Oracle® WebLogic Server
Post-Install Actions and Considerations for
Oracle WebLogic Server Patch Set Updates
F41372-07
January 2022
Copyright © 2021, 2022, Oracle and/or its affiliates.
Primary Author: Oracle Corporation
This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on
behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software,
any programs embedded, installed or activated on delivered hardware, and modifications of such programs)
and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end
users are "commercial computer software" or "commercial computer software documentation" pursuant to the
applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use,
reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or
adaptation of i) Oracle programs (including any operating system, integrated software, any programs
embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle
computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the
license contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloud
services are defined by the applicable contract for such services. No other rights are granted to the U.S.
Government.
This software or hardware is developed for general use in a variety of information management applications.
It is not developed or intended for use in any inherently dangerous applications, including applications that
may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you
shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its
safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.
Oracle, Java, and MySQL are registered trademarks of Oracle and/or its affiliates. Other names may be
trademarks of their respective owners.
Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc,
and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered
trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise
set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,
products, or services, except as set forth in an applicable agreement between you and Oracle.
Contents
1 About this Document
2 Readme Post-Installation Instructions
   Instructions for Release 12.2.1.4
   Instructions for Release 12.2.1.3
   Instructions for Release 12.1.3.0
   Instructions for Release 10.3.6
   Java Upgrade Information
      Minimum and Recommended JDK Update Levels for WebLogic Server PSUs
      Requirements for New JDK Levels
3 Security Advice and Considerations
   WebLogic Server PSUs
      PSU for January 2022
      PSU for October 2021
         WebLogic Server Console Provides Help for Specific Security Warnings
         Enable Allowlist Using the WebLogic Server Administration Console
         Requirement to Install the Coherence Patch
      PSU for July 2021
         Security Validation in the WebLogic Server Administration Console
         Applying Patches with the Stack Patch Bundle (SPB)
         Certificate Expiry Notifications
         Allowlist for JEP 290 Filtering
         Dynamic Blocklist Distribution
         CVE-2018-3149 Java Naming and Directory Interface (JNDI) Injection
         Additional Classpath Servlet Changes
         Apache ANT Update for 12.1.3
      PSU for April 2021
         Upgrading the Apache Ant Update to 1.9.15
         Classpath Servlet Changes
         Updating Blocklist Filters Dynamically
         Disabling Anonymous RMI T3 and IIOP Requests
         UNC Paths Not Supported in WebLogic Server Administration Console
   Documentation Accessibility
1 About this Document
You can use this document to learn about important information such as changed features,
required configurations, and any other post-installation tasks that are relevant after you have
applied the WebLogic Server Patch Set Update (PSU) for 14.1.1.0, 12.2.1.4, 12.2.1.3, 12.1.3,
and 10.3.6. Each PSU is a single, cumulative, well-tested quarterly patch that includes
Critical Patch Update (CPU) content and other patches that are considered critical for
customers.
Note:
Support for Oracle WebLogic Server Release 10.3.6.0 has expired. See the Oracle
Lifetime Support Policy document and the list of final CPUs scheduled for October
2021 in the Critical Patch Update (CPU) Program Oct 2021 Patch Availability
Document (PAD).
You can download this document from Doc 2764668.1.
Until April 2021, WebLogic Server PSU content was limited to security fixes and, optionally,
a restricted set of high-impact fixes that had been proven in customer environments. For
updates on 12.2.1.3, 12.2.1.4, and 14.1.1.0 WebLogic Server PSUs, see the Overview of PSUs
section in Patch Set Update (PSU) Administration Guide for Oracle WebLogic Server (WLS)
(Doc ID 1306505.1).
2 Readme Post-Installation Instructions
The readme post-installation instructions are cumulative and are included in this document
starting from the April 2021 PSU. Going forward, such information will be consolidated into
this document.
This chapter consists of the following sections:
• Instructions for Release 12.2.1.4
• Instructions for Release 12.2.1.3
• Instructions for Release 12.1.3.0
• Instructions for Release 10.3.6
• Java Upgrade Information
Instructions for Release 12.2.1.4
There are no new post-installation instructions for the July 2021 through the January 2022
releases of the WebLogic Server PSUs.
Instructions for April 2021 PSU
You can restrict the privileges associated with the WebLogic Server database schemas
created by using the Repository Creation Utility (RCU). See Doc ID 2434115.1.
Instructions for Release 12.2.1.3
There are no new post-installation instructions for the July 2021 through the January 2022
releases of the WebLogic Server PSUs.
Instructions for April 2021 PSU
The fix for bug 26929163 updates the runtime components for the WebLogic Server plug-in
for the Repository Creation Utility (RCU) and the Upgrade Assistant (UA) tools. The fix
prevents any future configurations or upgrades from assigning the ANY privilege to the
WebLogic Server schema owners. However, the patch does not affect the schemas that have
already been installed or upgraded to the correct schema version.
If you want to remove the 'ANY' privileges that have been assigned to the WebLogic Server
schema owners for existing installations, run the script located at:
$ORACLE_HOME/oracle_common/common/sql/wlsservices/sql/cleanup.sql
You have to run cleanup.sql as the DBA user and provide the WLS schema owner
names. For example, if the WLS schema owners are DEV1_WLS and
DEV1_WLS_RUNTIME, run the script as follows:
sqlplus <dba-connect-info> cleanup.sql DEV1_WLS DEV1_WLS_RUNTIME
For instructions to remove 'ANY' privileges from the WebLogic Server 12c database
schemas created using RCU, see Doc ID 2434115.1.
Instructions for Release 12.1.3.0
There are no new post-installation instructions for the July 2021 through the January
2022 releases of the WebLogic Server PSUs.
Instructions for April 2021 PSU
To remove 'ANY' privileges from the WebLogic Server 12c database schemas created
using RCU, see Doc ID 2434115.1.
For instructions to upgrade the Oracle JDBC and UCP drivers bundled with WebLogic
Server 10.3.6 and 12c releases, see Doc ID 1970437.1.
Instructions for Release 10.3.6
There are no new post-installation instructions for the July 2021 through the January
2022 releases of the WebLogic Server PSUs.
Instructions for April 2021 PSU
The post-installation instructions for April 2021 PSU include the following:
• Restart All WebLogic Servers
The following command provides a simple method to verify the successful
installation of a WebLogic Server PSU:
$ . $WL_HOME/server/bin/setWLSEnv.sh
$ java weblogic.version
Example
In the following output, 10.3.6.0.210420 is the installed WebLogic Server PSU.
WebLogic Server 10.3.6.0.210420 PSU Patch for BUG32403651
• About Providing Explicit Permissions to ANT Files Post Installation
After installing the WebLogic Server PSU for April 2021 or later on UNIX/Linux, the
ANT executable permissions are no longer set on the ANT scripts. You cannot set
the permissions through the PSU patching tool. The permissions should be set as
a post-installation step. If you are using ANT directly, run the following commands to set
the required executable permissions:
cd $MW_HOME/modules/org.apache.ant_1.7.1/bin
chmod 750 antRun ant ant.bat ant.cmd antenv.cmd antRun.bat antRun.pl
No action is necessary if you are not using ANT. The permission does not cause any
change in the functionality of WebLogic Server.
For information about the Apache ANT update, see Upgrading the Apache Ant Update to
1.9.15.
• About the weblogic.policy file
If you are using a Java security manager (for example, -Djava.security.manager to
start WebLogic Server), ensure that the code base in your policy file points to the location
where the patches are installed. The policy file is specified by -Djava.security.policy
at server start up. By default, this is the weblogic.policy file, which resides in
WL_HOME/server/lib, where WL_HOME is the WebLogic Server installation directory.
Example
This is an example of what you should add to the weblogic.policy file for the installed
patches:
grant codeBase "file:<path-to-WLS-patch-jars>/patch_wls1036/patch_jars/-"
{
permission java.security.AllPermission;
};
The default weblogic.policy file is a sample. If you decide to use this file, you must
modify it. For more information, see Using Java EE Security to Protect WebLogic
Resources.
• About Fusion Middleware 11g installations Using PSUs
You may see the following error after you start the Administration Server:
Unable to Read Logging Configuration from File 'logging.xml' exception:
oracle.core.ojdl.logging.LoggingConfigurationException: ODL-52050
Or
<BEA-149231> <Unable to set the activation state to true for the application
'SHAREDSERVICES [Version=11.1.2.0]'
For a resolution, see Doc ID 2604499.1.
If your deployed application uses Java deserialization, you may need to customize the
WebLogic JEP 290 default filter. See the Restrict incoming serialized Java objects row in
the Securing Network Connections table.
For instructions to upgrade the Oracle JDBC and UCP drivers bundled with WebLogic
Server 10.3.6 and 12c releases, see Doc ID 1970437.1.
Java Upgrade Information
This section lists the recommendations that accompany the quarterly WebLogic Server
PSUs.
This section includes the following topics:
• Minimum and Recommended JDK Update Levels for WebLogic Server PSUs
• Requirements for New JDK Levels
Minimum and Recommended JDK Update Levels for WebLogic Server PSUs
The following table lists, for each WebLogic Server release, the minimum and recommended
JDK update levels for the WebLogic Server January 2022 PSU release:

WebLogic Server Release 14.1.1.0
   Minimum JDK Update Level: Java SE 8 update 251 and Java SE 11.0.6. See Doc ID 2421487.1
   and the Oracle WebLogic Server (14.1.1.0.0) Certification Matrix.
   Recommended JDK Update Level: Java SE 8 Update 321 or later for Linux, Windows, and
   Solaris (Patch 18143322), OR Java SE 11.0.14 or later for Linux, Windows, and Solaris
   (Patch 27838191).
WebLogic Server Release 12.2.1.4
   Minimum JDK Update Level: Java SE 8 update 211. See Doc ID 2421487.1 and the Oracle
   Fusion Middleware 12c (12.2.1.4.0) Certification Matrix.
   Recommended JDK Update Level: Java SE 8 Update 321 or later for Linux, Windows, and
   Solaris (Patch 18143322).
WebLogic Server Release 12.2.1.3
   Minimum JDK Update Level: Java SE 8 update 191. See Doc ID 2421487.1 and the Oracle
   Fusion Middleware 12c (12.2.1.3.0) Certification Matrix.
   Recommended JDK Update Level: Java SE 8 Update 321 or later for Linux, Windows, and
   Solaris (Patch 18143322).
WebLogic Server Release 12.1.3
   Minimum JDK Update Level: Java SE 7 update 201 and Java SE 8 update 191. See Doc ID
   2421487.1 and the Oracle Fusion Middleware 12c (12.1.3.0.0) Certification Matrix.
   Recommended JDK Update Level: Java SE 8 Update 321 or later for Linux, Windows, and
   Solaris (Patch 18143322).
WebLogic Server Release 10.3.6
   Minimum JDK Update Level: Java SE 7 update 201. See Doc ID 2421487.1 and the Oracle
   Fusion Middleware 11g Release 1 (11.1.1.x) Certification Matrix.
   Recommended JDK Update Level: Java SE 7 Update 331 or later for Linux, Windows, and
   Solaris (Patch 13079846).
Requirements for New JDK Levels
TLS 1.0 and 1.1 cryptographic protocols have been disabled by default as of the JDK
updates listed below:
• JDK 7u301
• JDK 8u291
• JDK 11.0.11
If you are using the JSSE provider from these JDK versions in your WebLogic Server
configuration, TLS 1.0 and 1.1 protocols will be disabled by default.
As a result of this update, TLS or SSL (or both) interoperability issues are possible between
updated WebLogic Server configurations with:
• Older systems that do not support TLS 1.2 (only support up to TLS 1.1 or earlier). If you
must interoperate over TLS with such systems, you will need to re-enable the less
secure TLSv1 or TLSv1.1 protocols.
• WebLogic Server 10.3.6 installations using Certicom SSL – These systems should be
reconfigured to use JSSE as provided in JDK 7 with the updated TLS protocol support.
• WebLogic Server 10.3.6 installations on JDK 6u121 or prior versions – JDK 6 is EOL and
WebLogic Server 10.3.6 is not supported on JDK 6 at this time. WebLogic Server 10.3.6
systems running on JDK 6 should be upgraded to use JSSE SSL with JDK 7.
• Oracle supported Web Servers or plug-ins that do not support TLS 1.2 (only support up
to TLS 1.1 or earlier).
You should upgrade the plug-in or the Web Server or both to:
– OHS 11.1.1.9 or later versions.
– Apache 2.4 and WebLogic Server 12.2.1.4 plug-ins.
– For IIS, see Doc ID 2101695.1.
Verify that WebLogic Server and the upgraded Web Servers are certified in the
appropriate certification matrices. See Oracle Fusion Middleware Supported System
Configurations.
You can re-enable TLS 1.0 and 1.1 protocols by removing TLSv1 or TLSv1.1 or both from the
jdk.tls.disabledAlgorithms security property available in the java.security
configuration file.
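As an added example that is not part of this Oracle document, the following Python script applies the January 2022 JDK table above and the TLS 1.0/1.1 thresholds from this section to a domain's java.version string, and parses a java.security file to confirm which legacy protocols are still disabled. The table values and JDK update numbers are transcribed from this document; the java.security fragment is a constructed sample.

```python
import re

# Minimum and recommended JDK update levels for the January 2022 PSU, transcribed
# from the table in this section as (java_major, update) tuples.
JDK_LEVELS = {
    "14.1.1.0": {"minimum": [(8, 251), (11, 6)], "recommended": [(8, 321), (11, 14)]},
    "12.2.1.4": {"minimum": [(8, 211)], "recommended": [(8, 321)]},
    "12.2.1.3": {"minimum": [(8, 191)], "recommended": [(8, 321)]},
    "12.1.3": {"minimum": [(7, 201), (8, 191)], "recommended": [(8, 321)]},
    "10.3.6": {"minimum": [(7, 201)], "recommended": [(7, 331)]},
}
# JDK updates from which TLS 1.0 and 1.1 are disabled by default: 7u301, 8u291, 11.0.11.
TLS_LEGACY_DISABLED_FROM = {7: (7, 301), 8: (8, 291), 11: (11, 11)}
LEGACY_TLS = ("TLSv1", "TLSv1.1")


def parse_java_version(text):
    """Turn a java.version string into (major, update): '1.8.0_321-b07' -> (8, 321),
    '1.7.0_201' -> (7, 201), '11.0.14' -> (11, 14)."""
    m = re.match(r"^1\.(\d)\.0_(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(3))
    raise ValueError("unrecognised java.version: %r" % text)


def check_jdk_level(wls_release, java_version):
    """Classify a JDK against the table for one WebLogic Server release: 'below-minimum',
    'minimum' (at least the minimum, below the recommended level), 'recommended', or
    'unsupported-line' when the table lists no level for that Java major version."""
    levels = JDK_LEVELS[wls_release]
    major, update = parse_java_version(java_version)
    minimum = [m for m in levels["minimum"] if m[0] == major]
    if not minimum:
        return "unsupported-line"
    if (major, update) < minimum[0]:
        return "below-minimum"
    recommended = [r for r in levels["recommended"] if r[0] == major]
    if recommended and (major, update) >= recommended[0]:
        return "recommended"
    return "minimum"


def legacy_tls_disabled_by_default(java_version):
    """True when this JDK update ships with TLSv1 and TLSv1.1 disabled by default."""
    major, update = parse_java_version(java_version)
    threshold = TLS_LEGACY_DISABLED_FROM.get(major)
    return threshold is not None and (major, update) >= threshold


def disabled_algorithms(java_security_text):
    """Return the entries of jdk.tls.disabledAlgorithms from java.security content.
    java.security is a Java properties file: '#' starts a comment and a trailing
    backslash continues the value on the next line, so lines are joined first."""
    logical, buf = [], ""
    for raw in java_security_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    for line in logical:
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            return [entry.strip() for entry in value.split(",") if entry.strip()]
    return []


def legacy_tls_status(java_security_text):
    """Map each legacy protocol to True when the file still disables it, so an
    interoperability workaround (removing TLSv1 or TLSv1.1) is not left behind."""
    entries = set(disabled_algorithms(java_security_text))
    return {proto: proto in entries for proto in LEGACY_TLS}


# Constructed fragment in the style of a JDK 8u291 java.security file, not a real one.
SAMPLE_JAVA_SECURITY = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

if __name__ == "__main__":
    for release, version in [("12.2.1.4", "1.8.0_321"), ("12.1.3", "1.7.0_201"),
                             ("14.1.1.0", "11.0.6"), ("10.3.6", "1.7.0_191")]:
        tls = "TLS 1.0/1.1 off by default" if legacy_tls_disabled_by_default(version) else ""
        print(release, version, check_jdk_level(release, version), tls)
    print(legacy_tls_status(SAMPLE_JAVA_SECURITY))
```

On a live system, feed `java -XshowSettings:properties -version` output (the java.version line) and `$JAVA_HOME/jre/lib/security/java.security` (JDK 8) or `$JAVA_HOME/conf/security/java.security` (JDK 11) into these functions.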
3 Security Advice and Considerations
This document provides information about the required security advice and other
considerations/recommendations for the Oracle WebLogic Server PSUs released every
quarter, starting from the April 2021 PSU.
This chapter includes the following section:
WebLogic Server PSUs
WebLogic Server PSUs
WebLogic Server PSUs follow a quarterly schedule. Starting from April 2021, this document
will be published along with the release of the WebLogic Server PSUs, specifically on the
Tuesday closest to the 17th of January, April, July, and October.
Note:
Ensure that you follow the latest recommendations as documented in the Patch
Availability Document (PAD) and apply all the patches that are applicable to the
WebLogic Server installation. See the cumulative PAD by visiting the latest advisory
at https://www.oracle.com/security-alerts/.
This section includes the following topics:
• PSU for January 2022
• PSU for October 2021
• PSU for July 2021
• PSU for April 2021
PSU for January 2022
There are no new security advisories or considerations for this release of the WebLogic
Server PSU.
PSU for October 2021
This section includes the following topics:
• WebLogic Server Console Provides Help for Specific Security Warnings
• Enable Allowlist Using the WebLogic Server Administration Console
• Requirement to Install the Coherence Patch
WebLogic Server Console Provides Help for Specific Security Warnings
This feature applies to WebLogic Server releases 14.1.1.0, 12.2.1.4, and 12.2.1.3.
With the October PSU, WebLogic Server Administration Console provides a Help
button enabling users to access relevant content/information (depending on the
version of WebLogic Server used) about disabling the following security attributes (if
set to 'true'):
• Remote anonymous RMI access via IIOP
• Remote anonymous RMI access via T3
On the WebLogic Server Administration Console (in the Security>General tab), you
are alerted if these attributes are set to true. With a click of the Help button, you gain
access to instructions for clearing the check boxes and disabling these requests. The
instructions are relevant to the version of WebLogic Server you are using. For
example, if you are using WebLogic Server 14.1.1.0, Help will point to Disable Remote
Anonymous RMI T3 and IIOP Requests in the Securing a Production Environment for
Oracle WebLogic Server guide for 14.1.1.0.
Enable Allowlist Using the WebLogic Server Administration Console
This feature is available in WebLogic Server releases 12.2.1.4 and 14.1.1.0.
With the October PSU, you can now configure an allowlist for a WebLogic Server
domain using the WebLogic Server Administration Console. Allowlists are
configuration files through which WebLogic Server and customers define the
acceptable classes and packages that are allowed to be deserialized, while all
other classes are blocked.
By using the Allowlist tab, you can now define the following attributes for the allowlist:
• Violation action, to configure whether the WebLogic Server domain should use
allowlists or blocklists.
• Polling interval (in seconds) at which the directory containing the allowlist
configuration file should be polled.
• Whether or not recording should be enabled for the allowlist.
For more information about using the Allowlist tab, see Using an Allowlist for JEP 290
Filtering in Administering Security for Oracle WebLogic Server.
Requirement to Install the Coherence Patch
A security vulnerability (CVE-2021-35617) is seen in the Oracle WebLogic Server
product of Oracle Fusion Middleware (component: Coherence Container) in releases
14.1.1.0, 12.2.1.4, and 12.2.1.3.
For a resolution of this CVE, you should install both the WebLogic Server PSU and the
Coherence patch. See the quarterly Critical Patch Update Patch Availability Document
for the list of patches.
PSU for July 2021
This section includes the following topics:
• Security Validation in the WebLogic Server Administration Console
• Applying Patches with the Stack Patch Bundle (SPB)
• Certificate Expiry Notifications
• Allowlist for JEP 290 Filtering
• Dynamic Blocklist Distribution
• CVE-2018-3149 Java Naming and Directory Interface (JNDI) Injection
• Additional Classpath Servlet Changes
• Apache ANT Update for 12.1.3
Security Validation in the WebLogic Server Administration Console
The July 2021 PSU provides a new feature that enables security validation in the WebLogic
Server Administration Console. The console performs the role of a security checker by
validating the security configuration settings of your domain against a set of security
configuration guidelines recommended by Oracle. You can also configure the security
configuration settings on the SecureMode MBean by using the WebLogic Scripting Tool
(WLST).
During the validation process, if the WebLogic Administration Console detects any
configuration settings that do not conform to the recommended guidelines, it logs a warning
message in the Security Warnings Report. This report is displayed in the console, at start up.
The reported issues should then be addressed by the WebLogic administrators for the
domain.
This feature is available for WebLogic Server 14.1.1.0, 12.2.1.4, and 12.2.1.3 releases. For
more information about the validation process and the security checks, see the following
sections in the Securing a Production Environment for Oracle WebLogic Server guide for your
release:
• Review Potential Security Issues for 14.1.1.0
• Review Potential Security Issues for 12.2.1.4
• Review Potential Security Issues for 12.2.1.3
Applying Patches with the Stack Patch Bundle (SPB)
The July PSU introduces a new Stack Patch Bundle Automation Tool (SPBAT) for Linux,
Solaris and Windows users. The SPBAT tool helps perform the prerequisite checks before
applying the patches. For more information, see Doc ID 2764636.1.
This tool is available for releases 14.1.1.0, 12.2.1.4, and 12.2.1.3.
Certificate Expiry Notifications
The July 2021 PSU provides a feature that enables WebLogic Server to automatically detect
SSL certificates that are about to expire. The system administrators are informed about the
expiring certificates with the help of notifications in the Security Warnings Report displayed in
the WebLogic Server Administration Console, or by an email. The notifications are sent
based on a configurable time period. WebLogic Server checks these certificates once at start
up, and then periodically at predefined intervals.
This feature supports timely renewal of expiring certificates and helps prevent production
downtime at customer locations.
This feature is available for WebLogic Server 14.1.1.0, 12.2.1.4, and 12.2.1.3 releases.
For more information about setting reminders to notify customers, see the following
sections in the Administering Security for Oracle WebLogic Server guide for your
release:
• Setting Certificate Expiry Notifications for 14.1.1.0
• Setting Certificate Expiry Notifications for 12.2.1.4
Allowlist for JEP 290 Filtering
The July 2021 PSU adds support for allowlists in JEP 290 filtering. When using the
allowlist model, WebLogic Server and the customer define a list of the acceptable
classes and packages that are allowed to be deserialized, and all other classes are
blocked. With the blocklist model, WebLogic Server defines a set of well-known classes
and packages that are vulnerable and blocks them from being deserialized, while all
other classes are deserialized. The allowlist model is more secure because it only
allows deserialization of classes that are required by WebLogic Server and customer
applications.
This feature is available for WebLogic Server release 14.1.1.0.
For more information about JEP 290, see Using JEP 290 in Oracle WebLogic Server.
Dynamic Blocklist Distribution
With the April 2021 PSU, WebLogic Server detected, by default, blocklist files placed
in the DOMAIN_HOME/config/security directory. With the July 2021 PSU,
WebLogic Server will additionally detect, by default, blocklist files placed in the
WebLogic Server Oracle Home in the oracle_common/common/jep290 directory.
Users can continue to specify other directories where WebLogic Server may detect
blocklist files. Blocklist files may be placed in these directories while WebLogic Server
instances are running, and blocklist filters will be updated without requiring a server
restart.
CVE-2018-3149 Java Naming and Directory Interface (JNDI) Injection
The CVE-2018-3149 JNDI Injection vulnerability enables attackers to compromise Java
SE and other products. This vulnerability exists in JDK version 7u201 or earlier and JDK
version 8u191 or earlier.
With the July 2021 PSU, WebLogic Server displays a warning in the WebLogic Server
Administration Console and at start up if you run the server with a JDK version
8u181/7u191 or earlier. You must install JDK versions 7u201 or 8u191 (or later) to
prevent the warning.
Additional Classpath Servlet Changes
The April 2021 PSU introduced changes to the classpath servlet to enable secure
mode by default.
In the July PSU, the classpath servlet has updated the list of classes allowed from well
known packages required for JDBC and JMS functionality. If you encounter the
ClassNotFoundException errors in the July PSU, follow the instructions provided in the
April 2021 PSU topic to resolve issues in the RMI clients. See Classpath Servlet Changes.
Apache ANT Update for 12.1.3
In the April 2021 PSU, the installation of the Apache ANT update 1.9.15 was available only
for release 10.3.6. With the July 2021 PSU, this support extends to release 12.1.3. The
1.9.15 version of ANT will be installed in a new versioned directory:
MW_HOME/modules/org.apache.ant_1.9.15/.
For the April PSU update, see Upgrading the Apache Ant Update to 1.9.15.
PSU for April 2021
This section includes the following topics:
• Upgrading the Apache Ant Update to 1.9.15
• Classpath Servlet Changes
• Updating Blocklist Filters Dynamically
• Disabling Anonymous RMI T3 and IIOP Requests
• UNC Paths Not Supported in WebLogic Server Administration Console
Upgrading the Apache Ant Update to 1.9.15
Note:
This upgrade applies to WebLogic Server 10.3.6 only.
The April 2021 PSU packages the new Apache Ant version 1.9.15; the version shipped
previously is 1.7.1. The Apache Ant installation under the existing ANT_HOME,
MW_HOME/modules/org.apache.ant_1.7.1, is upgraded in place to 1.9.15. The same
ANT_HOME is kept to ensure backward compatibility. For a comprehensive listing of the
new features in Apache Ant version 1.9.15, see
MW_HOME/modules/org.apache.ant_1.7.1/WHATSNEW.
For instructions about setting permissions to the ANT files post Installation of the PSU, see
About Providing Explicit Permissions to ANT Files Post Installation.
Classpath Servlet Changes
In the April 2021 PSU, the default setting of the WebLogic
ClasspathServletSecureModeEnabled attribute in the ServerTemplateMBean has
changed from false to true. Setting the ClasspathServletSecureModeEnabled
attribute to true enables secure mode by default and restricts access to several file types
when using the bea_wls_internal web application.
The bea_wls_internal web application, which WebLogic deploys by default, allows
direct download of file types such as .jar, .war, .class, .dtd, .ear, .rar and so
on from a subdirectory of the WebLogic domain.
If secure mode is enabled, the Classpath Servlet serves only class files from well
known packages required for JDBC and JMS functionality.
If your RMI clients encounter ClassNotFoundException issues after applying the
April 2021 PSU, then your clients may not have the required classes present on the
client classpath and may be inadvertently relying on the Classpath Servlet's remote
class loading capability.
To resolve any ClassNotFoundException issues in your RMI clients, perform one
of the following steps:
• Ensure that the client classpath contains the classes required by the EJB and RMI
objects that are used by the client. Oracle recommends this alternative for
resolving any ClassNotFoundException errors.
The Classpath Servlet will log any classes that are being downloaded from the
server and you can ensure they are included in the RMI client classpath. For more
information about the downloaded class information logged by the Classpath
Servlet, see Logging by the Classpath Servlet.
• Add any required classes or packages to the set of classes that are allowed to be
downloaded by the Classpath Servlet. To perform this step, define the following
system property when starting the server:
./startWebLogic.sh -Dweblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode="com/mycompany/mypackage1/;com/mycompany/mypackage2/myclass1/;myapp1@/"
• Change the default value of the ClasspathServletSecureModeEnabled
attribute to false. This setting will disable secure mode and revert to the prior
behavior. You can use WLST to change the default for each server as follows:
edit()
startEdit()
cd("Servers/myserver")
cmo.setClasspathServletSecureModeEnabled(false)
activate()
If running on WebLogic Server 12.1.3 or lower, then the
ClasspathServletSecureModeEnabled attribute does not exist. For all versions
of WLS, define the following system property when starting the server to disable the
secure mode:
./startWebLogic.sh -Dweblogic.servlet.ClasspathServlet.disableSecureMode=true
Note:
You should allow classes to be downloaded only if they do not contain sensitive
information. In addition, you should ensure that you have configured your firewall to
prevent access to the internal servlets (bea_wls_internal). See Configure Firewall to
Prevent Access to Internal Applications in Securing a Production Environment for
Oracle WebLogic Server.
Logging by the Classpath Servlet
If secure mode is enabled, the Classpath Servlet will log any classes that fail to be
downloaded. You can look in the server log for any log messages with id 101413. The error
message appears as follows:
The {0} file is a restricted file and can not be downloaded via the Classpath Servlet. Ensure this file is in the client classpath or if this file should be allowed to be downloaded, specify the package name or class name in the -Dweblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode system property when starting the WebLogic Server.
Use the {0} filename to determine which classes should be added to the RMI client classpath or which packages or class names should be added to the weblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode system property.
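As an added example that is not Oracle's code or output, the following Python script triages id 101413 messages from a server log: it collects the restricted {0} file names, groups the class files by package for the RMI client classpath review that Oracle recommends, lists non-class resources separately, and builds the allowedPackagesInSecureMode value in the ';'-separated form shown above for the packages an administrator decides to allow. The log lines are constructed; the <BEA-101413> token is the form in which WebLogic prints message ids in the server log, and the other log fields are abbreviated.

```python
import re
from collections import OrderedDict

# Message id 101413 from "Logging by the Classpath Servlet"; WebLogic writes it in the
# server log as <BEA-101413>. Only the id and the opening words quoted in this document
# are matched, so the remaining log fields may vary between servers and releases.
RESTRICTED_RE = re.compile(
    r"<BEA-101413>\s*<The (\S+) file is a restricted file and can not be downloaded"
)

ALLOWED_PACKAGES_PROPERTY = "weblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode"

# Constructed server log excerpt (not from a real domain); fields before the id are abbreviated.
SAMPLE_LOG = """\
####<Apr 20, 2021 10:15:22 AM UTC> <Warning> <HTTP> <host1> <myserver> <ExecuteThread: '3'> <<WLS Kernel>> <> <> <1618913722000> <BEA-101413> <The com/mycompany/mypackage1/Order.class file is a restricted file and can not be downloaded via the Classpath Servlet. Ensure this file is in the client classpath or if this file should be allowed to be downloaded, specify the package name or class name in the -Dweblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode system property when starting the WebLogic Server.>
####<Apr 20, 2021 10:15:23 AM UTC> <Warning> <HTTP> <host1> <myserver> <ExecuteThread: '3'> <<WLS Kernel>> <> <> <1618913723000> <BEA-101413> <The com/mycompany/mypackage1/OrderHome.class file is a restricted file and can not be downloaded via the Classpath Servlet.>
####<Apr 20, 2021 10:15:24 AM UTC> <Warning> <HTTP> <host1> <myserver> <ExecuteThread: '5'> <<WLS Kernel>> <> <> <1618913724000> <BEA-101413> <The com/mycompany/mypackage2/Invoice.class file is a restricted file and can not be downloaded via the Classpath Servlet.>
####<Apr 20, 2021 10:15:30 AM UTC> <Notice> <WebLogicServer> <host1> <myserver> <main> <<WLS Kernel>> <> <> <1618913730000> <BEA-000365> <Server state changed to RUNNING.>
####<Apr 20, 2021 10:16:01 AM UTC> <Warning> <HTTP> <host1> <myserver> <ExecuteThread: '2'> <<WLS Kernel>> <> <> <1618913761000> <BEA-101413> <The com/mycompany/mypackage1/Order.class file is a restricted file and can not be downloaded via the Classpath Servlet.>
####<Apr 20, 2021 10:16:05 AM UTC> <Warning> <HTTP> <host1> <myserver> <ExecuteThread: '2'> <<WLS Kernel>> <> <> <1618913765000> <BEA-101413> <The myapp/schema/orders.dtd file is a restricted file and can not be downloaded via the Classpath Servlet.>
"""


def restricted_files(server_log):
    """Count id 101413 messages per {0} file name, preserving first-seen order."""
    counts = OrderedDict()
    for line in server_log.splitlines():
        m = RESTRICTED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def package_prefix(path):
    """'com/mycompany/mypackage1/Order.class' -> 'com/mycompany/mypackage1/'.
    A file with no directory part has no package, so the file name itself is returned."""
    return path.rsplit("/", 1)[0] + "/" if "/" in path else path


def triage(server_log):
    """Split the logged files into class packages and non-class resources.

    Class files belong on the RMI client classpath (Oracle's recommended fix); other
    file types (.jar, .dtd, ...) are listed separately because allowing packages only
    helps for classes, and those files must reach the client another way.
    """
    files = restricted_files(server_log)
    packages = sorted({package_prefix(f) for f in files if f.endswith(".class")})
    resources = sorted(f for f in files if not f.endswith(".class"))
    return {"class_packages": packages, "resources": resources, "counts": dict(files)}


def allowed_packages_flag(packages):
    """Build the -D option for the packages an administrator has decided to allow,
    using the ';'-separated form shown in this document."""
    return '-D%s="%s"' % (ALLOWED_PACKAGES_PROPERTY, ";".join(sorted(set(packages))))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, count in result["counts"].items():
        print("%3d  %s" % (count, name))
    print("packages to review for the client classpath:", result["class_packages"])
    print("non-class resources:", result["resources"])
    print(allowed_packages_flag(result["class_packages"]))
```

Read the real file with `triage(open(path_to_server_log).read())`; per the note above, allow a package only after confirming its classes carry no sensitive information.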
Updating Blocklist Filters Dynamically
The April 2021 PSU adds support for dynamic blocklists. Dynamic blocklists provide the
ability to update blocklist filters by creating a configuration file that can be updated or
replaced while the server is running.
For more information, see Using a Dynamic Blocklist Configuration File in Administering
Security for Oracle WebLogic Server.
At the time of the April 2021 PSU delivery, there are no blocklist files that Oracle recommends
configuring on user systems, and no further action is required. However, Oracle may
recommend or encourage configuration of blocklist files on user systems in the future.
Disabling Anonymous RMI T3 and IIOP Requests
Oracle recommends completely restricting external access to WebLogic Server systems
using T3 or IIOP protocols, if possible. If external access by T3 or IIOP is required, Oracle
recommends restricting access to trusted client IP addresses and disabling anonymous T3
and IIOP requests.
For more information, see:
• Restricting T3 or IIOP protocols - Doc ID 2665794.1.
• Disable Remote Anonymous RMI T3 and IIOP Requests in Securing a Production
Environment for Oracle WebLogic Server.
UNC Paths Not Supported in WebLogic Server Administration Console
UNC paths are no longer supported in the WebLogic Server Administration Console.
Prohibiting the use of UNC paths prevents authenticated users' Windows credentials
from being compromised by remote attacks.
The following error is displayed when you specify a UNC path in any page of the
WebLogic Server Administration Console:
UNC path is not supported
Specify a different path to proceed.
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support
through My Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Post-Install_Actions_and_Considerations_for_Oracle_WebLogic_Server_Patch_Set_Updates.pdf

  • 1. Oracle® WebLogic Server Post-Install Actions and Considerations for Oracle WebLogic Server Patch Set Updates F41372-07 January 2022
  • 2. Oracle WebLogic Server Post-Install Actions and Considerations for Oracle WebLogic Server Patch Set Updates, F41372-07 Copyright © 2021, 2022, Oracle and/or its affiliates. Primary Author: Oracle Coporation This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. 
As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle, Java, and MySQL are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information about content, products, and services from third parties. 
Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.
  • 3. Contents 1 About this Document 2 Readme Post-Installation Instructions Instructions for Release 12.2.1.4 2-1 Instructions for Release 12.2.1.3 2-1 Instructions for Release 12.1.3.0 2-2 Instructions for Release 10.3.6 2-2 Java Upgrade Information 2-4 Minimum and Recommended JDK Update Levels for WebLogic Server PSUs 2-4 Requirements for New JDK Levels 2-4 3 Security Advice and Considerations WebLogic Server PSUs 3-1 PSU for January 2022 3-1 PSU for October 2021 3-1 WebLogic Server Console Provides Help for Specific Security Warnings 3-2 Enable Allowlist Using the WebLogic Server Administration Console 3-2 Requirement to Install the Coherence Patch 3-2 PSU for July 2021 3-2 Security Validation in the WebLogic Server Administration Console 3-3 Applying Patches with the Stack Patch Bundle (SPB) 3-3 Certificate Expiry Notifications 3-3 Allowlist for JEP 290 Filtering 3-4 Dynamic Blocklist Distribution 3-4 CVE-2018-3149 Java Naming and Directory Interface (JNDI) Injection 3-4 Additional Classpath Servlet Changes 3-4 Apache ANT Update for 12.1.3 3-5 PSU for April 2021 3-5 Upgrading the Apache Ant Update to 1.9.15 3-5 Classpath Servlet Changes 3-5 Updating Blocklist Filters Dynamically 3-7 iii
  • 4. Disabling Anonymous RMI T3 and IIOP Requests 3-7 UNC Paths Not Supported in WebLogic Server Administration Console 3-8 Documentation Accessibility 3-8 iv
  • 5. 1 About this Document You can use this document to learn about important information such as changed features, configurations required, or any other post-installation tasks that are relevant after you have applied the WebLogic Server Patch Set Update (PSU) for 14.1.1.0, 12.2.1.4, 12.2.1.3, 12.1.3, and 10.3.6. Each PSU is a single, cumulative, quarterly well-tested patch that includes Critical Patch Update (CPU) content and other patches that are considered critical for customers. Note: Support for Oracle WebLogic Server Release 10.3.6.0 has expired. See the Oracle Lifetime Support Policy document and the list of final CPUs scheduled for October 2021 in the Critical Patch Update (CPU) Program Oct 2021 Patch Availability Document (PAD). You can download this document from Doc 2764668.1. Until April 2021, the WebLogic Server PSU content has been limited to security fixes, and optionally, a restricted set of high-impact fixes, which have been proven in customer environments. For updates on 12.2.1.3, 12.2.1.4, and 14.1.1.0 WebLogic Server PSUs, see Overview of PSUs section in Patch Set Update (PSU) Administration Guide for Oracle WebLogic Server (WLS) (Doc ID 1306505.1). 1-1
  • 6. 2 Readme Post-Installation Instructions The readme post-installation instructions are cumulative and are included in this document starting from the April 2021 PSU. Going forward, information such as these will be consolidated into this document. This chapter consists of the following sections: • Instructions for Release 12.2.1.4 • Instructions for Release 12.2.1.3 • Instructions for Release 12.1.3.0 • Instructions for Release 10.3.6 • Java Upgrade Information Instructions for Release 12.2.1.4 There are no new post-installation instructions for the July 2021 through the January 2022 releases of the WebLogic Server PSUs. Instructions for April 2021 PSU You can restrict the privileges associated with the WebLogic Server database schemas created by using the Repository Creation Utility (RCU). See Doc ID 2434115.1. Instructions for Release 12.2.1.3 There are no new post-installation instructions for the July 2021 through the January 2022 releases of the WebLogic Server PSUs. Instructions for April 2021 PSU The fix for bug 26929163 updates the runtime components for the WebLogic Server plug-in for the Repository Creation Utility (RCU) and the Upgrade Assistant (UA) tools. The fix prevents any future configurations or upgrades from assigning the ANY privilege to the WebLogic Server schema owners. However, the patch does not affect the schemas that have already been installed or upgraded to the correct schema version. If you want to remove the 'ANY' privileges that have been assigned to the WebLogic Server schema owners for existing installations, run the script located at: $ORACLE_HOME/oracle_common/common/sql/wlsservices/sql/cleanup.sql 2-1
  • 7. You have to run cleanup.sql as the DBA user and provide the WLS schema owner names. For example, if the WLS schema owners are DEV1_WLS and DEV1_WLS_RUNTIME, run the script as follows: sqlplus <dba-connect-info> cleanup.sql DEV1_WLS DEV1_WLS_RUNTIME For instructions to remove 'ANY' privileges from the WebLogic Server 12c database schemas created using RCU, see Doc ID 2434115.1. Instructions for Release 12.1.3.0 There are no new post-installation instructions for the July 2021 through the January 2022 releases of the WebLogic Server PSUs. Instructions for April 2021 PSU To remove 'ANY' privileges from the WebLogic Server 12c database schemas created using RCU, see Doc ID 2434115.1. For instructions to upgrade the Oracle JDBC and UCP drivers bundled with WebLogic Server 10.3.6 and 12c releases, see Doc ID 1970437.1. Instructions for Release 10.3.6 There are no new post-installation instructions for the July 2021 through the January 2022 releases of the WebLogic Server PSUs. Instructions for April 2021 PSU The post-installation instructions for April 2021 PSU include the following: • Restart All WebLogic Servers The following command provides a simple method to verify the successful installation of a WebLogic Server PSU: $ . $WL_HOME/server/bin/setWLSEnv.sh $ java weblogic.version Example In the following output, 10.3.6.0.210420 is the installed WebLogic Server PSU. WebLogic Server 10.3.6.0.210420 PSU Patch for BUG32403651 • About Providing Explicit Permissions to ANT Files Post Installation After installing the WebLogic Server PSU for April 2021 or later on UNIX/Linux, the ANT executable permissions are no longer set on the ANT scripts. You cannot set the permissions through the PSU patching tool. The permissions should be set as Chapter 2 Instructions for Release 12.1.3.0 2-2
  • 8. a post-installation step. If you are using ANT directly, run the following commands to set the required executable permissions: cd $MW_HOME/modules/org.apache.ant_1.7.1/bin chmod 750 antRun ant ant.bat ant.cmd antenv.cmd antRun.bat antRun.pl No action is necessary if you are not using ANT. The permission does not cause any change in the functionality of WebLogic Server. For information about the Apache ANT update, see Upgrading the Apache Ant Update to 1.9.15. • About the weblogic.policy file * If you are using a Java security manager (for example, -Djava.security.manager to start WebLogic Server), ensure that the code base in your policy file points to the location where the patches are installed. The policy file is specified by - Djava.security.policy at server start up. By default, this is the weblogic.policy file and resides in WL_HOME/server/lib, where WL_HOME is the WebLogic Server installation directory. Example This is an example of what you should add to the weblogic.policy file for the installed patches: grant codeBase "file:<path-to-WLS-patch-jars>/patch_wls1036/patch_jars/-" { permission java.security.AllPermission; }; The default weblogic.policy file is a sample. If you decide to use this file, you must modify it. For more information, see Using Java EE Security to Protect WebLogic Resources. • About Fusion Middleware 11g installations Using PSUs You may see the following error after you start the Administration Server: Unable to Read Logging Configuration from File 'logging.xml' exception: oracle.core.ojdl.logging.LoggingConfigurationException: ODL-52050 Or <BEA-149231> <Unable to set the activation state to true for the application 'SHAREDSERVICES [Version=11.1.2.0]' For a resolution, see Doc ID 2604499.1. If your deployed application uses Java deserialization, you may need to customize the WebLogic JEP 290 default filter. See the Restrict incoming serialized Java objects row in the Securing Network Connections table. 
For instructions to upgrade the Oracle JDBC and UCP drivers bundled with WebLogic Server 10.3.6 and 12c releases, see Doc ID 1970437.1. Chapter 2 Instructions for Release 10.3.6 2-3
  • 9. Java Upgrade Information This section lists the recommendations that accompany the quaterly WebLogic Server PSUs. This section includes the following topics: • Minimum and Recommended JDK Update Levels for WebLogic Server PSUs • Requirements for New JDK Levels Minimum and Recommended JDK Update Levels for WebLogic Server PSUs The following table lists the release-wise, minimum and recommended JDK update levels for the WebLogic Server January 2022 PSU release: WebLogic Server Release Minimum JDK Update Level Recommended JDK Update Level 14.1.1.0 Java SE 8 update 251 and Java SE 11.0.6 See Doc ID 2421487.1 and Oracle WebLogic Server (14.1.1.0.0) Certification Matrix. Java SE 8 Update 321 or later for Linux, Windows, and Solaris (Patch 18143322). OR Java SE 11.0.14 or later for Linux, Windows, and Solaris (Patch 27838191). 12.2.1.4 Java SE 8 update 211 See Doc ID 2421487.1 and Oracle Fusion Middleware 12c (12.2.1.4.0) Certification Matrix. Java SE 8 Update 321 or later for Linux, Windows, and Solaris (Patch 18143322). 12.2.1.3 Java SE 8 update 191 See Doc ID 2421487.1 and Oracle Fusion Middleware 12c (12.2.1.3.0) Certification Matrix. Java SE 8 Update 321 or later for Linux, Windows, and Solaris (Patch 18143322). 12.1.3 Java SE 7 update 201 and Java SE 8 update 191 See Doc ID 2421487.1 and Oracle Fusion Middleware 12c (12.1.3.0.0) Certification Matrix. Java SE 8 Update 321 or later for Linux, Windows, and Solaris (Patch 18143322). 10.3.6 Java SE 7 update 201 See Doc ID 2421487.1 and Oracle Fusion Middleware 11g Release 1 (11.1.1.x) Certification Matrix. Java SE 7 Update 331 or later for Linux, Windows, and Solaris (Patch 13079846). Requirements for New JDK Levels TLS 1.0 and 1.1 cryptographic protocols have been disabled by default as of the JDK updates listed below: • JDK 7u301 Chapter 2 Java Upgrade Information 2-4
  • 10. • JDK 8u291 • JDK 11.0.11 If you are using the JSSE provider from these JDK versions in your WebLogic Server configuration, TLS 1.0 and 1.1 protocols will be disabled by default. As a result of this update, TLS or SSL (or both) interoperability issues are possible between updated WebLogic Server configurations with: • Older systems that do not support TLS 1.2 (only support up to TLS 1.1 or earlier). If you must enable interoperation over TLS with systems, you will need to re-enable the less secure TLSv1 or TLSv1.1 protocols. • WebLogic Server 10.3.6 installations using Certicom SSL – These systems should be reconfigured to use JSSE as provided in JDK 7 with the updated TLS protocol support. • WebLogic Server 10.3.6 installations on JDK 6u121 or prior versions – JDK 6 is EOL and WebLogic Server 10.3.6 is not supported on JDK 6 at this time. WebLogic Server 10.3.6 systems running on JDK 6 should be upgraded to use JSSE SSL with JDK 7. • Oracle supported Web Servers or plug-ins that do not support TLS 1.2 (only support up to TLS 1.1 or earlier). You should upgrade the plug-in or the Web Server or both to: – OHS 11.1.1.9 or later versions. – Apache 2.4 and WebLogic Server 12.2.1.4 plug-ins. – For IIS, see Doc ID 2101695.1. Verify that WebLogic Server and the upgraded Web Servers are certified in the appropriate certification matrices. See Oracle Fusion Middleware Supported System Configurations. You can re-enable TLS 1.0 and 1.1 protocols by removing TLSv1 or TLSv1.1 or both from the jdk.tls.disabledAlgorithms security property available in the java.security configuration file. Chapter 2 Java Upgrade Information 2-5
  • 11. 3 Security Advice and Considerations This document provides information about the required security advice and other considerations/recommendations for the Oracle WebLogic Server PSUs released every quarter, starting from the April 2021 PSU. This chapter includes the following section: WebLogic Server PSUs WebLogic Server PSUs WebLogic Server PSUs follow a quarterly schedule. Starting from April 2021, this document will be published along with the release of the WebLogic Server PSUs, specifically on the Tuesday closest to the 17th of January, April, July, and October. Note: Ensure that you follow the latest recommendations as documented in the Patch Availability Document (PAD) and apply all the patches that are applicable to the WebLogic Server installation. See the cumulative PAD by visiting the latest advisory at https://www.oracle.com/security-alerts/. This section includes the following topics: • PSU for January 2022 • PSU for October 2021 • PSU for July 2021 • PSU for April 2021 PSU for January 2022 There are no new security advisories or considerations for this release of the WebLogic Server PSU. PSU for October 2021 This section includes the following topics: • WebLogic Server Console Provides Help for Specific Security Warnings • Enable Allowlist Using the WebLogic Server Administration Console • Requirement to Install the Coherence Patch 3-1
  • 12. WebLogic Server Console Provides Help for Specific Security Warnings This feature applies to WebLogic Server releases 14.1.1.0, 12.2.1.4, and 12.2.1.3. With the October PSU, WebLogic Server Administration Console provides a Help button enabling users to access relevant content/information (depending on the version of WebLogic Server used) about disabling the following security attributes (if set to 'true'): • Remote anonymous RMI access via IIOP • Remote anonymous RMI access via T3 On the WebLogic Server Administration Console (in the Security>General tab), you are alerted if these attributes are set to true. With a click of the Help button, you gain access to instructions for clearing the check boxes and disabling these requests. The instructions are relevant to the version of WebLogic Server you are using. For example, if you are using WebLogic Server 14.1.1.0, Help will point to Disable Remote Anonymous RMI T3 and IIOP Requests in the Securing a Production Environment for Oracle WebLogic Server guide for 14.1.1.0. Enable Allowlist Using the WebLogic Server Administration Console This feature is available in WebLogic Server releases 12.2.1.4 and 14.1.1.0. With the October PSU, you can now configure an allowlist for a WebLogic Server domain using the WebLogic Server Administration Console. Allowlists are configuration files using which WebLogic Server and customers can define a list of the acceptable classes and packages that are allowed to be deserialized, while blocking all other classes. By using the Allowlist tab, you can now define the following attributes for the allowlist: • Violation action to configure whether WebLogic Server domain should use allowlists or blocklists. • Polling interval (in seconds) at which the directory containing the allowlist configuration file should be polled. • Whether or not recording should be enabled for the allowlist. 
For more information about using the Allowlist tab, see Using an Allowlist for JEP 290 Filtering in Administering Security for Oracle WebLogic Server. Requirement to Install the Coherence Patch A security vulnerability (CVE-2021-35617) is seen in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Coherence Container) in releases 14.1.1.0, 12.2.1.4, and 12.2.1.3. For a resolution of this CVE, you should install both the WebLogic Server PSU and the Coherence patch. See the quarterly Critical Patch Update Patch Availability Document for the list of patches. PSU for July 2021 This section includes the following topics: Chapter 3 WebLogic Server PSUs 3-2
  • 13. • Security Validation in the WebLogic Server Administration Console • Applying Patches with the Stack Patch Bundle (SPB) • Certificate Expiry Notifications • Allowlist for JEP 290 Filtering • Dynamic Blocklist Distribution • CVE-2018-3149 Java Naming and Directory Interface (JNDI) Injection • Additional Classpath Servlet Changes • Apache ANT Update for 12.1.3 Security Validation in the WebLogic Server Administration Console The July 2021 PSU provides a new feature that enables security validation in the WebLogic Server Administration Console. The console performs the role of a security checker by validating the security configuration settings of your domain against a set of security configuration guidelines recommended by Oracle. You can also configure the security configuration settings on the SecureMode MBean by using the WebLogic Scripting Tool (WLST). During the validation process, if the WebLogic Administration Console detects any configuration settings that do not conform to the recommended guidelines, it logs a warning message in the Security Warnings Report. This report is displayed in the console, at start up. The reported issues should then be addressed by the WebLogic administrators for the domain. This feature is available for WebLogic Server 14.1.1.0, 12.2.1.4, and 12.2.1.3 releases. For more information about the validation process and the security checks, see the following sections in the Securing a Production Environment for Oracle WebLogic Server guide for your release: • Review Potential Security Issues for 14.1.1.0 • Review Potential Security Issues for 12.2.1.4 • Review Potential Security Issues for 12.2.1.3 Applying Patches with the Stack Patch Bundle (SPB) The July PSU introduces a new Stack Patch Bundle Automation Tool (SPBAT) for Linux, Solaris and Windows users. The SPBAT tool helps perform the prerequisite checks before applying the patches. For more information, see Doc ID 2764636.1. 
This tool is available for releases 14.1.1.0, 12.2.1.4, and 12.2.1.3. Certificate Expiry Notifications The July 2021 PSU provides a feature that enables WebLogic Server to automatically detect SSL certificates that are about to expire. The system administrators are informed about the expiring certificates with the help of notifications in the Security Warnings Report displayed in the WebLogic Server Administration Console, or by an email. The notifications are sent based on a configurable time period. WebLogic Server checks these certificates once at start up, and then periodically at predefined intervals. Chapter 3 WebLogic Server PSUs 3-3
  • 14. This feature helps timely renewal of the expiring certificates and prevents production downtime at customer locations. This feature is available for WebLogic Server 14.1.1.0, 12.2.1.4, and 12.2.1.3 releases. For more information about setting reminders to notify customers, see the following sections in the Administering Security for Oracle WebLogic Server guide for your release: • Setting Certificate Expiry Notifications for 14.1.1.0 • Setting Certificate Expiry Notifications in 12.2.1.4 for 12.2.1.4 Allowlist for JEP 290 Filtering The July 2021 PSU adds support for allowlists in JEP 290 filtering. When using the allowlist model, WebLogic Server and the customer define a list of the acceptable classes and packages that are allowed to be deserialized, and blocks all other classes. With the blocklist model, WebLogic Server defines a set of well-known classes and packages that are vulnerable and blocks them from being deserialized, while all other classes are deserialized. The allowlist model is more secure because it only allows deserialization of classes that are required by WebLogic Server and customer applications. This feature is available for WebLogic Server release 14.1.1.0. For more information about JEP 290, see Using JEP 290 in Oracle WebLogic Server. Dynamic Blocklist Distribution With the April 2021 PSU, WebLogic Server detected, by default, blocklist files placed in the DOMAIN_HOME/config/security directory. With the July 2021 PSU, WebLogic Server will additionally detect, by default, blocklist files placed in the WebLogic Server Oracle Home in the oracle_common/common/jep290 directory. Users can continue to specify other directories where WebLogic Server may detect blocklist files. Blocklist files may be placed in these directories while WebLogic Server servers are running, and blocklist filters will be updated without requiring a server restart. 
CVE-2018-3149 Java Naming and Directory Interface (JNDI) Injection The CVE-2018-3149 JNDI Injection vulnerability enables unethical attackers to compromise Java SE and other products. This vulnerability exists in JDK version 7u201 or earlier and JDK version 8u191 or earlier. With the July 2021 PSU, WebLogic Server displays a warning in the WebLogic Server Administration Console and at start up if you run the server with a JDK version 8u181/7u191 or earlier. You must install JDK versions 7u201 or 8u191 (or later) to prevent the warning. Additional Classpath Servlet Changes The April 2021 PSU introduced changes to the classpath servlet to enable secure mode by default. In the July PSU, the classpath servlet has updated the list of classes allowed from well known packages required for JDBC and JMS functionality. If you encounter the Chapter 3 WebLogic Server PSUs 3-4
  • 15. ClassNotFoundException errors in the July PSU, follow the instructions provided in the April 2021 PSU topic to resolve issues in the RMI clients. See Classpath Servlet Changes. Apache ANT Update for 12.1.3 In the April 2021 PSU, the installation of the Apache ANT update 1.9.15 was available only for release 10.3.6. With the July 2021 PSU, this support extends to release 12.1.3. The 1.9.15 version of ANT will be installed in a new versioned directory: MW_HOME/modules/ org.apache.ant_1.9.15/. For the April PSU update, see Upgrading the Apache Ant Update to 1.9.15. PSU for April 2021 This section includes the following topics: • Upgrading the Apache Ant Update to 1.9.15 • Classpath Servlet Changes • Updating Blocklist Filters Dynamically • Disabling Anonymous RMI T3 and IIOP Requests • UNC Paths Not Supported in WebLogic Server Administration Console • #unique_39 Upgrading the Apache Ant Update to 1.9.15 Note: This upgrade applies to WebLogic Server 10.3.6 only. The April 2021 PSU packages the new Apache Ant version 1.9.15. The current version is 1.7.1. The version of Apache Ant installed under the existing ANT_HOME, MW_HOME/ modules/org.apache.ant_1.7.1 will be upgraded to 1.9.15. The 1.9.15 version of Ant will be installed under the existing ANT_HOME, MW_HOME/modules/ org.apache.ant_1.7.1. The same ANT_HOME home is used to ensure backward compatibility. For a comprehensive listing of the new features in Apache Ant version 1.9.15, see MW_HOME/modules/org.apache.ant_1.7.1/WHATSNEW. For instructions about setting permissions to the ANT files post Installation of the PSU, see About Providing Explicit Permissions to ANT Files Post Installation. Classpath Servlet Changes In the April 2021 PSU, the default setting of the WebLogic ClasspathServletSecureModeEnabled attribute in the ServerTemplateMBean has changed from false to true. 
Setting the ClasspathServletSecureModeEnabled attribute to true enables secure mode by default and restricts access to several file types when using the bea_wls_internal web application.
The bea_wls_internal web application that is deployed by default through WebLogic directly downloads file types such as .jar, .war, .class, .dtd, .ear, .rar and so on, into a subdirectory of the WebLogic domain. If secure mode is enabled, the Classpath Servlet serves only class files from well known packages required for JDBC and JMS functionality.

If your RMI clients encounter ClassNotFoundException issues after applying the April 2021 PSU, then your clients may not have the required classes present on the client classpath and may be inadvertently relying on the Classpath Servlet's remote class loading capability. To resolve any ClassNotFoundException issues in your RMI clients, perform one of the following steps:

• Ensure that the client classpath contains the classes required by the EJB and RMI objects that are used by the client. Oracle recommends this alternative for resolving any ClassNotFoundException errors. The Classpath Servlet will log any classes that are being downloaded from the server and you can ensure they are included in the RMI client classpath. For more information about the downloaded class information logged by the Classpath Servlet, see Logging by the Classpath Servlet.

• Add any required classes or packages to the set of classes that are allowed to be downloaded by the Classpath Servlet. To perform this step, define the following system property when starting the server:

    ./startWebLogic.sh -Dweblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode="com/mycompany/mypackage1/;com/mycompany/mypackage2/myclass1/;myapp1@/"

• Change the default value of the ClasspathServletSecureModeEnabled attribute to false. This setting will disable secure mode and revert to the prior behavior.
You can use WLST to change the default for each server as follows:

    edit()
    startEdit()
    cd("Servers/myserver")
    cmo.setClasspathServletSecureModeEnabled(false)
    activate()

If running on WebLogic Server 12.1.3 or lower, then the ClasspathServletSecureModeEnabled attribute does not exist. For all versions of WLS, define the following system property when starting the server to disable the secure mode:

    ./startWebLogic.sh -Dweblogic.servlet.ClasspathServlet.disableSecureMode=true
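As an added example (this is not Oracle's code and not part of this document), the following Python script shows how an administrator might triage the secure-mode denials that the Classpath Servlet logs under message id 101413 (see Logging by the Classpath Servlet) and turn them into either the class list an RMI client classpath must contain or the package entries for the allowedPackagesInSecureMode system property. It assumes the message appears in the server log with WebLogic's usual <BEA-101413> framing; the sample log lines and the "hold" prefix list (packages an operator has flagged as sensitive and does not want allowed) are constructed for the example.

```python
"""Triage Classpath Servlet secure-mode denials from a WebLogic server log.

Added example, not part of Oracle's documentation. The log framing
"<BEA-101413> <The X file is a restricted file ...>" is an assumption;
the sample log text below is constructed.
"""
import re

# Message id the document says the Classpath Servlet logs for denied downloads.
RESTRICTED_MSG_ID = "BEA-101413"

# Constructed sample: three denials and one unrelated line (trailing text abbreviated).
SAMPLE_LOG = """\
####<Apr 20, 2021 10:15:02 AM UTC> <Warning> <Servlet> <host1> <myserver> <BEA-101413> <The com/mycompany/mypackage1/Widget.class file is a restricted file and can not be downloaded via the Classpath Servlet. ...>
####<Apr 20, 2021 10:15:02 AM UTC> <Warning> <Servlet> <host1> <myserver> <BEA-101413> <The com/mycompany/mypackage1/WidgetHome.class file is a restricted file ...>
####<Apr 20, 2021 10:15:03 AM UTC> <Warning> <Servlet> <host1> <myserver> <BEA-101413> <The com/mycompany/secrets/Keys.class file is a restricted file ...>
####<Apr 20, 2021 10:15:04 AM UTC> <Info> <Servlet> <host1> <myserver> <BEA-000000> <unrelated message>
"""

# Assumed message framing: the denied file name is the token after "The".
_RESTRICTED_RE = re.compile(
    r"<" + RESTRICTED_MSG_ID + r"> <The (?P<file>\S+) file is a restricted file"
)


def restricted_files(log_text):
    """Return the denied file names in order of first appearance, without duplicates."""
    seen = []
    for m in _RESTRICTED_RE.finditer(log_text):
        name = m.group("file")
        if name not in seen:
            seen.append(name)
    return seen


def classpath_entries(files):
    """Option 1 (recommended by the doc): class names the RMI client classpath must contain."""
    return [f[:-len(".class")].replace("/", ".") for f in files if f.endswith(".class")]


def allowed_packages_value(files, granularity="package", hold=()):
    """Option 2: build the allowedPackagesInSecureMode property value.

    granularity="package" emits one entry per package directory
    (com/mycompany/mypackage1/); "class" emits one per class
    (com/mycompany/mypackage1/Widget/), both following the doc's examples.
    Packages whose path starts with a prefix in `hold` are returned in a
    separate list for review instead of being allowed, so that classes an
    operator considers sensitive never end up in the property by accident.
    """
    allowed, held = [], []
    for f in files:
        if not f.endswith(".class"):
            continue  # only .class files are served under secure mode
        pkg_dir, _, cls = f[:-len(".class")].rpartition("/")
        if not pkg_dir:
            entry = cls + "/"  # default package: allow the single class only
        elif granularity == "package":
            entry = pkg_dir + "/"
        else:
            entry = pkg_dir + "/" + cls + "/"
        is_held = any((pkg_dir + "/").startswith(h.rstrip("/") + "/") for h in hold)
        target = held if is_held else allowed
        if entry not in target:
            target.append(entry)
    return ";".join(allowed), held


def startup_flag(value):
    """Render the value as the -D option passed to startWebLogic.sh."""
    return '-Dweblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode="%s"' % value


if __name__ == "__main__":
    files = restricted_files(SAMPLE_LOG)
    print("Classes to add to the RMI client classpath:")
    for c in classpath_entries(files):
        print("  " + c)
    value, held = allowed_packages_value(files, hold=("com/mycompany/secrets/",))
    print("Or start the server with: " + startup_flag(value))
    print("Held for review (not allowed): " + ", ".join(held))
```

Run it against a real server log by replacing SAMPLE_LOG with the file contents; the class list supports the first option in the text (fixing the client classpath), while the property value supports the second, with the hold list giving you a place to keep packages you have decided must not be downloadable.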
Note: You should allow classes to be downloaded only if they do not contain sensitive information. In addition, you should ensure that you have configured your firewall to prevent access to the internal servlets (bea_wls_internal). See Configure Firewall to Prevent Access to Internal Applications in Securing a Production Environment for Oracle WebLogic Server.

Logging by the Classpath Servlet

If secure mode is enabled, the Classpath Servlet will log any classes that fail to be downloaded. You can look in the server log for any log messages with id 101413. The error message appears as follows:

    The {0} file is a restricted file and can not be downloaded via the Classpath Servlet. Ensure this file is in the client classpath or if this file should be allowed to be downloaded, specify the package name or class name in the -Dweblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode system property when starting the WebLogic Server.

Use the {0} filename to determine which classes should be added to the RMI client classpath or which packages or class names should be added to the weblogic.servlet.ClasspathServlet.allowedPackagesInSecureMode system property.

Updating Blocklist Filters Dynamically

The April 2021 PSU adds support for dynamic blocklists. Dynamic blocklists provide the ability to update blocklist filters by creating a configuration file that can be updated or replaced while the server is running. For more information, see Using a Dynamic Blocklist Configuration File in Administering Security for Oracle WebLogic Server.

At the time of the April 2021 PSU delivery, there are no blocklist files that Oracle recommends configuring on user systems, and no further action is required. However, Oracle may recommend or encourage configuration of blocklist files on user systems in the future.

Disabling Anonymous RMI T3 and IIOP Requests

Oracle recommends completely restricting external access to WebLogic Server systems using T3 or IIOP protocols, if possible. If external access by T3 or IIOP is required, Oracle recommends restricting access to trusted client IP addresses and disabling anonymous T3 and IIOP requests. For more information, see:
• Restricting T3 or IIOP protocols - Doc ID 2665794.1.
• Disable Remote Anonymous RMI T3 and IIOP Requests in Securing a Production Environment for Oracle WebLogic Server.
UNC Paths Not Supported in WebLogic Server Administration Console

UNC paths are no longer supported in the WebLogic Server Administration Console. Prohibiting the use of UNC paths prevents authenticated users' Windows credentials from being compromised by remote attacks. The following error is displayed when you specify a UNC path in any page of the WebLogic Server Administration Console:

    UNC path is not supported
    Specify a different path to proceed.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.