21984589-26519424-28710912-29204678-31178492.rar

Oracle WebLogic Server Patch Set Update 10.3.6.0.190416 README ============================================================== This README provides information about how to apply Oracle WebLogic Server Patch Set Update 10.3.6.0.190416. It also provides information about reverting to the original version. Released: April, 2019 Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.190416 -------------------------------------------------------------------------- Patch ID - U5I2 Patch Number - 29204678 Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.190416 ----------------------------------------------------------------------- - WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis (or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis. PSU applied to a WebLogic Server installation using this recommended practice affect all domains and servers sharing that installation. - Login as same "user" with which the component being patched is installed. - Stop all WebLogic servers. - Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches - *** NOTE: In order to be Security compliant for vulnerability fixes released as part of CPUOct2017, Oracle recommends the use of the following JDK version: Java SE Development Kit 7, Update 131 (JDK 7u131) or higher (refer MOS notes 1492980.1 and 1439822.1) https://support.oracle.com/epmos/faces/DocumentDisplay?id=1439822.1 https://support.oracle.com/epmos/faces/DocumentDisplay?id=1492980.1 - If you are running with a security manager and experience java.io.SerializablePermission "serialFilter" permission exceptions, then you will need to update the weblogic policy file to include the following line: permission java.io.SerializablePermission "serialFilter"; in the coherence.jar section of the weblogic policy file: grant codeBase "file:@WL_HOME/../coherence/lib/coherence.jar" { Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.190416 ------------------------------------------------------------- - unzip p28710912_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory Note: You must make sure that the target directory for unzip has required write and executable permissions for "user" with which the component being patched is installed. - Navigate to the {MW_HOME}/utils/bsu directory. - Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME} Where, WL_HOME is the path of the WebLogic home Reference: BSU Command line interface http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm Post-Installation Instructions ------------------------------ a) Restart all WebLogic servers. b) The following command is a simple way to determine the application of WebLogic Server PSU. $ . $WL_HOME/server/bin/setWLSEnv.sh $ java weblogic.version In the following example output, 10.3.6.0.190416 is the installed WebLogic Server PSU. WebLogic Server 10.3.6.0.190416 PSU Patch for BUG29204678 * A note about the weblogic.policy file * If you are using a Java security manager (for example, you use -Djava.security.manager to start up WebLogic Server), you must ensure that the codeBase in your policy file points to the location where the patches are installed. The policy file is specified by -Djava.security.policy during server startup. By default, this is weblogic.policy file and resides in WL_HOME/server/lib, where WL_HOME is the WebLogic Server installation directory. This is an example of what should be added to the weblogic.policy file for the installed patches: grant codeBase "file:<path-to-WLS-patch-jars>/patch_wls1036/patch_jars/-" { permission java.security.AllPermission; }; The default weblogic.policy file is a sample. If you use it, you must modify it. Refer to the following URL for additional information: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13711/server_prot.htm Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.190416 --------------------------------------------------------------- - Stop all WebLogic Servers - Navigate to the {MW_HOME}/utils/bsu directory. - Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME} Post-Uninstallation Instructions -------------------------------- a) Restart all WebLogic Servers. Bugs Fixed By This Patch ------------------------ WLS Patch Set Update 10.3.6.0.190416 ------------------------------------------- 27122975 UDDIEXPLORER.SETUP.GETCOOKIE NPE INCIDENT GENERATION IN CUSTOMER PODS 29140508 CVE-2019-2645 29140551 CVE-2019-2649 29140549 CVE-2019-2648 29140540 CVE-2019-2647 29140516 CVE-2019-2646 26791760 CVE-2019-2568 29140555 CVE-2019-2650 28998139 CVE-2016-1000031 16706262 CHANGE PROXY RELATED VARS FROM STATIC VAR TO INSTANCE VAR 28762025 WLS PSU 10.3.6.0.181016 DOESN'T INCLUDE THE FIX 13729611 28874066 CVE-2019-2615 28891448 CVE-2019-2618 WLS Patch Set Update 10.3.6.0.190115 ------------------------------------------- 26624375 NODEMANAGER MEMORY LEAK ON SSL HANDSHAKE FAILURES 17390029 SUB COORDINATOR URL USES SSL, THEN FUTURE RESOURCE WILL GET INFECTED WITH SAME 19706551 CVE-2019-2395 26353793 CVE-2019-2398 28110087 CVE-2019-2418 28626991 CVE-2019-2452 WLS Patch Set Update 10.3.6.0.181016 ------------------------------------------- 20020455 CVE-2018-2902 28140800 Bypass version string checks when non-Oracle JDK is used. 28409586 CVE-2018-3252 28375173 CVE-2018-3245 27988175 CVE-2018-3191 28389003 CVE-2018-3250 28381528 CVE-2018-3248 28381538 CVE-2018-3249 WLS Patch Set Update 10.3.6.0.180717 ------------------------------------------- 27819370 CVE-2018-2987 27948303 CVE-2018-2893 18233844 Fixed a datasource hang during rollback if the database was hung 25993295 CVE-2013-1768 27445260 CVE-2018-2935 27934864 CVE-2018-2998 WLS Patch Set Update 10.3.6.0.180417 ------------------------------------------- 27043684 Clarify unclear verbiage in a MultiPool connect failure message 26439373 CVE-2017-5645 25987400 Fixed an issue where it wasn't possible to provide indirect transaction propagation between servers that are on different networks 26916941 Fixed an issue that was causing SoapCodec.getOperation() to return null 13421981 Fixed an issue where WLS was failing to collect an automatic thread dump when JDK7 is used 26608537 CVE-2018-2628 WLS Patch Set Update 10.3.6.0.171017 ------------------------------------------- 24818026 CVE-2017-10271 26044754 CVE-2017-10334, CVE-2017-10336 19763916 CVE-2017-10152 26144830 CVE-2017-10352 18492020 Fixes an issue with an unexpected RuntimeException if the MaxThreadsConstraint is exceeded WLS Patch Set Update 10.3.6.0.170718 ------------------------------------------- 24533963 CVE-2013-2027 16844206 Updated Jython to recognize Windows 2012 16199510 Fixed an issue with the closure of initial context when creating JMX connection 19687084 Fixed an issue where startNodeManager() would fail if the 'block' argument was set to 'true' 22935339 Fixed an issue where the processor load column in the Admin console displayed N/A with JDK 1.7 21562338 Fixed an issue where a Connection.isClosed() call returned false when the real connection had been closed because of a internal driver condition 17780911 Fixed an issue where very long running statements might cause the pool to incorrectly retract the connection as if it were idle 18084750 Moved the server threads used for processing Oracle FAN messages from the self-tuning thread pool to a Java thread pool 21241854 Fixed a case where a failover callback for an MDS was not called 20463542 Provide an option to allow early-used connections within a global transaction to go back into the pool when logically closed rather than be held to the end of the transaction 13729611 Ensure t