.0.0
WebLogic RAC Module UCP Client capable 1.1 Thu Oct 6 16:06:35 PDT implversion:1.1.0.0
Oracle Universal Connection Pool implversion:11.2.0.3.0

SERVICE NAME                     VERSION INFORMATION
============                     ===================
Kernel                           Commonj WorkManager v1.1
TimerService                     Commonj TimerManager v1.1
CorbaService                     CORBA 2.3, IIOP 1.2, RMI-IIOP SFV2, OTS 1.2, CSIv2 Level 0 + Stateful
XMLService                       XML 1.1
Transaction Service              JTA 1.1
JDBCService                      JSR-221, JDBC 4.0
CustomResourceServerService      1.0.0.0
Servlet Container                Servlet 2.5, JSP 2.1
WebServices                      JSR-173, JAX-RPC, JSR-109, WSDL, WS-Addressing, WS-Policy, JAX-B, JAX-R, UDDI, WS-Management (HP), JAXP-1.3, WS-Security
Transaction Stop Service         JTA 1.1
Pre Admin Singleton Services S   1.0
Singleton Services Batch Manag   1.0
Post Admin Singleton Services    1.0
EJB Container                    EJB 3.0
MDBService                       EJB 3.0
EJBTimerService                  EJB 3.0
Java Connector                   1.5
JMS Service                      JMS 1.1


D:\oracle\middleware\utils\bsu>


1.3. WebLogic patch details (BSU view of applied patches)
D:\oracle\middleware\utils\bsu>bsu.cmd -prod_dir=d:\oracle\middleware\wlserver_10.3 -status=applied -verbose -view

The error message is as follows:
D:\oracle\middleware\utils\bsu>bsu.cmd -prod_dir=d:\oracle\middleware\wlserver_10.3 -status=applied -verbose -view
Exception in thread "Thread-0" Exception in thread "Main Thread" java.lang.OutOfMemoryError
java.lang.NoClassDefFoundError: com/bea/plateng/patch/PatchSystem
        at com.bea.plateng.patch.PatchClientHelper.getAllPatchDetails(PatchClientHelper.java:74)
        at com.bea.plateng.patch.PatchInstallationHelper.cleanupPatchSets(PatchInstallationHelper.java:130)
        at com.bea.plateng.patch.PatchTarget.<init>(PatchTarget.java:272)
        at com.bea.plateng.patch.PatchTargetFactory.create(PatchTargetFactory.java:30)
        at com.bea.plateng.patch.PatchTargetHelper.getPatchTargets(PatchTargetHelper.java:204)
        at com.bea.plateng.patch.PatchTargetHelper.updatePatchTargets(PatchTargetHelper.java:119)
        at com.bea.plateng.patch.PatchTargetHelper.getAllPatchTargets(PatchTargetHelper.java:74)
        at com.bea.plateng.patch.PatchTargetHelper.getPatchTarget(PatchTargetHelper.java:247)
        at com.bea.plateng.patch.Patch.getPatchTarget(Patch.java:432)
        at com.bea.plateng.patch.Patch.getPatchTarget(Patch.java:416)
        at com.bea.plateng.patch.Patch.main(Patch.java:251)

The environment variables are not the problem. The fix is to raise the JVM memory settings in bsu.cmd:
=======================================================
@ECHO OFF
SETLOCAL

SET JAVA_HOME=d:\oracle\middleware\jrockit_160_29_d1.2.0-10
REM Convert JAVA_HOME to its short (8.3) path form
FOR %%i IN ("%JAVA_HOME%") DO SET JAVA_HOME=%%~fsi

REM Use java.exe when an argument is given, javaw.exe (no console) otherwise
SET JAVA=%1
IF DEFINED JAVA (
 SET JAVA=java
) ELSE (
 SET JAVA=javaw
)

REM Modified: heap sizes raised to avoid the OutOfMemoryError shown above
SET MEM_ARGS=-Xms512m -Xmx1024m

"%JAVA_HOME%\bin\%JAVA%" %MEM_ARGS% -jar patch-client.jar %*

ENDLOCAL
=========================================================
The normal output is as follows:

D:\oracle\middleware\utils\bsu>bsu.cmd -prod_dir=d:\oracle\middleware\wlserver_10.3 -status=applied -verbose -view
ProductName:       WebLogic Server
ProductVersion:    10.3 MP6
Components:        WebLogic Server/Core Application Server,
                   WebLogic Server/Administration Console,
                   WebLogic Server/Configuration Wizard and Upgrade Framework,
                   WebLogic Server/Web 2.0 HTTP Pub-Sub Server,
                   WebLogic Server/WebLogic SCA,
                   WebLogic Server/WebLogic JDBC Drivers,
                   WebLogic Server/Third Party JDBC Drivers,
                   WebLogic Server/WebLogic Server Clients,
                   WebLogic Server/WebLogic Web Server Plugins,
                   WebLogic Server/UDDI and Xquery Support,
                   WebLogic Server/Evaluation Database,
                   WebLogic Server/Workshop Code Completion Support
BEAHome:           d:\oracle\middleware
ProductHome:       d:\oracle\middleware\wlserver_10.3
PatchSystemDir:    d:\oracle\middleware\utils\bsu
PatchDir:          d:\oracle\middleware\patch_wls1036
Profile:           default
DownloadDir:       d:\oracle\middleware\utils\bsu\cache_dir
JavaHome:          d:\oracle\middleware\jdk160_29
JavaVersion:       1.6.0_29
JavaVendor:        sun


Patch ID:          EJUW
PatchContainer:    EJUW.jar
Checksum:          1554039558
Severity:          optional
Category:          general
CR/BUG:            20780171
Restart:           true
Description:       WLS PATCH SET UPDATE 10.3.6.0.12
                   WLS PATCH SET UPDATE 10.3.6.0.12

Patch ID:          ZLNA
PatchContainer:    ZLNA.jar
Checksum:          -894774340
Severity:          optional
Category:          security
CR/BUG:            22248372
Restart:           true
Description:       WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015)
                   WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015)

Second, apply the patch
First uninstall the previously applied patches ...
====================================================
Uninstalling (a direct install of FMJJ reports a conflict with the patches already applied):
D:\oracle\middleware\utils\bsu>bsu.cmd -install -patch_download_dir=d:\oracle\middleware\utils\bsu\cache_dir -patchlist=fmjj -prod_dir=d:\oracle\middleware\wlserver_10.3
Check for conflicts ....
Conflict detected - resolve conflict situation and re-execute patch installation
The following are details of the conflict situation:
Patch FMJJ and the following patches are mutually exclusive and cannot coexist: EJUW, ZLNA
Terminate the batch operation (y/n)? Y

D:\oracle\middleware\utils\bsu>

- Stop all WebLogic Servers
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

d:\oracle\middleware\utils\bsu>bsu.cmd -remove -patchlist=zlna -prod_dir=d:\oracle\middleware\wlserver_10.3
d:\oracle\middleware\utils\bsu>bsu.cmd -remove -patchlist=ejuw -prod_dir=d:\oracle\middleware\wlserver_10.3
Check for conflicts .....
Conflict detected - resolve conflict situation and re-execute patch removal process
The following are details of the conflict situation:
The following patches must be removed before the selected patches can be removed: ZLNA

D:\oracle\middleware\utils\bsu>
d:\oracle\middleware\utils\bsu>bsu.cmd -remove -patchlist=zlna -prod_dir=d:\oracle\middleware\wlserver_10.3
Check for conflicts .....
No conflict detected

Remove Patch ID: ZLNA:
Result: Success

D:\oracle\middleware\utils\bsu>
d:\oracle\middleware\utils\bsu>bsu.cmd -remove -patchlist=ejuw -prod_dir=d:\oracle\middleware\wlserver_10.3
Check for conflicts .....
No conflict detected

Remove Patch ID: EJUW:
Result: Success


Post-uninstallation Instructions
--------------------------------
A) Restart all WebLogic Servers.
====================================================

1. Unzip the patch package zip file to get two files, a .jar and an .xml. Copy these two files to utils/bsu/cache_dir under the WebLogic directory; if cache_dir does not exist, create it yourself. You can also choose a different directory.

Unzip P26519424_1036_generic.zip to {MW_HOME}/utils/bsu/cache_dir

2. Apply the patch
D:\oracle\middleware\utils\bsu>bsu.cmd -install -patch_download_dir=d:\oracle\middleware\utils\bsu\cache_dir -patchlist=fmjj -prod_dir=d:\oracle\middleware\wlserver_10.3

Description
-patch_download_dir: the directory where the two files from the previous step are located
-prod_dir: WebLogic's home directory
-patchlist: the patch ID, which is the file name of the .jar file in the patch package


======================================

After a long wait, the result is shown ....

======================================

D:\oracle\middleware\utils\bsu>bsu.cmd -install -patch_download_dir=d:\oracle\middleware\utils\bsu\cache_dir -patchlist=fmjj -prod_dir=d:\oracle\middleware\wlserver_10.3
Check for conflicts ...
No conflict detected

Installing Patch ID: FMJJ:
Result: Success

D:\oracle\middleware\utils\bsu>

Third, verification

a) Restart all WebLogic servers.
b) The following commands are a simple way to determine whether the WebLogic Server PSU has been applied.

D:\oracle\middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

D:\oracle\middleware\utils\bsu>bsu.cmd -prod_dir=d:\oracle\middleware\wlserver_10.3 -status=applied -verbose -view
ProductName:       WebLogic Server
ProductVersion:    10.3 MP6
Components:        WebLogic Server/Core Application Server,
                   WebLogic Server/Administration Console,
                   WebLogic Server/Configuration Wizard and Upgrade Framework,
                   WebLogic Server/Web 2.0 HTTP Pub-Sub Server,
                   WebLogic Server/WebLogic SCA,
                   WebLogic Server/WebLogic JDBC Drivers,
                   WebLogic Server/Third Party JDBC Drivers,
                   WebLogic Server/WebLogic Server Clients,
                   WebLogic Server/WebLogic Web Server Plugins,
                   WebLogic Server/UDDI and Xquery Support,
                   WebLogic Server/Evaluation Database,
                   WebLogic Server/Workshop Code Completion Support
BEAHome:           d:\oracle\middleware
ProductHome:       d:\oracle\middleware\wlserver_10.3
PatchSystemDir:    d:\oracle\middleware\utils\bsu
PatchDir:          d:\oracle\middleware\patch_wls1036
Profile:           default
DownloadDir:       d:\oracle\middleware\utils\bsu\cache_dir
JavaHome:          d:\oracle\middleware\jdk160_29
JavaVersion:       1.6.0_29
JavaVendor:        sun


Patch ID:          FMJJ
PatchContainer:    FMJJ.jar
Checksum:          591477727
Severity:          optional
Category:          general
CR/BUG:            26519424
Restart:           true
Description:       WLS PATCH SET UPDATE 10.3.6.0.171017
                   WLS PATCH SET UPDATE 10.3.6.0.171017


java weblogic.version

In the following example output, 10.3.6.0.171017 is the installed WebLogic Server PSU.

WebLogic Server 10.3.6.0.171017 PSU Patch for BUG26519424



When you start WebLogic, you can see in the standard output that the patch is loaded:
<2015-10-26 02:43 P.M. 41 sec cst> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU June 15:54:42 IST 2015
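
A check for the verification step above, added here as an example (it is not part of the original post or of Oracle's tooling): it parses captured `java weblogic.version` and `bsu.cmd -view` output and reports whether the PSU level reaches 10.3.6.0.171017 and whether BSU lists the same bug number. The function names and the sample strings are assumptions, constructed from the outputs shown on this page.

```python
import re

MIN_PSU = (10, 3, 6, 0, 171017)  # minimum PSU level named on this page

# Constructed sample inputs, modelled on the command outputs shown above.
VERSION_BEFORE = """\
WebLogic Server Temporary Patch for BUG22248372 Tue Nov 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU June 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 08:52:36 PST 2011 1441050
"""
VERSION_AFTER = """\
WebLogic Server 10.3.6.0.171017 PSU Patch for BUG26519424
WebLogic Server 10.3.6.0 Tue Nov 08:52:36 PST 2011 1441050
"""
BSU_VIEW = """\
Patch ID:          FMJJ
PatchContainer:    FMJJ.jar
Category:          general
CR/BUG:            26519424
"""

PSU_RE = re.compile(r"WebLogic Server (\d+(?:\.\d+)+) PSU Patch for BUG(\d+)", re.I)

def psu_level(version_output):
    """Return (version_tuple, bug) of the highest PSU line, or None if no PSU is applied."""
    found = [(tuple(int(p) for p in m.group(1).split(".")), m.group(2))
             for m in PSU_RE.finditer(version_output)]
    return max(found) if found else None

def applied_patches(bsu_view_output):
    """Map patch ID -> CR/BUG number from 'bsu.cmd -status=applied -verbose -view' output."""
    patches, current = {}, None
    for line in bsu_view_output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "patch id":
            current = value.upper()
            patches[current] = None
        elif key == "cr/bug" and current:
            patches[current] = value
    return patches

def check(version_output, bsu_view_output=""):
    """Report whether the PSU meets MIN_PSU and whether BSU lists the same bug number."""
    level = psu_level(version_output)
    ok = level is not None and level[0] >= MIN_PSU
    in_bsu = level is not None and level[1] in applied_patches(bsu_view_output).values()
    return {"psu": level, "meets_minimum": ok, "confirmed_by_bsu": in_bsu}
```

The comparison is numeric per component, so the older sequence-style level 10.3.6.0.12 correctly sorts below the date-style level 10.3.6.0.171017.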
