cve-2019-2725修复使用到的p28710912_1036_Generic.zip

Oracle WebLogic Server Patch Set Update 10.3.6.0.190115 README ============================================================== This README provides information about how to apply Oracle WebLogic Server Patch Set Update 10.3.6.0.190115. It also provides information about reverting to the original version. Released: January, 2019 Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.190115 -------------------------------------------------------------------------- Patch ID - 7HKN Patch Number - 28710912 Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.190115 ----------------------------------------------------------------------- - WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis (or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis. PSU applied to a WebLogic Server installation using this recommended practice affect all domains and servers sharing that installation. - Login as same "user" with which the component being patched is installed. - Stop all WebLogic servers. - Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches - *** NOTE: In order to be Security compliant for vulnerability fixes released as part of CPUOct2017, Oracle recommends the use of the following JDK version: Java SE Development Kit 7, Update 131 (JDK 7u131) or higher (refer MOS notes 1492980.1 and 1439822.1) https://support.oracle.com/epmos/faces/DocumentDisplay?id=1439822.1 https://support.oracle.com/epmos/faces/DocumentDisplay?id=1492980.1 - If you are running with a security manager and experience java.io.SerializablePermission "serialFilter" permission exceptions, then you will need to update the weblogic policy file to include the following line: permission java.io.SerializablePermission "serialFilter"; in the coherence.jar section of the weblogic policy file: grant codeBase "file:@WL_HOME/../coherence/lib/coherence.jar" { Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.190115 ------------------------------------------------------------- - unzip p28710912_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory Note: You must make sure that the target directory for unzip has required write and executable permissions for "user" with which the component being patched is installed. - Navigate to the {MW_HOME}/utils/bsu directory. - Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME} Where, WL_HOME is the path of the WebLogic home Reference: BSU Command line interface http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm Post-Installation Instructions ------------------------------ a) Restart all WebLogic servers. b) The following command is a simple way to determine the application of WebLogic Server PSU. $ . $WL_HOME/server/bin/setWLSEnv.sh $ java weblogic.version In the following example output, 10.3.6.0.190115 is the installed WebLogic Server PSU. WebLogic Server 10.3.6.0.190115 PSU Patch for BUG28710912 * A note about the weblogic.policy file * If you are using a Java security manager (for example, you use -Djava.security.manager to start up WebLogic Server), you must ensure that the codeBase in your policy file points to the location where the patches are installed. The policy file is specified by -Djava.security.policy during server startup. By default, this is weblogic.policy file and resides in WL_HOME/server/lib, where WL_HOME is the WebLogic Server installation directory. This is an example of what should be added to the weblogic.policy file for the installed patches: grant codeBase "file:<path-to-WLS-patch-jars>/patch_wls1036/patch_jars/-" { permission java.security.AllPermission; }; The default weblogic.policy file is a sample. If you use it, you must modify it. Refer to the following URL for additional information: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13711/server_prot.htm Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.190115 --------------------------------------------------------------- - Stop all WebLogic Servers - Navigate to the {MW_HOME}/utils/bsu directory. - Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME} Post-Uninstallation Instructions -------------------------------- a) Restart all WebLogic Servers. Bugs Fixed By This Patch ------------------------ WLS Patch Set Update 10.3.6.0.190115 ------------------------------------------- 26624375 NODEMANAGER MEMORY LEAK ON SSL HANDSHAKE FAILURES 17390029 SUB COORDINATOR URL USES SSL, THEN FUTURE RESOURCE WILL GET INFECTED WITH SAME 19706551 CVE-2019-2395 26353793 CVE-2019-2398 28110087 CVE-2019-2418 28626991 CVE-2019-2452 WLS Patch Set Update 10.3.6.0.181016 ------------------------------------------- 20020455 CVE-2018-2902 28140800 Bypass version string checks when non-Oracle JDK is used. 28409586 CVE-2018-3252 28375173 CVE-2018-3245 27988175 CVE-2018-3191 28389003 CVE-2018-3250 28381528 CVE-2018-3248 28381538 CVE-2018-3249 WLS Patch Set Update 10.3.6.0.180717 ------------------------------------------- 27819370 CVE-2018-2987 27948303 CVE-2018-2893 18233844 Fixed a datasource hang during rollback if the database was hung 25993295 CVE-2013-1768 27445260 CVE-2018-2935 27934864 CVE-2018-2998 WLS Patch Set Update 10.3.6.0.180417 ------------------------------------------- 27043684 Clarify unclear verbiage in a MultiPool connect failure message 26439373 CVE-2017-5645 25987400 Fixed an issue where it wasn't possible to provide indirect transaction propagation between servers that are on different networks 26916941 Fixed an issue that was causing SoapCodec.getOperation() to return null 13421981 Fixed an issue where WLS was failing to collect an automatic thread dump when JDK7 is used 26608537 CVE-2018-2628 WLS Patch Set Update 10.3.6.0.171017 ------------------------------------------- 24818026 CVE-2017-10271 26044754 CVE-2017-10334, CVE-2017-10336 19763916 CVE-2017-10152 26144830 CVE-2017-10352 18492020 Fixes an issue with an unexpected RuntimeException if the MaxThreadsConstraint is exceeded WLS Patch Set Update 10.3.6.0.170718 ------------------------------------------- 24533963 CVE-2013-2027 16844206 Updated Jython to recognize Windows 2012 16199510 Fixed an issue with the closure of initial context when creating JMX connection 19687084 Fixed an issue where startNodeManager() would fail if the 'block' argument was set to 'true' 22935339 Fixed an issue where the processor load column in the Admin console displayed N/A with JDK 1.7 21562338 Fixed an issue where a Connection.isClosed() call returned false when the real connection had been closed because of a internal driver condition 17780911 Fixed an issue where very long running statements might cause the pool to incorrectly retract the connection as if it were idle 18084750 Moved the server threads used for processing Oracle FAN messages from the self-tuning thread pool to a Java thread pool 21241854 Fixed a case where a failover callback for an MDS was not called 20463542 Provide an option to allow early-used connections within a global transaction to go back into the pool when logically closed rather than be held to the end of the transaction 13729611 Ensure the WLS statement cache is turned off if replay or oracle statement cache enabled 13337000 Ensure the the init() call for a pool connection includes the original cause if an exception occurs 13516117 Fixed an issue to make seconds-to-trust more reliable 17873235 Fixed a problem where shutting down multiple datasources in a MultiDataSource showed 'not registered' exceptions 16168052 Fixed an issue to make DBMS failure recovery more reliable for MySQL 24618043 Fixed an AGL datasource deadlock window during a RAC node UP event 13861764 Fixed an issue