Weblogic如何修復"Java反序列化"過程遠程命令執(zhí)行漏洞

發(fā)布時間：2022-01-15 10:42:58 來源：億速云閱讀：148 作者：小新欄目：大數(shù)據(jù)

小編給大家分享一下Weblogic如何修復"Java反序列化"過程遠程命令執(zhí)行漏洞，希望大家閱讀完這篇文章之后都有所收獲，下面讓我們一起去探討吧！

1.查找文檔說明，在https://support.oracle.com上找到補丁的說明文檔如下：

CVE-2015-4852 Patch Availability Document for Oracle WebLogic Server Component of Oracle Fusion Middleware (Doc ID 2075927.1)

APPLIES TO:

Oracle WebLogic Server - Version 10.3.6 to 12.2.1.0.0
Oracle Fusion Middleware
Oracle WebLogic Server - Version 10.3 to 10.3
Information in this document applies to any platform.
This applies to any product deployment using Oracle WebLogic Server

PURPOSE

This document defines minimum releases and patches for the Oracle WebLogic Server component of Oracle Fusion Middleware to address the vulnerability described in the Oracle Security Alert for CVE-2015-4852: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

DETAILS

It is important to read the Oracle Security Alert before reading this document. The table below defines minimum releases and patches for Oracle WebLogic Server.

See also Note 2076338.1 CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware

n January 2016 CPU Update:

Beginning January 2016, CVE-2015-4852 fixes are now included in the below Patch Set Update (PSU) releases and higher:

12.2.1.0.1

12.1.3.0.6

12.1.2.0.8

10.3.6.0.13

n To obtain the latest cumulative PSU, refer to the Critical Patch Update program at http://www.oracle.com/technetwork/topics/security/alerts-086861.html . Review the latest Advisory and click the "Fusion Middleware" link within to obtain the latest cumulative Patch Availability Document.

n Important: If you have a version older than 10.3.6 or 12.1.2, you must upgrade as per the Error Correction Policy: Note 950131.1, "Error Correction Support Dates for Oracle WebLogic Server".

n The initial patching requirements from November 2015 are listed below with patch links for all versions under error correction support:

WLS Release	Required Patches
12.2.1.0	Patch 22248372 for CVE-2015-4852
12.1.3.0	PSU 12.1.3.0.5 (Patch 21370953) + Patch 22248372 for CVE-2015-4852
12.1.2.0	PSU 12.1.2.0.7 (Patch 21364493) + Patch 22248372 for CVE-2015-4852
10.3.6.0	PSU 10.3.6.0.12 (Patch 20780171), Smart Update Patch ID: EJUW) + Patch 22248372 for CVE-2015-4852

l Patches are not password protected for versions listed above. Older versions are now expired.

l Due to issues with linking to the standard My Oracle Support patch download page, the above links go to an alternative updates.oracle.com location. If you have firewall rules on your network, you should adjust accordingly for the links to work.

l You may also access these patches by going to the "Patches and Updates" tab, perform a search on the above numbers and select your version.

REFERENCES

NOTE:2076338.1 - CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware

NOTE:1074055.1 - Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products

2.下載補丁，通過原文Required Patches處的鏈接下載補丁包。我所使用的版本為10.3.6.0，所以需要下載的補丁包為PSU 10.3.6.0.12 (Patch 20780171) + 10.3.6.0.12 Patch 22248372 for CVE-2015-4852

