Chongqing Sizhuang Oracle and Redhat Certification Study Forum

WebLogic deserialization vulnerability patch

Posted on 2016-6-6 14:30:42

Applies to:
Oracle Fusion Middleware
Oracle WebLogic Server - Version 10.3.6 to 12.2.1.0.0
Information in this document applies to any platform.
This applies to any product deployment using Oracle WebLogic Server


Purpose

This document defines minimum releases and patches for the Oracle WebLogic Server component of Oracle Fusion Middleware to address the vulnerability described in the Oracle Security Alert for CVE-2015-4852: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

Details

It is important to read the Oracle Security Alert before reading this document. The table below defines minimum releases and patches for Oracle WebLogic Server.


  • See also Note 2076338.1 CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware
  • January 2016 CPU Update:

    Beginning January 2016, CVE-2015-4852 fixes are now included in the below Patch Set Update (PSU) releases and higher:

    12.2.1.0.1
    12.1.3.0.6
    12.1.2.0.8
    10.3.6.0.13

    To obtain the latest cumulative PSU, refer to the Critical Patch Update program at http://www.oracle.com/technetwork/topics/security/alerts-086861.html. Review the latest Advisory and click the "Fusion Middleware" link within to obtain the latest cumulative Patch Availability Document.
  • Important: If you have a version older than 10.3.6 or 12.1.2, you must upgrade as per the Error Correction Policy: Note 950131.1, "Error Correction Support Dates for Oracle WebLogic Server".
  • The initial patching requirements from November 2015 are listed below with patch links for all versions under error correction support:

WLS Release   Required Patches
-----------   ----------------
12.2.1.0      12.2.1.0.0 Patch 22248372 for CVE-2015-4852
12.1.3.0      PSU 12.1.3.0.5 (Patch 21370953) + 12.1.3.0.5 Patch 22248372 for CVE-2015-4852
12.1.2.0      PSU 12.1.2.0.7 (Patch 21364493) + 12.1.2.0.7 Patch 22248372 for CVE-2015-4852
10.3.6.0      PSU 10.3.6.0.12 (Patch 20780171, Smart Update Patch ID: EJUW) + 10.3.6.0.12 Patch 22248372 for CVE-2015-4852

  • Patches are not password protected for versions listed above. Older versions are now expired.
  • Due to issues with linking to the standard My Oracle Support patch download page, the above links go to an alternative updates.oracle.com location. If you have firewall rules on your network, you should adjust accordingly for the links to work.
  • You may also access these patches by going to the "Patches and Updates" tab, performing a search on the above numbers, and selecting your version.



References

NOTE:2076338.1 - CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware
NOTE:1074055.1 - Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
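
An inventory check built from the minimums listed above, as an added example that is not part of the original post or of Oracle's note. It assumes five-part version strings whose fifth field is the PSU level and patch IDs supplied from your own inventory; the function names, status strings and sample hosts are hypothetical.

```python
# Added example (not Oracle's code): classify WebLogic versions against this note's minimums.
# Assumption: the fifth version field is the PSU level, e.g. "12.1.3.0.5" = PSU 5.

# First PSU per release line that already includes the CVE-2015-4852 fix (January 2016).
FIXED_PSU = {(12, 2, 1, 0): 1, (12, 1, 3, 0): 6, (12, 1, 2, 0): 8, (10, 3, 6, 0): 13}
# November 2015 route: this PSU level plus the overlay patch below.
OVERLAY_BASE_PSU = {(12, 2, 1, 0): 0, (12, 1, 3, 0): 5, (12, 1, 2, 0): 7, (10, 3, 6, 0): 12}
OVERLAY_PATCH = "22248372"


def parse_version(text):
    """Return a 5-tuple of ints; a 4-part version means no PSU applied (level 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) == 4:
        parts += (0,)
    if len(parts) != 5:
        raise ValueError(f"expected 4 or 5 numeric fields: {text!r}")
    return parts


def assess(version, applied_patches=()):
    """Hypothetical helper: map a version and applied patch IDs to a status string."""
    *line, psu = parse_version(version)
    line = tuple(line)
    if line not in FIXED_PSU:
        # The note requires an upgrade for anything older than 10.3.6 or 12.1.2.
        older = line[:3] < (10, 3, 6) or (12, 0, 0) <= line[:3] < (12, 1, 2)
        return "upgrade-required" if older else "not-covered"
    if psu >= FIXED_PSU[line]:
        return "fixed-in-psu"
    # The overlay patch is listed only on top of one specific PSU level per line.
    if psu == OVERLAY_BASE_PSU[line] and OVERLAY_PATCH in set(map(str, applied_patches)):
        return "fixed-with-overlay"
    return "needs-patch"


if __name__ == "__main__":
    # Constructed inventory for illustration: (host, version, applied patch IDs).
    inventory = [
        ("app01", "12.1.3.0.6", []),
        ("app02", "12.1.3.0.5", ["21370953", "22248372"]),
        ("app03", "10.3.6.0.12", ["20780171"]),
        ("app04", "10.3.5.0", []),
    ]
    for host, version, patches in inventory:
        print(f"{host:6} {version:12} {assess(version, patches)}")
```
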