  • April 2020 WebLogic patch collection, covering Oracle WebLogic 10.3.6.0.0, Oracle WebLogic 12.2.1.3.0 and Oracle WebLogic 12.2.1.4.0
  • WebLogic patch of 20 April 2021, for WebLogic 10.3.6.0.0, Patch 32403651
  • WebLogic 12.2.1.3 latest patch package; fixes the July vulnerabilities and earlier ones.
  • WebLogic patches released 15 April 2020 (.zip) https://www.oracle.com/security-alerts/cpuapr2020.html, containing: p30857748_1036_Generic.zip p30965714_122130_Generic.zip p30970477_122140_Generic.zip
  • Latest WebLogic server patch installation package, with the patch operation manual included
  • weblogic12c补丁包.zip

    2021-01-13 16:41:35
    Passed NSFOCUS scan testing and resolves most vulnerability findings; must be used together with the patch installation tool OPatch 13.9.4.2 or later.
  • Oracle WebLogic Server 10.3.6 cumulative update patch package released in April 2020, p30857748_1036_Generic. It mainly fixes various bugs and security vulnerabilities. Uninstall the old patches before installing. For servers or domains that have been attacked, it is recommended to delete the domain and rebuild it.
  • WebLogic 12.1.3 patch

    2018-06-21 16:57:31
    WebLogic 12.1.3 patch package, CVE-2017-10352, p27419391_121300_Generic.zip
  • WebLogic 10.3.6 patch

    2018-03-15 17:22:00
    WebLogic 10.3.6 patch, containing p20780171_1036_Generic.zip and p22248372_1036012_Generic.zip
  • Notice: applications should back up before performing the patch upgrade. Scope: this document's example is a Windows environment with WebLogic 10.3.6. ... Latest patch information: patch package p31162736_10360200414_Generic.zip, released July 2020

    Notice: applications should back up before performing the patch upgrade.

    Scope: this document's example is a Windows environment with WebLogic version 10.3.6.

    The patch installation steps for Oracle Linux, CentOS and other Linux systems, and for other WebLogic versions, are basically the same: obtain the patch for your version yourself, replace the ".cmd" suffix in this document with ".sh", replace the path with your actual WebLogic installation directory, or consult the official documentation.

    Latest patch information:

    Patch package: p31162736_10360200414_Generic.zip

    Release date: 3 July 2020

    Patch download: https://download.csdn.net/download/qq_20712595/12629505

    Vulnerability information: Oracle's July 2020 Patch Set Update (PSU), which fixes the newly discovered remote code execution vulnerabilities caused by flaws in WebLogic's T3 and IIOP protocols.

    CVE-2020-14625, CVE-2020-14644 and CVE-2020-14687 affect versions:

    WebLogic 12.2.1.3.0

    WebLogic 12.2.1.4.0

    WebLogic 14.1.1.0.0

    CVE-2020-14645 affects versions:

    WebLogic 10.3.6.0.0

    WebLogic 12.1.3.0.0

    WebLogic 12.2.1.3.0

    WebLogic 12.2.1.4.0

    WebLogic 14.1.1.
  • WebLogic patches

    2018-05-03 12:56:02
    Latest patches of April 2018, covering the 11g and 12c versions, with configuration instructions included.
  • WebLogic 10.3.6 patch, 17 July 2018
  • weblogic10.3.6补丁.rar

    2019-11-13 19:55:54
    This patch addresses remote code execution vulnerabilities including CVE-2019-2904, CVE-2019-2905 and CVE-2019-2906. Of these vulnerabilities, 31 can be exploited remotely without authentication, that is, exploited over the network without user credentials, to add, delete, modify, ...
  • WebLogic 12c latest patch: Q4 patch released 19 October 2021, p33416868_122140_Generic.zip
  • Windows WebLogic 12.2.1.3.0 patching procedure, including the latest patch and the opatch_generic.jar needed for OPatch 13.9.4.2.4
  • How to find the latest patch for each WebLogic version

    2021-01-21 09:39:07
    Patch Set Update (PSU) Release Listing for Oracle WebLogic Server (WLS) (Doc ID 1470197.1) 10.3.6 Patch Set Updates Important: PSUs are initially announced in the CPU Patch Availability Document ...

    WebLogic Server PSU - Popular Known Issues and Information (Doc ID 2458832.1)

    https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=170748304563868&parent=DOCUMENT&sourceId=1470197.1&id=2458832.1&_afrWindowMode=0&_adf.ctrl-state=9tpjgcpl4_492#aref_section22

    2749094.1

    https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=170598131141035&id=2749094.1&_afrWindowMode=0&_adf.ctrl-state=9tpjgcpl4_345#babdieag4

    Just look here: Note 2458832.1 WebLogic Server PSU - Popular Known Issues

    PSU Release Listing (columns: PSU | Description | Patch Download | CPU/PSU Patch Availability Document | Smart Update Patch ID | Bugs Fixed)

    PSU: 10.3.6.0.210119
    Description: January 2021 Patch Set Update (PSU) for WebLogic Server 10.3.6.0
    Patch Download: Click the document in the next column to go directly to the most current patches for 10.3.6 -->
    CPU/PSU Patch Availability Document: My Oracle Support Note 2725756.1. Ensure to obtain the current cycle's WLS PSU, JDK update, and other security patches from the CPU document!
    Smart Update Patch ID: 1YWL
    Bugs Fixed: See README

    PSU: 10.3.6.0.201020
    Description: October 2020 Patch Set Update (PSU) for WebLogic Server 10.3.6.0
    Patch Download: Patch 31641257
    CPU/PSU Patch Availability Document: My Oracle Support Note 2694898.1
    Smart Update Patch ID: NA7A
    Bugs Fixed: See README

    3.3.47.5 Oracle WebLogic Server 10.3.6
    All of the patches listed in the table below should be applied to an Oracle WebLogic Server 10.3.6 installation

    (columns: Product Home | Patch | Advisory Number | Comments)

    Product Home: Oracle WebLogic Server 10.3.6
    Patch: See Note 2736202.1, Oracle Critical Patch Update (CPU) January 2021 for Oracle Java SE
    Comments: Download locations and installation instructions in above document. See Note 1492980.1, How to Install and Maintain the Java SE Installed or Used with FMW 11g/12c Products

    Product Home: Oracle WebLogic Server 10.3.6
    Patch: WLS PATCH SET UPDATE 10.3.6.0.210119 Patch 32052267 or later
    Advisory Number: CVE-2020-14750, CVE-2021-2047, CVE-2019-10086, CVE-2021-1994, CVE-2021-1995, CVE-2021-1996, CVE-2021-2109, CVE-2021-2075
    Comments:
      CVE-2020-14750 is included in Jan PSU Patch.
      See Note 2421487.1 - Oracle Strongly recommends applying minimum JDK version (JDK 7 u191 or later) to make some of the Weblogic Server Deserialization vulnerability fixes effective.
      See Note 2665794.1, How to Restrict T3/T3S Protocol Traffic for WebLogic Server
      See Note 1607170.1, SSL Authentication Problem Using WebLogic 10.3.6 and 12.1.1 With JDK1.7.0_40 or Higher
      See Note 2395745.1, April 2018 Critical Patch Update: Additional Information about the Oracle WebLogic Server Vulnerability CVE-2018-2628
      See Note 2421480.1, July 2018 Critical Patch Update: Additional information about the Oracle WebLogic Server Vulnerability CVE-2018-2933.
      See Note 2076338.1, July 2018 Critical Patch Update: Additional information about the Oracle WebLogic Server Vulnerability CVE-2015-4852

  • WebLogic 10.3.6 latest patch

    2018-05-01 17:09:35
    Vulnerability disclosed on 18 April 2018, name: CVE-2018-2628; it allows executing system commands. The patch is downloaded by logging in as a licensed user; Oracle's official site has not yet published it publicly.
  • WebLogic 12c patch installation

    2018-01-10 21:15:38

    Because an NSFOCUS scan found vulnerabilities in the WebLogic 12c installed on the machine, a patch upgrade is needed.

    The installed WebLogic version is 12.1.3. Only a WebLogic installed from the Generic package can be patched this way; see "Installing WebLogic 12c from the Linux command line".

    1. Download the patch according to the vulnerability report

    ① Following the remediation advice in the vulnerability scan report, log in to Oracle with an administrator account and open http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
    ② Find the matching WebLogic version and click Fusion Middleware
    ③ On the page that opens, choose Oracle Fusion Middleware from the menu
    ④ Then choose Oracle WebLogic Server
    ⑤ Find the matching WebLogic version and click Patch 26519417
    ⑥ On the page that opens, click the download option
    ⑦ In the pop-up window, click to download p26519417_121300_Generic.zip

    2. Upload and unzip the patch package on Linux

    Upload the downloaded p26519417_121300_Generic.zip patch package to the Linux server

    Unzip the patch package into the PATCH_TOP directory under the current directory

    [cyyun@cyyun ~]$ unzip -d PATCH_TOP p26519417_121300_Generic.zip
    

    3. About OPatch

    OPatch is a Java-based utility that runs on all supported operating systems and requires installation of the Oracle Universal Installer. It is used to apply patches to Oracle software.

    Note that OUI and OPatch are not installed separately: they are installed together with Oracle products. If they cannot be found in the installed Oracle product, the product was probably installed as a development package, that is, not the edition intended for production use.

    Check the OPatch version

    [cyyun@cyyun ~]$ cd /usr/local/products/weblogic12c/OPatch
    [cyyun@cyyun OPatch]$ ./opatch version
    OPatch Version: 13.2.0.0.0
    
    OPatch succeeded.
    

    4. Install the patch

    4.1 Installing a single patch

    cd /home/cyyun/PATCH_TOP/26519417/
    /usr/local/products/weblogic12c/OPatch/opatch apply
    

    Or run ./opatch apply /home/cyyun/PATCH_TOP/26519417/

    [cyyun@cyyun OPatch]$ ./opatch apply /home/cyyun/PATCH_TOP/26519417/ 
    Oracle Interim Patch Installer version 13.2.0.0.0
    Copyright (c) 2014, Oracle Corporation.  All rights reserved.
    
    
    Oracle Home       : /usr/local/products/weblogic12c
    Central Inventory : /usr/local/products/oraInventory
       from           : /usr/local/products/weblogic12c/oraInst.loc
    OPatch version    : 13.2.0.0.0
    OUI version       : 13.2.0.0.0
    Log file location : /usr/local/products/weblogic12c/cfgtoollogs/opatch/26519417_Jan_09_2018_23_53_57/apply2018-01-09_23-53-44PM_1.log
    
    
    OPatch detects the Middleware Home as "/usr/local/products/weblogic12c"
    
    Jan 09, 2018 11:54:04 PM oracle.sysman.oii.oiii.OiiiInstallAreaControl initAreaControl
    INFO: Install area Control created with access level  0
    Applying interim patch '26519417' to OH '/usr/local/products/weblogic12c'
    Verifying environment and performing prerequisite checks...
    All checks passed.
    
    Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
    (Oracle Home = '/usr/local/products/weblogic12c')
    
    
    Is the local system ready for patching? [y|n]
    y
    User Responded with: Y
    Backing up files...
    
    Patching component oracle.wls.workshop.code.completion.support, 12.1.3.0.0...
    
    Patching component oracle.wls.workshop.code.completion.support, 12.1.3.0.0...
    
    Patching component oracle.css.mod, 12.1.3.0.0...
    
    Patching component oracle.css.mod, 12.1.3.0.0...
    
    Patching component oracle.fmwconfig.common.shared, 12.1.3.0.0...
    
    Patching component oracle.fmwconfig.common.shared, 12.1.3.0.0...
    
    Patching component oracle.wls.common.nodemanager, 12.1.3.0.0...
    
    Patching component oracle.wls.common.nodemanager, 12.1.3.0.0...
    
    Patching component oracle.webservices.base, 12.1.3.0.0...
    
    Patching component oracle.webservices.base, 12.1.3.0.0...
    
    Patching component oracle.wls.server.shared.with.core.engine, 12.1.3.0.0...
    
    Patching component oracle.wls.server.shared.with.core.engine, 12.1.3.0.0...
    
    Patching component oracle.wls.shared.with.cam, 12.1.3.0.0...
    
    Patching component oracle.wls.shared.with.cam, 12.1.3.0.0...
    
    Patching component oracle.webservices.orawsdl, 12.1.3.0.0...
    
    Patching component oracle.webservices.orawsdl, 12.1.3.0.0...
    
    Patching component oracle.wls.libraries.mod, 12.1.3.0.0...
    
    Patching component oracle.wls.libraries.mod, 12.1.3.0.0...
    
    Patching component oracle.wls.admin.console.en, 12.1.3.0.0...
    
    Patching component oracle.wls.admin.console.en, 12.1.3.0.0...
    
    Patching component oracle.webservices.wls, 12.1.3.0.0...
    
    Patching component oracle.webservices.wls, 12.1.3.0.0...
    
    Patching component oracle.wls.core.app.server, 12.1.3.0.0...
    
    Patching component oracle.wls.core.app.server, 12.1.3.0.0...
    
    Patching component oracle.wls.clients, 12.1.3.0.0...
    
    Patching component oracle.wls.clients, 12.1.3.0.0...
    
    Patching component oracle.wls.wlsportable.mod, 12.1.3.0.0...
    
    Patching component oracle.wls.wlsportable.mod, 12.1.3.0.0...
    
    Patching component oracle.fmwconfig.common.wls.shared, 12.1.3.0.0...
    
    Patching component oracle.fmwconfig.common.wls.shared, 12.1.3.0.0...
    
    Patching component oracle.wls.libraries, 12.1.3.0.0...
    
    Patching component oracle.wls.libraries, 12.1.3.0.0...
    
    Verifying the update...
    Patch 26519417 successfully applied
    Log file location: /usr/local/products/weblogic12c/cfgtoollogs/opatch/26519417_Jan_09_2018_23_53_57/apply2018-01-09_23-53-44PM_1.log
    
    OPatch succeeded.
    

    4.2 List the installed patches

    [cyyun@cyyun OPatch]$ ./opatch lspatches
    Jan 10, 2018 12:08:24 AM oracle.sysman.oii.oiii.OiiiInstallAreaControl initAreaControl
    INFO: Install area Control created with access level  0
    26519417;WLS PATCH SET UPDATE 12.1.3.0.171017
    
    OPatch succeeded.
    

    4.3 Installing multiple patches

    Example: there are two patches under /opt/patches/
    /opt/patches/15941858
    /opt/patches/15955138

    cd /opt/patches/
    /usr/local/products/weblogic12c/OPatch/opatch napply -id 15941858,15955138
    

    4.4 Rolling back a single patch

    cd /home/cyyun/PATCH_TOP/
    /usr/local/products/weblogic12c/OPatch/opatch rollback -id 26519417
    

    4.5 Rolling back multiple patches

    cd /opt/patches/
    /usr/local/products/weblogic12c/OPatch/opatch nrollback -id 15941858,15955138
    

    4.6 Verify which patches have been applied to the Oracle Home

    To verify what patches have been applied to an Oracle home, or to find out additional information about the Oracle home, use the opatch lsinventory command.

    [cyyun@cyyun OPatch]$ ./opatch lsinventory
    Oracle Interim Patch Installer version 13.2.0.0.0
    Copyright (c) 2014, Oracle Corporation.  All rights reserved.
    
    
    Oracle Home       : /usr/local/products/weblogic12c
    Central Inventory : /usr/local/products/oraInventory
       from           : /usr/local/products/weblogic12c/oraInst.loc
    OPatch version    : 13.2.0.0.0
    OUI version       : 13.2.0.0.0
    Log file location : /usr/local/products/weblogic12c/cfgtoollogs/opatch/opatch2018-01-11_21-49-31PM_1.log
    
    
    OPatch detects the Middleware Home as "/usr/local/products/weblogic12c"
    
    Jan 11, 2018 9:49:47 PM oracle.sysman.oii.oiii.OiiiInstallAreaControl initAreaControl
    INFO: Install area Control created with access level  0
    Lsinventory Output file location : /usr/local/products/weblogic12c/cfgtoollogs/opatch/lsinv/lsinventory2018-01-11_21-49-31PM.txt
    
    --------------------------------------------------------------------------------
    
    Interim patches (1) :
    
    Patch  26519417     : applied on Tue Jan 09 23:57:38 CST 2018
    Unique Patch ID:  21550701
    Patch description:  "WLS PATCH SET UPDATE 12.1.3.0.171017"
       Created on 4 Oct 2017, 11:34:16 hrs PST8PDT
       Bugs fixed:
         [...Truncated...]
    
    
    
    --------------------------------------------------------------------------------
    
    OPatch succeeded.
    

    Reference:
    Oracle® Fusion Middleware Patching with OPatch
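The procedure above ends with reading `opatch version`, `opatch lspatches` and `opatch lsinventory` by eye. The following is an added example (not from the article or from Oracle) that turns that check into code: it parses the two command outputs, verifies that OPatch meets a minimum version (the listings above note that newer PSUs need OPatch 13.9.4.2 or later), confirms the required patch IDs are applied, and decodes the PSU date suffix (12.1.3.0.171017 means 17 October 2017). The sample outputs are constructed from the transcript above; `run_opatch` is the only part that touches a real installation.

```python
"""Audit an OPatch-managed WebLogic home: OPatch version, required patch IDs, PSU age."""
import os
import re
import subprocess
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample of `opatch version` output (same shape as the transcript above).
SAMPLE_VERSION_OUTPUT = """OPatch Version: 13.2.0.0.0

OPatch succeeded.
"""

# Constructed sample of `opatch lspatches` output: INFO noise plus one applied PSU.
SAMPLE_LSPATCHES_OUTPUT = """Jan 10, 2018 12:08:24 AM oracle.sysman.oii.oiii.OiiiInstallAreaControl initAreaControl
INFO: Install area Control created with access level  0
26519417;WLS PATCH SET UPDATE 12.1.3.0.171017

OPatch succeeded.
"""


def parse_opatch_version(text: str) -> Tuple[int, ...]:
    """Return the version from `opatch version` output as a tuple of ints."""
    m = re.search(r"^OPatch Version:\s*([\d.]+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'OPatch Version:' line found")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def version_at_least(found: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare dotted versions of unequal length by zero-padding the shorter one."""
    n = max(len(found), len(minimum))
    return found + (0,) * (n - len(found)) >= minimum + (0,) * (n - len(minimum))


def parse_lspatches(text: str) -> Dict[str, str]:
    """Map patch ID -> description from lines like '26519417;WLS PATCH SET UPDATE ...'."""
    patches: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+);(.*)$", line.strip())
        if m:
            patches[m.group(1)] = m.group(2).strip()
    return patches


def psu_release_date(description: str) -> Optional[date]:
    """Decode the YYMMDD suffix of a PSU description (12.1.3.0.171017 -> 2017-10-17)."""
    m = re.search(r"PATCH SET UPDATE\s+(?:\d+\.)+(\d{2})(\d{2})(\d{2})\b", description)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return date(2000 + yy, mm, dd)


def audit_home(version_text: str, lspatches_text: str, required_ids: List[str],
               min_opatch: Tuple[int, ...] = (13, 9, 4, 2),
               psu_not_before: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the home passes every check."""
    findings: List[str] = []
    ver = parse_opatch_version(version_text)
    if not version_at_least(ver, min_opatch):
        findings.append("OPatch %s is older than the required %s"
                        % (".".join(map(str, ver)), ".".join(map(str, min_opatch))))
    installed = parse_lspatches(lspatches_text)
    for pid in required_ids:
        if pid not in installed:
            findings.append("required patch %s is not applied" % pid)
    if psu_not_before is not None:
        cutoff = date.fromisoformat(psu_not_before)
        dates = [d for d in (psu_release_date(desc) for desc in installed.values()) if d]
        newest = max(dates) if dates else None
        if newest is None or newest < cutoff:
            findings.append("newest applied PSU (%s) predates %s" % (newest, cutoff))
    return findings


def run_opatch(opatch_dir: str, *args: str) -> str:
    """Run the real OPatch binary, e.g. run_opatch('/usr/local/products/weblogic12c/OPatch', 'lspatches')."""
    cmd = [os.path.join(opatch_dir, "opatch"), *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for finding in audit_home(SAMPLE_VERSION_OUTPUT, SAMPLE_LSPATCHES_OUTPUT, ["26519417"]):
        print("FINDING:", finding)
```

On a live host, feed `run_opatch(opatch_dir, "version")` and `run_opatch(opatch_dir, "lspatches")` into `audit_home` instead of the samples.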

  • WebLogic 10.3.6 patch upgrade package 2021.04 (personally tested, with installation procedure); the one sold for 200 yuan on Taobao
  • WebLogic 10.3.6 latest patch download; WebLogic 11 and WebLogic 12 latest patch downloads
  • Oracle WebLogic Server 12.2.1.3 cumulative update patch package released in October 2020, p31961038_122130_Generic. It mainly fixes various bugs and security vulnerabilities. For servers or domains that have been attacked, it is recommended to delete the domain and rebuild it.
  • Sharing the WebLogic security patch installation steps and the patch download process; note that the installation process differs slightly between versions.
  • WebLogic 12c latest patch released 20 April 2021, p32698246_122140_Generic.zip
  • WebLogic patch installation

    2018-08-12 22:24:25
    How to fix WebLogic vulnerabilities by upgrading and patching! Detailed, very easy-to-follow steps
  • WebLogic 12.2.1.4 January and April 2021 patches, p32253037_122140_Generic and p32698246_122140_Generic
  • This archive contains three files. p29814665_122130_Generic.zip is the latest July patch for WebLogic 12.2.1.3.0. If your OPatch version is too low, first unzip and install p28186730_139400_Generic.zip to upgrade OPatch; check that the JDK version is correct when installing. ...
  • Earlier this year, the author publicly disclosed a deserialization vulnerability in Oracle WebLogic Server. ... In this blog post we describe in detail the vulnerability addressed by this latest patch.

    Earlier this year, the author publicly disclosed a deserialization vulnerability in Oracle WebLogic Server on the blog. The vulnerability was patched by Oracle and assigned CVE-2020-2555. However, Quynh Le, a researcher at VNPT ISC, submitted a vulnerability to ZDI showing that the patch could be bypassed to exploit the flaw. Oracle has reported that this vulnerability, tracked as CVE-2020-2883, is being used in attacks. In this blog post we describe in detail the vulnerability addressed by this latest patch.

     https://www.zerodayinitiative.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server
     https://www.us-cert.gov/ncas/current-activity/2020/05/01/unpatched-oracle-weblogic-servers-vulnerable-cve-2020-2883
     https://www.zerodayinitiative.com/advisories/ZDI-20-570/

    0x01  Patch bypass

    The original patch for CVE-2020-2555 did not patch the following part of the gadget chain:

     BadAttributeValueExpException.readObject()
       com.tangosol.util.filter.LimitFilter.toString() // <--- CVE-2020-2555 was patched here
         com.tangosol.util.extractor.ChainedExtractor.extract()
             com.tangosol.util.extractor.ReflectionExtractor().extract()
                 Method.invoke()
                 //...
                 com.tangosol.util.extractor.ReflectionExtractor().extract()
                 Method.invoke()
                     Runtime.exec()

    Calling ChainedExtractor.extract() still leads to remote code execution, and Quynh Le's report showed that ChainedExtractor.extract() remains reachable through the ExtractorComparator and AbstractExtractor classes. We begin the analysis by looking at the compare() method of ExtractorComparator:

     public int compare(T o1, T o2) {
         Comparable a1 = (o1 instanceof InvocableMap.Entry)
                 ? (Comparable) ((InvocableMap.Entry) o1).extract(this.m_extractor)
                 : (Comparable) this.m_extractor.extract(o1);
         Comparable a2 = (o2 instanceof InvocableMap.Entry)
                 ? (Comparable) ((InvocableMap.Entry) o2).extract(this.m_extractor)
                 : (Comparable) this.m_extractor.extract(o2);
         if (a1 == null) {
             return (a2 == null) ? 0 : -1;
         }
         if (a2 == null) {
             return 1;
         }
         return a1.compareTo(a2);
     }

    As shown above, ChainedExtractor.extract() can still be invoked by setting this.m_extractor to an instance of ChainedExtractor.

    Similarly, the compare() method of the abstract class AbstractExtractor can also be used:

     public int compare(Object o1, Object o2) { return SafeComparator.compareSafe(null, extract(o1), extract(o2)); }

    The MultiExtractor class extends AbstractExtractor and can reach ChainedExtractor.extract():

     public abstract class AbstractCompositeExtractor extends AbstractExtractor [...Truncated...]

     public class MultiExtractor extends AbstractCompositeExtractor
     [...Truncated...]
       public Object extract(Object oTarget) {
         if (oTarget == null) {
           return null;
         }
         ValueExtractor[] aExtractor = getExtractors();
         int cExtractors = aExtractor.length;
         Object[] aValue = new Object[cExtractors];
         for (int i = 0; i < cExtractors; i++) {
           aValue[i] = aExtractor[i].extract(oTarget); // <-----------------------
         }
         return new ImmutableArrayList(aValue);
       }

    0x02  Full gadget chain

    To build a full gadget chain, we need a way to invoke compare() on a Comparator starting from readObject(). A publicly documented way of doing this uses PriorityQueue, as in the following gadget classes: BeanShell1, Jython1, CommonsCollections2, CommonsBeanutils1, CommonsCollections4 and Groovy1:

     java.util.PriorityQueue.readObject()
       java.util.PriorityQueue.heapify()
       java.util.PriorityQueue.siftDown()
       java.util.PriorityQueue.siftDownUsingComparator()

    siftUpUsingComparator() can invoke compare() on an arbitrary Comparator:

     private void siftUpUsingComparator(int paramInt, E paramE) {
       while (paramInt > 0) {
         int i = paramInt - 1 >>> 1;
         Object object = this.queue[i];
         if (this.comparator.compare(paramE, object) >= 0) // <----------------
           break;
         this.queue[paramInt] = object;
         paramInt = i;
       }
       this.queue[paramInt] = paramE;
     }

    There are other ways to achieve this. For example, using the following path:

     javax.management.BadAttributeValueExpException.readObject()
       com.tangosol.internal.sleepycat.persist.evolve.Mutations.toString()
         java.util.concurrent.ConcurrentSkipListMap$SubMap.size()
         java.util.concurrent.ConcurrentSkipListMap$SubMap.isBeforeEnd()
           java.util.concurrent.ConcurrentSkipListMap.cpr()

    In short, the toString() method of the Mutations class can lead to a call to ConcurrentSkipListMap.size():

     ConcurrentSkipListMap$SubMap.class
         public int size() {
             Comparator cmp = m.comparator;
             long count = 0;
             for (ConcurrentSkipListMap.Node n = loNode(cmp);
                  isBeforeEnd(n, cmp);
                  n = n.next) {
                 if (n.getValidValue() != null)
                     ++count;
             }
             return count >= Integer.MAX_VALUE ? Integer.MAX_VALUE : (int)count;
         }
     [...Truncated...]
         boolean isBeforeEnd(ConcurrentSkipListMap.Node n, Comparator cmp) {
             ....
             int c = cpr(cmp, k, hi);
             if (c > 0 || (c == 0 && !hiInclusive))
                 return false;
             return true;
         }
     [...Truncated...]
         static final int cpr(Comparator c, Object x, Object y) {
             return (c != null) ? c.compare(x, y) : ((Comparable)x).compareTo(y); // <--------
         }

    From ConcurrentSkipListMap.size(), compare() can be invoked on an arbitrary Comparator.

    0x03  Exploit demonstration

    Using the methods above, the following full gadget chain was assembled for ExtractorComparator:

     javax.management.BadAttributeValueExpException.readObject()
       com.tangosol.internal.sleepycat.persist.evolve.Mutations.toString()
         java.util.concurrent.ConcurrentSkipListMap$SubMap.size()
         java.util.concurrent.ConcurrentSkipListMap$SubMap.isBeforeEnd()
           java.util.concurrent.ConcurrentSkipListMap.cpr()
             com.tangosol.util.comparator.ExtractorComparator.compare()

    The following video demonstrates this gadget chain being used to obtain RCE over the T3 protocol.

     https://www.youtube.com/watch?v=HM3Z-I998b4

    For the AbstractExtractor example, the following chain was used:

     java.util.PriorityQueue.readObject()
       java.util.PriorityQueue.heapify()
       java.util.PriorityQueue.siftDown()
       java.util.PriorityQueue.siftDownUsingComparator()
       com.tangosol.util.extractor.AbstractExtractor.compare()
         com.tangosol.util.extractor.MultiExtractor.extract()
           com.tangosol.util.extractor.ChainedExtractor.extract()
             //...
             Method.invoke()
                 //...
               Runtime.exec()

    The following video demonstrates this gadget chain being used to obtain RCE over the T3 protocol:

     https://youtu.be/juIucTRZUL8

    0x04  Exploitation over HTTP

    It should be noted that this vulnerability lies in the Coherence library. Any application that ships the Coherence library and has a deserialization path in its code is also vulnerable. One example product is Oracle Business Intelligence, which is deployed on Oracle WebLogic.

    These gadget chains can be combined with CVE-2020-2950 / ZDI-20-505, reported to ZDI by the researcher GreenDog, to achieve remote code execution over HTTP.

    The vulnerability lies in BIRemotingServlet, which listens on TCP port 7780 and requires no authentication:

     <servlet>
       <servlet-name>BIRemotingServlet</servlet-name>
       <servlet-class>oracle.bi.nanserver.fwk.servlet.as.BIRemotingServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
     </servlet>
     <servlet-mapping>
       <servlet-name>BIRemotingServelet</servlet-name>
       <url-pattern>/messagebroker/as/*</url-pattern>
     </servlet-mapping>
     <servlet-mapping>
       <servlet-name>BIRemotingServlet</servlet-name>
       <url-pattern>/messagebroker/cs/*</url-pattern>
     </servlet-mapping>

    BIRemotingServlet uses AMF (Action Message Format) to communicate with clients.

     protected void handleRequest(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse)
         throws ServletException, IOException {
       [...Truncated...]
       RemotingSvs remotingSvs = BISvsManagerBase.getRemotingSvs(); // <------------------------------
       remotingSvs.processCall();                                   // <------------------------------
       setContentType(paramHttpServletResponse, OutputForm.AMF3);
       paramHttpServletResponse.setContentLength(byteArrayOutputStream.size());
       byteArrayOutputStream.writeTo(paramHttpServletResponse.getOutputStream());
       paramHttpServletResponse.flushBuffer();
     }

     public int processCall() throws BISvsException {
       [...Truncated...]
       AMF3Packet aMF3Packet1 = deserializePacket(dataInputStream); // <------------------------------
       if (logger.isLoggable(Level.FINE)) {
         logger.fine("De-serialized request packet: " + aMF3Packet1.toString());
       }
       [...Truncated...]
     }

     // oracle.bi.nanserver.fwk.util.remoting.RemotingSvsImpl.class
     public AMF3Packet deserializePacket(DataInputStream paramDataInputStream) throws BISvsException {
       try {
         AMFObjectInput aMFObjectInput = getAMF3DeSerializer(paramDataInputStream); // <--------------
         LegacyObjectInput legacyObjectInput = new LegacyObjectInput(paramDataInputStream, aMFObjectInput);
         AMF3Packet aMF3Packet = new AMF3Packet();
         aMF3Packet.deserialize(legacyObjectInput); // <------------------------------------------------
         return aMF3Packet;
       }
       catch (Exception exception) {
         handleException(exception);
         return null;
       }
     }

     public AMFObjectInput getAMF3DeSerializer(DataInputStream paramDataInputStream) throws BISvsException {
       try {
         Class clazz = (Class)amf3DeSerializerClass.get();
         if (clazz == null) {
           String str = (String)BISvsManagerBase.getContextSvs().getValue("amf3DeSerializer");
           if (str == null || str.trim().length() == 0) {
             clazz = oracle.bi.nanserver.fwk.util.amf.AMF3ObjectInput.class; // <----------------------
             amf3DeSerializerClass.compareAndSet(null, clazz);
             logger.info("Using default AMF3 De-Serializer");
       [...Truncated...]
     }

    As shown, when an AMF packet is deserialized, arbitrary objects can be reconstructed through AMF3ObjectInput.readComplexObject():

     protected Object readComplexObject(GenericTypeInfo paramGenericTypeInfo)
         throws ClassNotFoundException, IOException {
       try {
         int i = readAMF3IntegerVal();
         if ((i & 1) == 0) {
           return getVisitedObject(i >> 1);
         }
         ClassMetadata classMetadata = readClassMetadata(i);
         String str = this.proxySvs.getConcreteClassName(classMetadata.name);
         if (str == null) {
           str = classMetadata.name;
         }
         // CVE-2020-2950 patch
         //if (isBlacklisted(str))
         //{
         //  throw new SecurityException("Unsupport class type:" + str);
         //}
         Class clazz = Class.forName(str);
         ClassProxy classProxy = this.proxySvs.getProxy(clazz);
         Object object1 = classProxy.newInstance(clazz);
         int j = this.objectRefList.size();
         markObjectVisited(object1);
         if (classMetadata.externalizable) {
           if (paramGenericTypeInfo != null) {
             classProxy.readExternal(new GenericResult(object1, paramGenericTypeInfo), this);
           } else {
             classProxy.readExternal(object1, this);
           }
         }
         else if (clazz == oracle.bi.nanserver.fwk.util.remoting.messages.RemotingMessage.class) {
           populateRemotingMessage(object1, classMetadata, classProxy);
         } else {
           String[] arrayOfString = classMetadata.getFieldNames();
           Object[] arrayOfObject = new Object[arrayOfString.length];
           for (byte b = 0; b < arrayOfString.length; b++) {
             arrayOfObject[b] = readObject();
           }
           this.proxySvs.setFieldValues(object1, arrayOfString, arrayOfObject, classProxy);
           if (classMetadata.dynamic) {
             while (true) {
               String str1 = readAMF3String();
               if (str1 == null || str1.length() == 0) {
                 break;
               }
               Object object = readObject();
               this.proxySvs.setFieldValue(object1, str1, object, classProxy);
             }
           }
         }
       [...Truncated...]

    In this example, a UnicastRef object is reconstructed, which causes a call to the remote object's server-side distributed garbage collector and lets us respond with arbitrary serialized objects. Responding with one of the gadget chains described above yields RCE.

    For more details on exploiting Java deserialization in Java AMF implementations, see this article by Code White. The gadget chains have been added to ysoserial, and a JRMP listener was used to exploit this vulnerability.

     https://codewhitesec.blogspot.com/2017/04/amf.html
     https://github.com/frohoff/ysoserial

    The following video demonstrates this:

     https://www.youtube.com/embed/h1c0sfVZNO8

    0x05  Summary

    For more details on Java deserialization vulnerabilities, see Moritz Bechler's white paper. Oracle's blog does not say how widespread the attacks are, but its guidance is clear: patch immediately. Oracle also provides guidance on how to restrict T3/T3S protocol traffic for Oracle WebLogic Server. The next Oracle patch release is scheduled for 14 July 2020; we will keep watching how many deserialization vulnerabilities remain after that update.

     https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
     https://blogs.oracle.com/security/apply-april-2020-cpu
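The write-up above names every class in the two chains (BadAttributeValueExpException, Mutations, ConcurrentSkipListMap, ExtractorComparator, PriorityQueue, MultiExtractor, ChainedExtractor, ReflectionExtractor, and LimitFilter from the original CVE-2020-2555). The following is an added example, not ZDI's or Oracle's code, that uses those names for detection: a byte-level scan of a Java serialization stream that collects the class names following TC_CLASSDESC markers and grades the stream by which chain classes appear. It assumes the standard stream layout (magic 0xACED0005, TC_CLASSDESC 0x72 followed by a 2-byte length and the class name); the sample streams are constructed for the test and are not valid payloads. Patching and restricting T3/T3S remain the fix; this is a triage aid for captured traffic or a deserialization hook.

```python
"""Heuristic scan of a Java serialization stream for the Coherence gadget classes named above."""
import re
from typing import List

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
# A TC_CLASSDESC is followed by a 2-byte big-endian length and the class name as (modified) UTF-8.
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Classes from the chains in the write-up (CVE-2020-2555 / CVE-2020-2883).
GADGET_CLASSES = {
    "javax.management.BadAttributeValueExpException",
    "java.util.PriorityQueue",
    "java.util.concurrent.ConcurrentSkipListMap",
    "com.tangosol.util.filter.LimitFilter",
    "com.tangosol.util.comparator.ExtractorComparator",
    "com.tangosol.util.extractor.MultiExtractor",
    "com.tangosol.util.extractor.ChainedExtractor",
    "com.tangosol.util.extractor.ReflectionExtractor",
    "com.tangosol.internal.sleepycat.persist.evolve.Mutations",
}
# The reflection sinks: any of these arriving from an untrusted T3/IIOP/AMF peer is alarming by itself.
EXTRACTOR_CLASSES = {c for c in GADGET_CLASSES if ".extractor." in c}


def is_java_stream(data: bytes) -> bool:
    return data.startswith(STREAM_MAGIC)


def extract_class_names(data: bytes, max_name_len: int = 512) -> List[str]:
    """Collect class names that follow TC_CLASSDESC markers, in stream order.

    This is a byte-level heuristic, not a full ObjectInputStream parser: 0x72 ('r') also
    occurs inside data, so a candidate is accepted only if the length-prefixed bytes form a
    plausible dotted Java class name. Accepted names are skipped whole so their letters are
    not rescanned.
    """
    if not is_java_stream(data):
        return []
    names: List[str] = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            length = int.from_bytes(data[i + 1:i + 3], "big")
            candidate = data[i + 3:i + 3 + length]
            if 0 < length <= max_name_len and len(candidate) == length and CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def gadget_hits(names: List[str]) -> List[str]:
    """Return the known gadget classes present, in stream order, without duplicates."""
    seen, hits = set(), []
    for n in names:
        if n in GADGET_CLASSES and n not in seen:
            seen.add(n)
            hits.append(n)
    return hits


def verdict(data: bytes) -> str:
    hits = gadget_hits(extract_class_names(data))
    if any(h in EXTRACTOR_CLASSES for h in hits):
        return "block"   # a reflection sink is present
    if hits:
        return "review"  # trigger classes only (PriorityQueue etc. also occur in benign traffic)
    return "allow"


def class_desc(name: str) -> bytes:
    """Constructed minimal TC_CLASSDESC: name, zero serialVersionUID, SC_SERIALIZABLE, no fields."""
    enc = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + len(enc).to_bytes(2, "big") + enc
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed samples (shape only, not valid payloads): a chain-like stream and a benign one.
SAMPLE_CHAIN_STREAM = STREAM_MAGIC + b"".join(
    bytes([TC_OBJECT]) + class_desc(c) for c in (
        "javax.management.BadAttributeValueExpException",
        "com.tangosol.util.comparator.ExtractorComparator",
        "com.tangosol.util.extractor.ChainedExtractor",
    ))
SAMPLE_BENIGN_STREAM = STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc("java.util.HashMap")
```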

     

     