3.執(zhí)行打補丁操作（注意：不同的環(huán)境和本文的路徑會有所不同）

[cams@JJ129077 dateFiles]$ cd /home/cams/bea/middleware/wlserver_10.3/server/bin/
[cams@JJ129077 bin]$ ls
international setWLSEnv.sh startNodeManager.sh
[cams@JJ129077 bin]$ . ./setWLSEnv.sh
CLASSPATH=/home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/cams/bea/middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/usr/java/jdk1.6.0_45/lib/tools.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic.jar:/home/cams/bea/middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/home/cams/bea/middleware/wlserver_10.3/server/lib/webservices.jar:/home/cams/bea/middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/home/cams/bea/middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:.:/usr/java/jdk1.6.0_45/lib/dt.jar:/usr/java/jdk1.6.0_45/lib/tools.jar
PATH=/home/cams/bea/middleware/wlserver_10.3/server/bin:/home/cams/bea/middleware/modules/org.apache.ant_1.7.1/bin:/usr/java/jdk1.6.0_45/jre/bin:/usr/java/jdk1.6.0_45/bin:/usr/java/jdk1.6.0_45/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin::/home/cams/bin
Your environment has been set.
[cams@JJ129077 bin]$ java weblogic.version
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050
Use 'weblogic.version -verbose' to get subsystem information
Use 'weblogic.utils.Versions' to get version information for all modules
[cams@JJ129077 zip]$ cd /home/cams/bea/middleware/utils/bsu
[cams@JJ129077 bsu]$ ./bsu.sh -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /home/cams/bea/middleware
ProductHome: /home/cams/bea/middleware/wlserver_10.3
PatchSystemDir: /home/cams/bea/middleware/utils/bsu
PatchDir: /home/cams/bea/middleware/patch_wls1036
Profile: Default
DownloadDir: /home/cams/bea/middleware/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun
上傳p20780171_1036_Generic.zip和p22248372_1036012_Generic.zip至DownloadDir:/home/cams/bea/middleware/utils/bsu/cache_dir路徑下，并解壓
[cams@JJ129077 cache_dir]$ unzip p20780171_1036_Generic.zip
Archive: p20780171_1036_Generic.zip
extracting: EJUW.jar
inflating: patch-catalog_22958.xml
inflating: README.txt
[cams@JJ129077 cache_dir]$ unzip p22248372_1036012_Generic.zip
Archive: p22248372_1036012_Generic.zip
inflating: patch-catalog_23501.xml
replace README.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: README1.txt
inflating: README1.txt
inflating: ZLNA.jar
如果不知道如何打補丁，可以參考p20780171_1036_Generic.zip中的README文件，README的內(nèi)容附在文末。（打補丁之前先把Weblogic停了，最簡單的就是殺進程）
[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:448)
at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getPatchDependencies(PatchCatalogHelper.java:464)
at com.bea.plateng.patch.dao.cat.PatchCatalog.getPatchDependencies(PatchCatalog.java:56)
at com.bea.plateng.patch.dao.cat.PatchCatalogHelper.getInvalidatedPatchMap(PatchCatalogHelper.java:1621)
at com.bea.plateng.patch.PatchSystem.updatePatchCatalog(PatchSystem.java:436)
at com.bea.plateng.patch.PatchSystem.refresh(PatchSystem.java:130)
at com.bea.plateng.patch.PatchSystem.setCacheDir(PatchSystem.java:201)
at com.bea.plateng.patch.Patch.main(Patch.java:281)
[cams@JJ129077 bsu]$ ls
bsu.jar bsu.sh cache_dir patch-client.jar smartupdate.ico
[cams@JJ129077 bsu]$ vi bsu.sh
[cams@JJ129077 bsu]$ cat bsu.sh
#!/bin/sh
JAVA_HOME="/usr/java/jdk1.6.0_45"
MEM_ARGS="-Xms2560m -Xmx5120m"
"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*
[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose
檢查沖突....
未檢測到?jīng)_突
開始安裝補丁程序 ID: EJUW
安裝 /home/cams/bea/middleware/utils/bsu/cache_dir/EJUW.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/BUG20780171_1036012.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxp_1.4.5.0.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
更新 /home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar
舊清單值: Class-Path=
新清單值: Class-Path=../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/console.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.descriptor.wl.binding_1.4.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jstl-1.2.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-notran-adp.rar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-fileupload.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls-schema_10.3.6.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/bin/wlsifconfig.sh 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-1.2.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls_7.2.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/glassfish.jstl_1.2.0.1.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-2.0.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient+ssl.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/schema/weblogic-domain-binding.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/jdbcdrivers.xml 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-xa-adp.rar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/console.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.descriptor.wl.binding_1.4.0.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jstl-1.2.war
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-notran-adp.rar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-fileupload.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar
解壓縮 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls-schema_10.3.6.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-io-2.4.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/bin/wlsifconfig.sh
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-1.2.war
解壓縮 /home/cams/bea/middleware/modules/com.oracle.cie.config-wls_7.2.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.stax2_2.0.0.0_3-0-3.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlclient.jar
