Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Patching WebLogic to fix the Java deserialization vulnerability

Posted by zura at 2020-03-15

The previous article recorded fixing the Java deserialization vulnerability by deploying a web agent; this one records fixing it by patching. See Doc ID 2075927.1 for details.

OS: Oracle Linux Server release 6.1 64bit

WebLogic: 10.3.6

1. Backup

2. Install the patch, following the README for all operations

2.1 Update the PSU

2.2 Patching

1. Backup

Take a proper backup and, whatever else happens, make sure a backup exists.

2. Upload the PSU

Upload the WebLogic patch. It is recommended to put it in the {MW_HOME}/utils/bsu/cache_dir directory, and to check the directory and its execute permissions.

The storage location here is /data/Oracle/Middleware/utils/bsu/cache_dir

2.1 Operate according to the README

2.2 Stop WebLogic

2.3 Update the PSU

2.4 Start WebLogic

2.5 Verify the patch information

Or you can verify it by logging in to the console.

Go directly to: Home > server profile > AdminServer > role > AdminServer

3. Patch p22248372 ABCD generic.zip

3.1 Patch with the Smart Update utility

If Exception in thread "main" java.lang.OutOfMemoryError occurs while it is running,

you can modify the parameters in bsu.sh.

Adjust the memory sizes set in MEM_ARGS="-Xms256m -Xmx512m". Refer to MOS (Doc ID 1154089.1).
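
One way to make the MEM_ARGS change above repeatable and reversible, as an added example that is not part of the original post. The function names, the heap sizes 512m and 1024m, and the sample launcher contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the launcher has
# exactly one line of the form MEM_ARGS="-Xms<size> -Xmx<size>".

# to_mb SIZE: print SIZE (such as 512m or 1g) in megabytes; reject anything else.
to_mb() {
    num=${1%[mMgG]}
    case "$num" in 0*|*[!0-9]*|"") return 1 ;; esac
    case "$1" in
        *[gG]) echo $((num * 1024)) ;;
        *[mM]) echo "$num" ;;
        *) return 1 ;;
    esac
}

# set_bsu_mem_args FILE XMS XMX: rewrite MEM_ARGS in FILE, keeping FILE.bak.
set_bsu_mem_args() {
    file=$1 xms=$2 xmx=$3
    # Only digits plus m/g reach sed, so nothing else can be written into a
    # script that is later run as the WebLogic owner.
    lo=$(to_mb "$xms") && hi=$(to_mb "$xmx") || { echo "bad heap size" >&2; return 2; }
    [ "$lo" -le "$hi" ] || { echo "Xms exceeds Xmx" >&2; return 2; }
    # Refuse to edit a launcher that does not look as expected.
    [ "$(grep -c '^MEM_ARGS=' "$file")" = 1 ] || { echo "no single MEM_ARGS line" >&2; return 3; }
    cp -p "$file" "$file.bak" || return 4
    tmp=$(mktemp) || return 4
    sed "s|^MEM_ARGS=.*|MEM_ARGS=\"-Xms$xms -Xmx$xmx\"|" "$file.bak" > "$tmp" &&
        cat "$tmp" > "$file"   # cat keeps the launcher's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed stand-in for bsu.sh, so the demo never touches a real install.
make_sample_launcher() {
    printf '%s\n' '#!/bin/sh' 'JAVA_HOME="/path/to/jdk"' \
        'MEM_ARGS="-Xms256m -Xmx512m"' \
        '"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*' > "$1"
}

demo=$(mktemp) && make_sample_launcher "$demo" &&
    set_bsu_mem_args "$demo" 512m 1024m && grep '^MEM_ARGS=' "$demo"
rm -f "$demo" "$demo.bak"
```

To undo the change, copy the .bak file back over the launcher.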

Click the green button under Apply to apply the patch.

Click OK after completion to apply the patch.

This patch has been successfully applied.

You will also see the following information in the startup log

The test tool is shown in the attachment: WebLogic EXP.jar
