之前一篇文章记录部署web代理修复漏洞通过部署web代理来修复JAVA反序列化漏洞,这篇通过打补丁来修复这个漏洞。详见(Doc ID 2075927.1)
系统环境如下所示:
OS:Oracle Linux Server release 6.1 64bit
Weblogic:10.3.6
具体操作如下步骤所示:
1.备份备份备份
2.一切操作安装补丁README来
2.1 更新PSU
2.2 打补丁
1.备份
做好备份工作,无论是否可以回退,保证有备份
2.上传PSU
weblogic补丁上传,建议放在{MW_HOME}/utils/bsu/cache_dir目录下,保证改目录有些和执行权限
本次存放位置为/data/oracle/middleware/utils/bsu/cache_dir
[root@localhost cache_dir]# unzip p20780171_1036_Generic.zip [root@localhost cache_dir]# pwd /data/oracle/middleware/utils/bsu/cache_dir [root@localhost cache_dir]# ls EJUW.jar p20780171_1036_Generic.zip patch-catalog_22958.xml README.txt
2.1根据README操作
README内容如下所示:
Oracle WebLogic Server Patch Set Update 10.3.6.0.12 README
=========================================================
This README provides information about how to apply Oracle WebLogic Server
Patch Set Update 10.3.6.0.12. It also provides information about reverting to
the original version.
Released: July, 2015
Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.12
--------------------------------------------------------------------------
PATCH_ID - EJUW
Patch number - 20780171
Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.12
-----------------------------------------------------------------------
- WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis
(or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis.
PSU applied to a WebLogic Server installation using this recommended practice
affect all domains and servers sharing that installation.
- Login as same "user" with which the component being patched is installed.
- Stop all WebLogic servers.
- Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches
Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.12
-------------------------------------------------------------
- unzip p20780171_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory
Note: You must make sure that the target directory for unzip has required write and executable permissions
for "user" with which the component being patched is installed.
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
Where, WL_HOME is the path of the WebLogic home
Reference: BSU Command line interface
http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm
Post-Installation Instructions
------------------------------
a) Restart all WebLogic servers.
b) The following command is a simple way to determine the application of WebLogic Server PSU.
$ . $WL_HOME/server/bin/setWLSEnv.sh
$ java weblogic.version
In the following example output, 10.3.6.0.12 is the installed WebLogic Server PSU.
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171
Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.12
---------------------------------------------------------------
- Stop all WebLogic Servers
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
Post-Uninstallation Instructions
--------------------------------
a) Restart all WebLogic Servers.
Oracle recommends that you see following key notes
--------------------------------------------------
- My Oracle Support NOTE: 1306505.1 Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1306505.1
- My Oracle Support NOTE: 1470197.1 Master Note on WebLogic Server Patch Set Updates (PSUs)
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1470197.1
- My Oracle Support NOTE: 1471192.1 - Replacement Patches for WebLogic Server PSU Conflict Resolution
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1471192.1
- SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1607170.1
- Smart Update Applying Patches to Oracle WebLogic Server
http://docs.oracle.com/cd/E14759_01/doc.32/e14143/intro.htm
==========================================================================
Copyright 2010, 2011, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
==========================================================================
2.2停止weblogic