解壓縮 /home/cams/bea/middleware/modules/glassfish.jstl_1.2.0.1.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/bugsfixed/20780171-WLS-10.3.6.0.12_PSU_WebServices-ClientSide-Configuration-README.txt
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/common/deployable-libraries/jsf-2.0.war
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient+ssl.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/bugsfixed/WLS-PSU-bugsfixed.txt
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/schema/weblogic-domain-binding.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/jdbcdrivers.xml
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/jms-xa-adp.rar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
備份 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar29284.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar29284.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wls-api.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar44830.tmp
合并 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar44830.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.utils_1.10.0.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear31614.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear31614.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlstestclient.ear
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip5321.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip5321.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wseeclient.zip
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war39919.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war39919.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/uddiexplorer.war
解壓縮 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar55192.tmp
合并 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar55192.tmp 與 /home/cams/bea/middleware/modules/ws.databinding_1.3.0.0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar13700.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar13700.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/webserviceclient.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar38734.tmp
合并 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar38734.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.apache_1.3.0.1.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar20032.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar20032.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsafclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3client.jar16624.tmp
更新 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3client.jar16624.tmp 到 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3client.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar10325.tmp
合并 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar10325.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar11487.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar11487.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlw-langx.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar1720.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar1720.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmxclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3jmsclient.jar4576.tmp
更新 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3jmsclient.jar4576.tmp 到 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlt3jmsclient.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar51603.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar51603.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlsaft3client.jar
解壓縮 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar5281.tmp
合并 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar5281.tmp 與 /home/cams/bea/middleware/modules/ws.databinding.plugins_1.3.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar34716.tmp
合并 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar34716.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.utils.full_1.10.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar59274.tmp
合并 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar59274.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar57658.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar57658.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wljmsclient.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.weblogic.stax_1.11.0.0.jar58675.tmp
更新 /home/cams/bea/middleware/modules/com.bea.core.weblogic.stax_1.11.0.0.jar58675.tmp 到 /home/cams/bea/middleware/modules/com.bea.core.weblogic.stax_1.11.0.0.jar
解壓縮 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar23342.tmp
合并 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar23342.tmp 與 /home/cams/bea/middleware/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar
結(jié)果: 成功
[cams@JJ129077 bsu]$
[cams@JJ129077 bsu]$ ./bsu.sh -install -patch_download_dir=/home/cams/bea/middleware/utils/bsu/cache_dir/ -patchlist=ZLNA -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -verbose
檢查沖突....
未檢測到?jīng)_突
開始安裝補丁程序 ID: ZLNA
安裝 /home/cams/bea/middleware/utils/bsu/cache_dir/ZLNA.jar
解壓縮 /home/cams/bea/middleware/patch_wls1036/patch_jars/BUG22248372_1036.jar
更新 /home/cams/bea/middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar
舊清單值: Class-Path=../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
新清單值: Class-Path=../../../patch_jars/BUG22248372_1036.jar ../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
備份 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar 至 /home/cams/bea/middleware/patch_wls1036/backup/backup.jar
解壓縮 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar62442.tmp
合并 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar62442.tmp 與 /home/cams/bea/middleware/wlserver_10.3/server/lib/wlthint3client.jar
結(jié)果: 成功

