Weblogic反序列化远程代码执行漏洞(CVE-2018-2893)

Oracle WebLogic Server Patch Set Update 10.3.6.0.180717 README ========================================================= This README provides information about how to apply Oracle WebLogic Server Patch Set Update 10.3.6.0.180717. It also provides information about reverting to the original version. Released: Jul, 2018 Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.180717 -------------------------------------------------------------------------- PATCH_ID - B47X Patch number - 27919965 Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.180717 ----------------------------------------------------------------------- - WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis (or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis. PSU applied to a WebLogic Server installation using this recommended practice affect all domains and servers sharing that installation. - Login as same "user" with which the component being patched is installed. - Stop all WebLogic servers. - Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches - For users of Oracle JDKs and JVMs, we strongly recommend applying the latest Java Critical Patch Updates (CPUs) as soon as they are released. Please refer to Obtaining Java SE (JDK/JRE) for Oracle Fusion Middleware Products (Doc ID 1506916.1) for further information. https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1506916.1 - If you are running with a security manager and experience java.io.SerializablePermission "serialFilter" permission exceptions, then you will need to update the weblogic policy file to include the following line: permission java.io.SerializablePermission "serialFilter"; in the coherence.jar section of the weblogic policy file: grant codeBase "file:@WL_HOME/../coherence/lib/coherence.jar" { Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.180717 ------------------------------------------------------------- - unzip p27919965_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory Note: You must make sure that the target directory for unzip has required write and executable permissions for "user" with which the component being patched is installed. - Navigate to the {MW_HOME}/utils/bsu directory. - Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME} Where, WL_HOME is the path of the WebLogic home Reference: BSU Command line interface http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm Post-Installation Instructions ------------------------------ a) Restart all WebLogic servers. b) The following command is a simple way to determine the application of WebLogic Server PSU. $ . $WL_HOME/server/bin/setWLSEnv.sh $ java weblogic.version In the following example output, 10.3.6.0.180717 is the installed WebLogic Server PSU. WebLogic Server 10.3.6.0.180717 PSU Patch for BUG27919965 * A note about the weblogic.policy file * If you are using a Java security manager (for example, you use -Djava.security.manager to start up WebLogic Server), you must ensure that the codeBase in your policy file points to the location where the patches are installed. The policy file is specified by -Djava.security.policy during server startup. By default, this is weblogic.policy file and resides in WL_HOME/server/lib, where WL_HOME is the WebLogic Server installation directory. This is an example of what should be added to the weblogic.policy file for the installed patches: grant codeBase "file:<path-to-WLS-patch-jars>/patch_wls1036/patch_jars/-" { permission java.security.AllPermission; }; The default weblogic.policy file is a sample. If you use it, you must modify it. Refer to the following URL for additional information: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13711/server_prot.htm Uninstalling Oracle WebLogic Server Patch Set Update 10.3.6.0.180717 --------------------------------------------------------------- - Stop all WebLogic Servers - Navigate to the {MW_HOME}/utils/bsu directory. - Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME} Post-Uninstallation Instructions -------------------------------- a) Restart all WebLogic Servers. Oracle recommends that you see following key notes -------------------------------------------------- - My Oracle Support NOTE: 1306505.1 Announcing Oracle WebLogic Server PSUs (Patch Set Updates) https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1306505.1 - My Oracle Support NOTE: 1470197.1 Master Note on WebLogic Server Patch Set Updates (PSUs) https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1470197.1 - Known Issues for Oracle WebLogic Server (OWLS) 10.3.6.0.X Patch Set Updates (Doc ID 2137515.1) https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=2137515.1 - My Oracle Support NOTE: 1471192.1 - Replacement Patches for WebLogic Server PSU Conflict Resolution https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1471192.1 - SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1607170.1 - Smart Update Applying Patches to Oracle WebLogic Server http://docs.oracle.com/cd/E14759_01/doc.32/e14143/intro.htm ========================================================================== Copyright © 2010, 2011, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any