Oracle WebLogic Server Patch Set Update 10.3.6.0.190115 README
==============================================================
This README provides information about how to apply Oracle WebLogic Server
Patch Set Update 10.3.6.0.190115. It also provides information about reverting to
the original version.
Released: January, 2019
Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.190115
--------------------------------------------------------------------------
Patch ID - 7HKN
Patch Number - 28710912
Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.190115
-----------------------------------------------------------------------
- Although a WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis
  (or on a more fine-grained basis), Oracle recommends that the PSU be applied on an installation-wide basis.
  A PSU applied to a WebLogic Server installation using this recommended practice
  affects all domains and servers sharing that installation.
- Log in as the same "user" with which the component being patched was installed.
- Stop all WebLogic servers.
- Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches.
- *** NOTE: To be security compliant for the vulnerability fixes released as part of CPUOct2017,
  Oracle recommends the use of the following JDK version:
  Java SE Development Kit 7, Update 131 (JDK 7u131) or higher (refer to MOS notes 1492980.1 and 1439822.1)
  https://support.oracle.com/epmos/faces/DocumentDisplay?id=1439822.1
  https://support.oracle.com/epmos/faces/DocumentDisplay?id=1492980.1
- If you are running with a security manager and experience java.io.SerializablePermission "serialFilter" permission exceptions,
  you will need to update the weblogic policy file to include the following line:
      permission java.io.SerializablePermission "serialFilter";
  in the coherence.jar section of the weblogic policy file:
      grant codeBase "file:@WL_HOME/../coherence/lib/coherence.jar" {
Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.190115
-------------------------------------------------------------
- Unzip p28710912_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory.
  Note: Make sure that the target directory for the unzip has the required write and execute permissions
  for the "user" with which the component being patched was installed.
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
  where WL_HOME is the path of the WebLogic home.
Reference: BSU Command line interface
http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm
Post-Installation Instructions
------------------------------
a) Restart all WebLogic servers.
b) The following commands are a simple way to verify that the WebLogic Server PSU has been applied.
   $ . $WL_HOME/server/bin/setWLSEnv.sh
   $ java weblogic.version
   In the following example output, 10.3.6.0.190115 is the installed WebLogic Server PSU.
   WebLogic Server 10.3.6.0.190115 PSU Patch for BUG28710912
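
The check in step b) can be scripted for use across many hosts. The following is an added example, not part of Oracle's README: it assumes the PSU line has the format shown above, reads the date stamps in the PSU names on this page as YYMMDD, and uses constructed sample outputs.

```shell
#!/bin/sh
# Added example: check the PSU level reported by `java weblogic.version`.
# REQUIRED_PSU is the date stamp of the PSU described in this README.
REQUIRED_PSU=190115

# Print the highest PSU date stamp (fifth version field) found in
# weblogic.version output on stdin; print nothing if no PSU line exists.
psu_level() {
    sed -n 's/^WebLogic Server 10\.3\.6\.0\.\([0-9]\{6\}\) PSU Patch for BUG[0-9]*.*$/\1/p' |
        sort -n | tail -n 1
}

# Return 0 only if stdin reports a PSU at or above the level given as $1.
# Assumption: date stamps are YYMMDD, so numeric order is release order.
psu_at_least() {
    required=$1
    level=$(psu_level)
    [ -n "$level" ] && [ "$level" -ge "$required" ]
}

# Constructed sample outputs (BUG00000000 is a placeholder, not a real id).
PATCHED_SAMPLE='WebLogic Server 10.3.6.0.190115 PSU Patch for BUG28710912
WebLogic Server 10.3.6.0'
OLDER_SAMPLE='WebLogic Server 10.3.6.0.181016 PSU Patch for BUG00000000
WebLogic Server 10.3.6.0'
UNPATCHED_SAMPLE='WebLogic Server 10.3.6.0'

# Classify one captured output. On a live host, pipe in the real command:
#   . $WL_HOME/server/bin/setWLSEnv.sh
#   java weblogic.version | psu_at_least "$REQUIRED_PSU"
report() {
    if printf '%s\n' "$2" | psu_at_least "$REQUIRED_PSU"; then
        echo "$1: PSU at or above 10.3.6.0.$REQUIRED_PSU"
    else
        echo "$1: PSU missing or older than 10.3.6.0.$REQUIRED_PSU"
    fi
}

report patched   "$PATCHED_SAMPLE"
report older     "$OLDER_SAMPLE"
report unpatched "$UNPATCHED_SAMPLE"
```
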
* A note about the weblogic.policy file *
If you are using a Java security manager (for example, you use -Djava.security.manager to start up WebLogic Server),
you must ensure that the codeBase in your policy file points to the location where the patches are installed.
The policy file is specified by -Djava.security.policy during server startup.
By default, this is the weblogic.policy file, which resides in WL_HOME/server/lib, where WL_HOME is the WebLogic Server installation directory.
This is an example of what should be added to the weblogic.policy file for the installed patches:
    grant codeBase "file:<path-to-WLS-patch-jars>/patch_wls1036/patch_jars/-" {
        permission java.security.AllPermission;
    };
The default weblogic.policy file is a sample. If you use it, you must modify it. Refer to the following URL for additional information:
http://download.oracle.com/docs/cd/E17904_01/web.1111/e13711/server_prot.htm
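
For servers started with a security manager, both policy entries this README mentions (the patch_jars grant above and the "serialFilter" line in the coherence.jar section, which is needed only if the exceptions described under "Preparing to Install" occur) can be checked before restart. The following is an added example, not part of Oracle's README; the sample policies and /opt/... paths are constructed, and the parser assumes one grant block per `grant codeBase ... { ... };` group.

```shell
#!/bin/sh
# Added example: check a weblogic.policy file for the two grants this README
# describes. Sample policies and the /opt/... paths are constructed.

# Return 0 if the policy on stdin lists the permission in $2 inside a grant
# block whose codeBase line contains $1. Lines starting with // are skipped.
policy_grants() {
    awk -v needle="$1" -v perm="$2" '
        /^[ \t]*\/\// { next }
        /grant[ \t]+codeBase/ { in_block = (index($0, needle) > 0) }
        in_block && index($0, perm) > 0 { found = 1 }
        index($0, "};") > 0 { in_block = 0 }
        END { exit(found ? 0 : 1) }
    '
}

# Report each missing grant; return non-zero if any is missing.
check_policy() {
    policy=$(cat)
    rc=0
    printf '%s\n' "$policy" | policy_grants 'coherence/lib/coherence.jar' \
        'java.io.SerializablePermission "serialFilter"' ||
        { echo 'MISSING: serialFilter permission in coherence.jar section'; rc=1; }
    printf '%s\n' "$policy" | policy_grants 'patch_wls1036/patch_jars/-' \
        'java.security.AllPermission' ||
        { echo 'MISSING: grant for patch_wls1036/patch_jars/-'; rc=1; }
    return "$rc"
}

# Constructed policy with both entries in the right sections.
GOOD_POLICY='grant codeBase "file:@WL_HOME/../coherence/lib/coherence.jar" {
  permission java.io.SerializablePermission "serialFilter";
};
grant codeBase "file:/opt/mw/patch_wls1036/patch_jars/-" {
  permission java.security.AllPermission;
};'
# Constructed policy: serialFilter sits in the wrong section, no patch grant.
BAD_POLICY='grant codeBase "file:@WL_HOME/../coherence/lib/coherence.jar" {
  permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:/opt/other/lib/-" {
  permission java.io.SerializablePermission "serialFilter";
};'

printf '%s\n' "$GOOD_POLICY" | check_policy && echo 'first sample: OK'
printf '%s\n' "$BAD_POLICY" | check_policy || echo 'second sample: needs editing'
```

On a real host, feed it the file named by -Djava.security.policy, for example `check_policy < "$WL_HOME/server/lib/weblogic.policy"`.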
Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.190115
---------------------------------------------------------------
- Stop all WebLogic Servers.
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
Post-Uninstallation Instructions
--------------------------------
a) Restart all WebLogic Servers.
Bugs Fixed By This Patch
------------------------
WLS Patch Set Update 10.3.6.0.190115
-------------------------------------------
26624375 NODEMANAGER MEMORY LEAK ON SSL HANDSHAKE FAILURES
17390029 SUB COORDINATOR URL USES SSL, THEN FUTURE RESOURCE WILL GET INFECTED WITH SAME
19706551 CVE-2019-2395
26353793 CVE-2019-2398
28110087 CVE-2019-2418
28626991 CVE-2019-2452
WLS Patch Set Update 10.3.6.0.181016
-------------------------------------------
20020455 CVE-2018-2902
28140800 Bypass version string checks when non-Oracle JDK is used.
28409586 CVE-2018-3252
28375173 CVE-2018-3245
27988175 CVE-2018-3191
28389003 CVE-2018-3250
28381528 CVE-2018-3248
28381538 CVE-2018-3249
WLS Patch Set Update 10.3.6.0.180717
-------------------------------------------
27819370 CVE-2018-2987
27948303 CVE-2018-2893
18233844 Fixed a datasource hang during rollback if the database was hung
25993295 CVE-2013-1768
27445260 CVE-2018-2935
27934864 CVE-2018-2998
WLS Patch Set Update 10.3.6.0.180417
-------------------------------------------
27043684 Clarify unclear verbiage in a MultiPool connect failure message
26439373 CVE-2017-5645
25987400 Fixed an issue where it wasn't possible to provide indirect transaction propagation between servers that are on different networks
26916941 Fixed an issue that was causing SoapCodec.getOperation() to return null
13421981 Fixed an issue where WLS was failing to collect an automatic thread dump when JDK7 is used
26608537 CVE-2018-2628
WLS Patch Set Update 10.3.6.0.171017
-------------------------------------------
24818026 CVE-2017-10271
26044754 CVE-2017-10334, CVE-2017-10336
19763916 CVE-2017-10152
26144830 CVE-2017-10352
18492020 Fixes an issue with an unexpected RuntimeException if the MaxThreadsConstraint is exceeded
WLS Patch Set Update 10.3.6.0.170718
-------------------------------------------
24533963 CVE-2013-2027
16844206 Updated Jython to recognize Windows 2012
16199510 Fixed an issue with the closure of initial context when creating JMX connection
19687084 Fixed an issue where startNodeManager() would fail if the 'block' argument was set to 'true'
22935339 Fixed an issue where the processor load column in the Admin console displayed N/A with JDK 1.7
21562338 Fixed an issue where a Connection.isClosed() call returned false when the real connection had been closed because of an internal driver condition
17780911 Fixed an issue where very long running statements might cause the pool to incorrectly retract the connection as if it were idle
18084750 Moved the server threads used for processing Oracle FAN messages from the self-tuning thread pool to a Java thread pool
21241854 Fixed a case where a failover callback for an MDS was not called
20463542 Provide an option to allow early-used connections within a global transaction to go back into the pool when logically closed rather than be held to the end of the transaction
13729611 Ensure the WLS statement cache is turned off if replay or oracle statement cache enabled
13337000 Ensure the init() call for a pool connection includes the original cause if an exception occurs
13516117 Fixed an issue to make seconds-to-trust more reliable
17873235 Fixed a problem where shutting down multiple datasources in a MultiDataSource showed 'not registered' exceptions
16168052 Fixed an issue to make DBMS failure recovery more reliable for MySQL
24618043 Fixed an AGL datasource deadlock window during a RAC node UP event
13861764 Fixed an issue