WebLogic 11g (10.3.6) on Windows: PSU upgrade to 10.3.6.0.171017 (Java deserialization vulnerability patch)

Posted 翰墨文海 QQ1319820057


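WebLogic 10.3.6 needs to be patched to 10.3.6.0.171017 (the October 2017 patch, which addresses the Java deserialization vulnerability). Oracle officially recommends applying at least the October 2017 patch. Versions below 10.3.6 must first be upgraded to 10.3.6 and then patched.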

 

I. Check the version

1. Reset the environment variables with the following command
D:\Oracle\Middleware\wlserver_10.3\server\bin
setWLSEnv.cmd

1.1 Check the WebLogic version

D:\Oracle\Middleware\utils\bsu>java weblogic.version

WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050

Use 'weblogic.version -verbose' to get subsystem information

Use 'weblogic.utils.Versions' to get version information for all modules

D:\Oracle\Middleware\utils\bsu

C:\Program Files (x86)\Java\jdk1.6.0_43

1.2 Detailed WebLogic version information
D:\Oracle\Middleware\utils\bsu>java weblogic.version -verbose

WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015 ImplVersion: 10.3.6.0
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015 ImplVersion: 10.3.6.0
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050 ImplVersion: 10.3.6.0
Oracle WebLogic Server Module Dependencies 10.3 Thu Sep 29 17:47:37 EDT 2011 ImplVersion: 10.3.6.0
Oracle WebLogic Server on JRockit Virtual Edition Module Dependencies 10.3 Wed Jun 15 17:54:24 EDT 2011 ImplVersion: 10.3.6.0
Oracle Virtual Machine Manager Client implementation ImplVersion: 1.1.0.0
WebLogic Descriptors for J2EE 1.6 Wed Dec 1 17:14:50 EST 2010 ImplVersion: 1.6.0.0
WebLogic Descriptors for J2EE 1.6 Binding Bundle ImplVersion: 1.6.0.0
WebLogic Specific Descriptors 1.4 Mon Aug 8 09:26:15 MDT 2011 ImplVersion: 1.4.0.0
WebLogic Specific Descriptors 1.4 Binding Bundle ImplVersion: 1.4.0.0
WebLogic Datasource 1.10 Sat Nov 12 08:11:09 PST 2011 ImplVersion: 1.10.0.0
WebLogic Datasource 1.10 Binding Bundle ImplVersion: 1.10.0.0
WebLogic Beangen Client Capable 1.7 Wed Feb 24 16:02:48 PST 2010 ImplVersion: 1.7.0.0
WebLogic Beangen 1.7 Binding Bundle ImplVersion: 1.7.0.0
WebLogic Management Core Interfaces Client Capable 2.9 Thu Aug 11 17:17:14 PDT 2011 ImplVersion: 2.9.0.1
WebLogic Management Core Interfaces 2.9 Binding Bundle ImplVersion: 2.9.0.1
WebLogic EJBGen Client Capable 1.1 Tue Nov 2 03:30:53 PDT 2010 ImplVersion: 1.1.0.3
WebLogic STAX Client Capable 1.10 Wed Jun 8 09:12:28 EDT 2011 ImplVersion: 1.10.0.0
WebLogic Utils Client Capable 1.10 Sat Oct 29 15:34:23 MDT 2011 ImplVersion: 1.10.0.0
WebLogic SAAJ 1.8 Mon Oct 17 02:49:29 PDT 2011 ImplVersion: 1.8.0.0
WebLogic Apache Classes Client Capable 1.3 Mon Sep 19 23:58:26 EDT 2011 ImplVersion: 1.3.0.1
WebLogic BeanInfo Caching and Discovery Client Capable 2.4 Sat Oct 25 20:46:29 PDT 2008 ImplVersion: 2.4.0.0
WebLogic Descriptor Client Capable 1.10 Wed Aug 10 12:59:06 PDT 2011 ImplVersion: 1.10.0.0
Oracle JFR 1.0 Thu Feb 18 19:06:33 PST 2010 ImplVersion: 1.0.0.0
WebLogic Diagnostics Core Interfaces Client Capable 2.6 Thu Oct 6 01:11:08 EDT 2011 ImplVersion: 2.6.0.0
WebLogic Diagnostics Logging Client Capable 1.2 Fri Dec 12 11:37:59 MST 2008 ImplVersion: 1.2.0.0
WebLogic Diagnostics Query Module Client Capable 1.3 Fri Jul 1 07:32:00 PDT 2011 ImplVersion: 1.3.0.0
WebLogic Diagnostics Instrumentor Tool 1.8 Thu Oct 6 01:11:08 EDT 2011 ImplVersion: 1.8.0.0
WebLogic Diagnostics Instrumentor Config Tool 1.8 Thu Oct 6 01:11:08 EDT 2011 ImplVersion: 1.8.0.0
WebLogic Diagnostics JRockit Flight Recorder Interfaces Client Capable 1.2 Wed Dec 1 17:41:28 EST 2010 ImplVersion: 1.2.0.0
WebLogic i18n Runtime Support Client Capable 1.9 Thu Sep 1 07:41:47 PDT 2011 ImplVersion: 1.9.0.0
WebLogic i18n Build Support Client Capable 1.5 Fri Feb 19 15:03:15 EST 2010 ImplVersion: 1.5.0.0
WebLogic I18N tools Client Capable 1.4 Thu Sep 1 07:41:47 PDT 2011 ImplVersion: 1.4.0.0
WebLogic Management JMX Interfaces 1.4 Fri Sep 16 16:19:28 EDT 2011 ImplVersion: 1.4.2.0
WebLogic Security Provider Generation Tool 1.5 Wed Oct 14 16:39:28 MDT 2009 ImplVersion: 1.5.0.0
WebLogic Security Provider Generation Tool Client Capable 1.5 Wed Oct 14 16:39:28 MDT 2009 ImplVersion: 1.5.0.0
WebLogic Messaging Kernel Client Capable 1.8 Mon Aug 23 21:42:11 EDT 2010 ImplVersion: 1.8.0.0
WebLogic Resource Pool Client Capable 1.8 Thu Oct 6 16:06:35 PDT 2011 ImplVersion: 1.8.0.0
WebLogic Socket Muxer API Client Capable 1.3 Thu Aug 18 16:24:35 EDT 2011 ImplVersion: 1.3.0.0
WebLogic RMI Client Capable 1.11 Tue Sep 20 15:07:37 EDT 2011 ImplVersion: 1.11.0.0
WebLogic Store Client Capable 1.8 Mon Oct 3 09:57:28 PDT 2011 ImplVersion: 1.8.0.0
WebLogic STORE GXA Client Capable 1.7 Fri Apr 1 14:30:50 PDT 2011 ImplVersion: 1.7.0.0
WebLogic Store Admin Tool Client Capable 1.3 Thu Apr 28 09:32:45 PDT 2011 ImplVersion: 1.3.0.0
WebLogic JDBC Store Client Capable 1.3 Fri Sep 16 08:41:14 MDT 2011 ImplVersion: 1.3.1.0
WebLogic JTA implementation Client Capable 2.7 Sat Oct 15 07:12:58 PDT 2011 ImplVersion: 2.7.1.0
WebLogic Utils 1.10 Sat Oct 29 15:34:23 MDT 2011 ImplVersion: 1.10.0.0
WebLogic Utility Classloader implementations Client Capable 2.0 Wed May 18 10:00:41 PDT 2011 ImplVersion: 2.0.0.0
WebLogic java compiler utils package Client Capable 1.2 Thu Feb 11 03:38:50 EST 2010 ImplVersion: 1.2.0.0
WebLogic Utils for working with Expressions Client Capable 1.4 Tue Sep 29 14:45:53 EDT 2009 ImplVersion: 1.4.0.0
WebLogic Utils for Dynamically Generated Class Wrappers Client Capable 1.4 Fri Feb 13 14:44:23 MST 2009 ImplVersion: 1.4.0.0
WebLogic Timers Client Capable 1.7 Fri Feb 4 14:23:26 MST 2011 ImplVersion: 1.7.1.0
WebLogic Work Manager Client Capable 1.11 Thu Oct 6 11:12:55 PDT 2011 ImplVersion: 1.11.0.0
WebLogic Workarea Client Capable 1.8 Tue Jun 28 04:08:48 EDT 2011 ImplVersion: 1.8.0.0
WebLogic XML XPath Implementation Client Capable 1.5 Thu Sep 1 22:11:12 EDT 2011 ImplVersion: 1.5.0.0
WebLogic Security 1.0 Fri Aug 19 08:44:53 MDT 2011 ImplVersion: 6.2.0.0
WebLogic security ssl classes 1.0 Tue Jun 15 17:39:53 EDT 2010 ImplVersion: 1.0.0.0
WebLogic Nodemanager Plugin Client Capable 1.3 Tue Nov 18 18:23:10 EST 2008 ImplVersion: 1.3.0.0
WebLogic JMS Pool Client Capable 1.9 Wed Apr 13 13:03:26 EDT 2011 ImplVersion: 1.9.0.0
WebLogic Http Pub/Sub Module Client Capable 1.7 Fri Jul 8 13:06:46 EDT 2011 ImplVersion: 1.7.0.0
WebLogic WebApp Container Public API Client Capable 1.4 Fri Oct 1 20:01:15 PDT 2010 ImplVersion: 1.4.0.0
WebLogic Coherence Descriptor 1.2 Thu Sep 1 08:29:31 PDT 2011 ImplVersion: 1.2.0.0
WebLogic Coherence Descriptor 1.2 Binding Bundle ImplVersion: 1.2.0.0
WebLogic WebService Public API's 1.1 Tue Sep 21 22:15:05 EDT 2010 ImplVersion: 1.1.0.0
WebLogic EclipseLink Integration 1.0 Thu Feb 25 14:56:43 PST 2010 ImplVersion: 1.0.0.0
WebLogic SCA Client 1.0 Thu Feb 25 00:27:10 EST 2010 ImplVersion: 1.0.0.0
WebLogic RAC Module UCP Client Capable 1.1 Thu Oct 6 16:06:35 PDT 2011 ImplVersion: 1.1.0.0
Oracle Universal Connection Pool ImplVersion: 11.2.0.3.0

SERVICE NAME VERSION INFORMATION
============ ===================
Kernel Commonj WorkManager v1.1
TimerService Commonj TimerManager v1.1
CorbaService CORBA 2.3, IIOP 1.2, RMI-IIOP SFV2, OTS 1.2, CSIv2 Level 0 + Stateful
XMLService XML 1.1
Transaction Service JTA 1.1
JDBCService JSR-221, JDBC 4.0
CustomResourceServerService 1.0.0.0
Servlet Container Servlet 2.5, JSP 2.1
WebServices JSR-173, JAX-RPC, JSR-109, WSDL, WS-Addressing, WS-Policy, JAX-B, JAX-R, UDDI, WS-Management(HP), JAXP-1.3, WS-Security
Transaction Stop Service JTA 1.1
Pre Admin Singleton Services S 1.0
Singleton Services Batch Manag 1.0
Post Admin Singleton Services 1.0
EJB Container EJB 3.0
MDBService EJB 3.0
EJBTimerService EJB 3.0
J2EE Connector 1.5
JMS Service JMS 1.1


D:\Oracle\Middleware\utils\bsu>


1.3 Detailed WebLogic version information: applied patches
D:\Oracle\Middleware\utils\bsu>bsu.cmd -prod_dir=D:\Oracle\Middleware\wlserver_10.3 -status=applied -verbose -view

The command fails with the following error:
D:\Oracle\Middleware\utils\bsu>bsu.cmd -prod_dir=D:\Oracle\Middleware\wlserver_10.3 -status=applied -verbose -view
Exception in thread "Thread-0" Exception in thread "Main Thread" java.lang.OutOfMemoryError
java.lang.NoClassDefFoundError: com/bea/plateng/patch/PatchSystem
at com.bea.plateng.patch.PatchClientHelper.getAllPatchDetails(PatchClientHelper.java:74)
at com.bea.plateng.patch.PatchInstallationHelper.cleanupPatchSets(PatchInstallationHelper.java:130)
at com.bea.plateng.patch.PatchTarget.<init>(PatchTarget.java:272)
at com.bea.plateng.patch.PatchTargetFactory.create(PatchTargetFactory.java:30)
at com.bea.plateng.patch.PatchTargetHelper.getPatchTargets(PatchTargetHelper.java:204)
at com.bea.plateng.patch.PatchTargetHelper.updatePatchTargets(PatchTargetHelper.java:119)
at com.bea.plateng.patch.PatchTargetHelper.getAllPatchTargets(PatchTargetHelper.java:74)
at com.bea.plateng.patch.PatchTargetHelper.getPatchTarget(PatchTargetHelper.java:247)
at com.bea.plateng.patch.Patch.getPatchTarget(Patch.java:432)
at com.bea.plateng.patch.Patch.getPatchTarget(Patch.java:416)
at com.bea.plateng.patch.Patch.main(Patch.java:251)

The environment variables are fine; the fix is to change the JVM memory settings in bsu.cmd:
=======================================================
@ECHO OFF
SETLOCAL

SET JAVA_HOME=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10
FOR %%i IN ("%JAVA_HOME%") DO SET JAVA_HOME=%%~fsi

SET JAVA=%1
IF DEFINED JAVA (
SET JAVA=java
) ELSE (
SET JAVA=javaw
)

REM Value after modification
set MEM_ARGS=-Xms512m -Xmx1024m

"%JAVA_HOME%\bin\%JAVA%" %MEM_ARGS% -jar patch-client.jar %*

ENDLOCAL
=========================================================
The normal output is as follows:

D:\Oracle\Middleware\utils\bsu>bsu.cmd -prod_dir=D:\Oracle\Middleware\wlserver_10.3 -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: D:\Oracle\Middleware
ProductHome: D:\Oracle\Middleware\wlserver_10.3
PatchSystemDir: D:\Oracle\Middleware\utils\bsu
PatchDir: D:\Oracle\Middleware\patch_wls1036
Profile: Default
DownloadDir: D:\Oracle\Middleware\utils\bsu\cache_dir
JavaHome: D:\Oracle\Middleware\jdk160_29
JavaVersion: 1.6.0_29
JavaVendor: Sun


Patch ID: EJUW
PatchContainer: EJUW.jar
Checksum: 1554039558
Severity: optional
Category: General
CR/BUG: 20780171
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.12
WLS PATCH SET UPDATE 10.3.6.0.12

Patch ID: ZLNA
PatchContainer: ZLNA.jar
Checksum: -894774340
Severity: optional
Category: Security
CR/BUG: 22248372
Restart: true
Description: WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015
)
WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 20
15)

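II. Apply the patch
First remove the previously applied patches (ZLNA must be removed before EJUW).
====================================================
Removal (installing FMJJ directly reports a conflict, because it cannot coexist with EJUW and ZLNA):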
D:\Oracle\Middleware\utils\bsu>bsu.cmd -install -patch_download_dir=d:\Oracle\Middleware\utils\bsu\cache_dir -patchlist=FMJJ -prod_dir=D:\Oracle\Middleware\wlserver_10.3
检查冲突..........
检测到冲突 - 解决冲突情形并重新执行补丁程序安装
下面是冲突情形详细资料:
补丁程序 FMJJ 与以下补丁程序互相排斥且不能共存: EJUW,ZLNA
终止批处理操作吗(Y/N)? y

D:\Oracle\Middleware\utils\bsu>

- Stop all WebLogic Servers
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

D:\Oracle\Middleware\utils\bsu>bsu.cmd -remove -patchlist=ZLNA -prod_dir=D:\Oracle\Middleware\wlserver_10.3
D:\Oracle\Middleware\utils\bsu>bsu.cmd -remove -patchlist=EJUW -prod_dir=D:\Oracle\Middleware\wlserver_10.3
检查冲突...........
检测到冲突 - 解决冲突情形并重新执行补丁程序删除过程
下面是冲突情形详细资料:
必须先删除下列补丁程序, 才能删除所选补丁程序: ZLNA

D:\Oracle\Middleware\utils\bsu>
D:\Oracle\Middleware\utils\bsu>
D:\Oracle\Middleware\utils\bsu>
D:\Oracle\Middleware\utils\bsu>
D:\Oracle\Middleware\utils\bsu>
D:\Oracle\Middleware\utils\bsu>bsu.cmd -remove -patchlist=ZLNA -prod_dir=D:\Oracle\Middleware\wlserver_10.3
检查冲突...........
未检测到冲突

删除补丁程序 ID: ZLNA..
结果: 成功

D:\Oracle\Middleware\utils\bsu>
D:\Oracle\Middleware\utils\bsu>bsu.cmd -remove -patchlist=EJUW -prod_dir=D:\Oracle\Middleware\wlserver_10.3
检查冲突...........
未检测到冲突

删除补丁程序 ID: EJUW..
结果: 成功


Post-Uninstallation Instructions
--------------------------------
a) Restart all WebLogic Servers.
====================================================

 

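1. Unzip the patch zip file to obtain two files, one .jar and one .xml. Copy both files into utils/bsu/cache_dir under the WebLogic directory; create cache_dir yourself if it does not exist. You can also specify a different directory.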

unzip p26519424_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir

 

2. Apply the patch
D:\Oracle\Middleware\utils\bsu>bsu.cmd -install -patch_download_dir=d:\Oracle\Middleware\utils\bsu\cache_dir -patchlist=FMJJ -prod_dir=D:\Oracle\Middleware\wlserver_10.3

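Notes
-patch_download_dir: the directory containing the two files from the previous step
-prod_dir: the WebLogic home directory
-patchlist: the patch ID, which is the file name of the .jar file in the patch package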


======================================

After a long wait, the following is displayed:

======================================

D:\Oracle\Middleware\utils\bsu>bsu.cmd -install -patch_download_dir=d:\Oracle\Middleware\utils\bsu\cache_dir -patchlist=FMJJ -prod_dir=D:\Oracle\Middleware\wlserver_10.3
检查冲突.........
未检测到冲突

正在安装补丁程序 ID: FMJJ..
结果: 成功

D:\Oracle\Middleware\utils\bsu>

III. Verify

a) Restart all WebLogic servers.
b) The following command is a simple way to determine the application of WebLogic Server PSU.

D:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

D:\Oracle\Middleware\utils\bsu>bsu.cmd -prod_dir=D:\Oracle\Middleware\wlserver_10.3 -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: D:\Oracle\Middleware
ProductHome: D:\Oracle\Middleware\wlserver_10.3
PatchSystemDir: D:\Oracle\Middleware\utils\bsu
PatchDir: D:\Oracle\Middleware\patch_wls1036
Profile: Default
DownloadDir: d:\Oracle\Middleware\utils\bsu\cache_dir
JavaHome: D:\Oracle\Middleware\jdk160_29
JavaVersion: 1.6.0_29
JavaVendor: Sun


Patch ID: FMJJ
PatchContainer: FMJJ.jar
Checksum: 591477727
Severity: optional
Category: General
CR/BUG: 26519424
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.171017 WLS PATCH SET UPDATE 10.3.6.0.171017


java weblogic.version

In the following example output, 10.3.6.0.171017 is the installed WebLogic Server PSU.

WebLogic Server 10.3.6.0.171017 PSU Patch for BUG26519424



When WebLogic is started at this point, the standard output also shows that the new patch has been loaded:
<2015-10-26 下午02时43分41秒 CST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST 2015
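
An added example (not part of the original post and not Oracle tooling): a Python parser for the `bsu.cmd -status=applied -verbose -view` output shown in sections I and III that rejoins console-wrapped values and checks that the applied PSU is at least 10.3.6.0.171017. The sample text is constructed from the listings on this page, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the bsu "-view" listings on this page; the
# ZLNA Description is console-wrapped the way the tool prints long values.
BEFORE = """\
ProductVersion: 10.3 MP6
Patch ID: EJUW
CR/BUG: 20780171
Description: WLS PATCH SET UPDATE 10.3.6.0.12

Patch ID: ZLNA
CR/BUG: 22248372
Description: WEBLOGIC SERVER CVE-2015-4852 SECURITY ALERT PATCH (NOV 2015
)
"""
AFTER = """\
Patch ID: FMJJ
CR/BUG: 26519424
Description: WLS PATCH SET UPDATE 10.3.6.0.171017
"""

FIELD = re.compile(r"^(Patch ID|PatchContainer|Checksum|Severity|Category|"
                   r"CR/BUG|Restart|Description):\s*(.*)$")
PSU = re.compile(r"PATCH SET UPDATE (\d+(?:\.\d+)+)")

def parse_patches(text):
    """One dict per 'Patch ID' block; unlabelled lines continue the last field."""
    patches, key = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            key = m.group(1)
            if key == "Patch ID":
                patches.append({})
            if patches:
                patches[-1][key] = m.group(2).strip()
        elif line.strip() and patches and key:
            patches[-1][key] += line.strip()  # rejoin a wrapped value
    return patches

def psu_level(text):
    """Highest PSU version named in any Description, as a tuple of ints."""
    found = [PSU.search(p.get("Description", "")) for p in parse_patches(text)]
    return max((tuple(map(int, m.group(1).split("."))) for m in found if m),
               default=None)

def meets_minimum(text, minimum="10.3.6.0.171017"):
    level = psu_level(text)
    return level is not None and level >= tuple(map(int, minimum.split(".")))
```

Run `meets_minimum` on the captured `-view` output from each host; a False result means the October 2017 PSU is not applied there.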