4.查看剛更新的補丁信息

[cams@JJ129077 bsu]$ ./bsu.sh -prod_dir=/home/cams/bea/middleware/wlserver_10.3/ -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /home/cams/bea/middleware
ProductHome: /home/cams/bea/middleware/wlserver_10.3
PatchSystemDir: /home/cams/bea/middleware/utils/bsu
PatchDir: /home/cams/bea/middleware/patch_wls1036
Profile: Default
DownloadDir: /home/cams/bea/middleware/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun
Patch ID: EJUW
PatchContainer: EJUW.jar
Checksum: 1554039558
Severity: optional
Category: General
CR/BUG: 20780171
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.12
WLS PATCH SET UPDATE 10.3.
6.0.12
Patch ID: ZLNA
PatchContainer: ZLNA.jar
Checksum: -894774340
Severity: optional
Category: Security
CR/BUG: 22248372
Restart: true
Description: WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015
)
WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 20
15)
[cams@JJ129077 bsu]$ java weblogic.version
WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050
Use 'weblogic.version -verbose' to get subsystem information
Use 'weblogic.utils.Versions' to get version information for all modules

5.附錄（README文件：Patch 20780171）

Oracle WebLogic Server Patch Set Update 10.3.6.0.12 README
=========================================================
This README provides information about how to apply Oracle WebLogic Server
Patch Set Update 10.3.6.0.12. It also provides information about reverting to
the original version.
Released: July, 2015
Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.12
--------------------------------------------------------------------------
PATCH_ID - EJUW
Patch number - 20780171
Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.12
-----------------------------------------------------------------------
- WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis
(or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis.
PSU applied to a WebLogic Server installation using this recommended practice
affect all domains and servers sharing that installation.
- Login as same "user" with which the component being patched is installed.
- Stop all WebLogic servers.
- Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches
Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.12
-------------------------------------------------------------
- unzip p20780171_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory
Note: You must make sure that the target directory for unzip has required write and executable permissions
for "user" with which the component being patched is installed.
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
Where, WL_HOME is the path of the WebLogic home
Reference: BSU Command line interface
http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm
Post-Installation Instructions
------------------------------
a) Restart all WebLogic servers.
b) The following command is a simple way to determine the application of WebLogic Server PSU.
$ . $WL_HOME/server/bin/setWLSEnv.sh
$ java weblogic.version
In the following example output, 10.3.6.0.12 is the installed WebLogic Server PSU.
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171
Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.12
---------------------------------------------------------------
- Stop all WebLogic Servers
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
Post-Uninstallation Instructions
--------------------------------
a) Restart all WebLogic Servers.
Oracle recommends that you see following key notes
--------------------------------------------------
- My Oracle Support NOTE: 1306505.1 Announcing Oracle WebLogic Server PSUs (Patch Set Updates)
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1306505.1
- My Oracle Support NOTE: 1470197.1 Master Note on WebLogic Server Patch Set Updates (PSUs)
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1470197.1
- My Oracle Support NOTE: 1471192.1 - Replacement Patches for WebLogic Server PSU Conflict Resolution
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1471192.1
- SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher
https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1607170.1
- Smart Update Applying Patches to Oracle WebLogic Server
http://docs.oracle.com/cd/E14759_01/doc.32/e14143/intro.htm
==========================================================================
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
==========================================================================

看完了這篇文章，相信你對“Weblogic如何修復"Java反序列化"過程遠程命令執(zhí)行漏洞”有了一定的了解，如果想了解更多相關(guān)知識，歡迎關(guān)注億速云行業(yè)資訊頻道，感謝各位的閱讀！

向AI問一下細節(jié)

Weblogic如何修復"Java反序列化"過程遠程命令執(zhí)行漏洞

APPLIES TO:

PURPOSE

DETAILS

REFERENCES

猜你喜歡

最新資訊

相關(guān)推薦

相關(guān)標簽