[root@localhost ~]# cd /data/oracle/middleware/user_projects/domains/base_domain/bin [root@localhost bin]# ./stopWebLogic.sh Stopping Weblogic Server... Initializing WebLogic Scripting Tool (WLST) ... Welcome to WebLogic Server Administration Scripting Shell Type help() for help on available commands Connecting to t3://localhost.localdomain:80 with userid weblogic ... Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'. Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. Shutting down the server AdminServer with force=false while connected to AdminServer ... WLST lost connection to the WebLogic Server that you were connected to, this may happen if the server was shutdown or partitioned. You will have to re-connect to the server once the server is available. Disconnected from weblogic server: AdminServer Disconnected from weblogic server: Exiting WebLogic Scripting Tool. Done Stopping Derby Server... [1]+ Done nohup ./startWebLogic.sh (wd: /data/oracle/middleware/user_projects/domains/base_domain) (wd now: /data/oracle/middleware/user_projects/domains/base_domain/bin)
2.3更新PSU
[root@localhost ~]# cd /data/oracle/middleware/utils/bsu [root@localhost bsu]# sh bsu.sh -install -patch_download_dir=/data/oracle/middleware/utils/bsu/cache_dir -patchlist=EJUW -prod_dir=/data/oracle/middleware/wlserver_10.3 Checking for conflicts... No conflict(s) detected Installing Patch ID: EJUW.. Result: Success [root@localhost bsu]#
2.4启动weblogic
[root@localhost ~]# cd /data/oracle/middleware/user_projects/domains/base_domain [root@localhost base_domain]# nohup ./startWebLogic.sh & [1] 2194 [root@localhost base_domain]# nohup: ignoring input and appending output to `nohup.out' [root@localhost base_domain]# lsof -i:80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME java 2240 root 309u IPv6 13448 0t0 TCP localhost:http (LISTEN) java 2240 root 310u IPv6 13449 0t0 TCP [fe80::20c:29ff:fecd:56eb]:http (LISTEN) java 2240 root 311u IPv6 13450 0t0 TCP localhost:http (LISTEN) java 2240 root 312u IPv6 13451 0t0 TCP 10.0.41.190:http (LISTEN
2.5验证补丁信息
[root@localhost bsu]# . /data/oracle/middleware/wlserver_10.3/server/bin/setWLSEnv.sh [root@localhost bsu]# java weblogic.version WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015 WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050 Use 'weblogic.version -verbose' to get subsystem information Use 'weblogic.utils.Versions' to get version information for all modules
或者可以通过登录控制台进行验证
http://10.0.41.190/console
定向到主页 >服务器概要 >AdminServer >角色 >AdminServer
详细如下图所示
3.打补丁p22248372_1036012_Generic.zip
[root@localhost ~]# cd /data/oracle/middleware/utils/bsu/cache_dir1 [root@localhost cache_dir1]# ls p22248372_1036012_Generic.zip [root@localhost cache_dir1]# unzip p22248372_1036012_Generic.zip Archive: p22248372_1036012_Generic.zip inflating: patch-catalog_23501.xml inflating: README.txt inflating: ZLNA.jar [root@localhost cache_dir1]#
README内容如下所示:
Content: ======== This patch contains Smart Update patch ZLNA for WebLogic Server 10.3.6.0.12 Description: ============ Oracle WebLogic Sever overlay patch for 10.3.6.0.12 which requires WLS10.3.6.0.12 PSU (Patch Number: 20780171 , Patch ID :EJUW) in the environment Patch Installation Instructions: ================================ - copy content of this zip file with the exception of README file to your SmartUpdate cache directory (MW_HOME/utils/bsu/cache_dir by default) - apply patch using Smart Update utility
3.1使用Smart Update utility打补丁
[root@localhost bsu]# pwd /data/oracle/middleware/utils/bsu [root@localhost bsu]# ls bsu.jar bsu.sh cache_dir cache_dir1 patch-client.jar smartupdate.ico [root@localhost bsu]# ./bsu.sh
界面如图所示
如果在运行的时候出现Exception in thread "main" java.lang.OutOfMemoryError
可以修改bsu.sh中的参数
调整MEM_ARGS="-Xms256m -Xmx512m"中使用的内存大小即可。参考mos(Doc ID 1154089.1)
修改补丁所在目录,在file中点击preference,如下图所示,完成之后点击save
点击Patchs选项下的Refresh View选项,更新之后如下图所示
点击APPLY下的绿色按钮即可进行补丁的应用
检测冲突,如图所示
完成之后点击OK,即可进行补丁的应用
完成之后,如图所示
到此补丁就算成功应用了。
重启后登陆console查看补丁的应用情况,如图所示:
在启动日志也会看到以下的信息
测试工具如附件中所示WebLogic_EXP.jar
参考链接
https://community.oracle.com/thread/3871825