
April 17, 2019: Oracle WebLogic Server high-risk security vulnerability alert

April 17, 2019, 12:02, by 汪洋大海

[Vulnerability Alert] Oracle WebLogic Server high-risk security vulnerability alert

On April 17, 2019, the Alibaba Cloud Security Emergency Response Center observed that Oracle had published a security advisory disclosing multiple high-risk vulnerabilities in WebLogic Server, including remote code execution, arbitrary file upload and deserialization. An attacker who exploits these vulnerabilities may be able to take control of the WebLogic server remotely, so the risk is significant.

Vulnerability ratings

CVE-2019-2658: Critical

CVE-2019-2646: Critical

CVE-2019-2645: Critical

CVE-2019-1258: High

CVE-2019-2647: High

CVE-2019-2648: High

CVE-2019-2649: High

CVE-2019-2650: High

CVE-2019-2618: Medium

CVE-2019-2568: Medium

CVE-2019-2615: Medium

Affected components

WLS Core Components

WLS Core Components (Spring Framework)

WLS - Web Services

EJB Container

Affected versions

WebLogic 10.3.6.0.0

WebLogic 12.1.3.0.0

WebLogic 12.2.1.3.0

Security recommendations

(1) Disable the T3 protocol

If you do not depend on the T3 protocol for JVM communication, you can temporarily mitigate the impact of these vulnerabilities by blocking T3.

1. Open the WebLogic console, go to the base_domain configuration page, open the "Security" tab, click "Filter" and configure the connection filter.

2. In the Connection Filter field enter: weblogic.security.net.ConnectionFilterImpl; in the Connection Filter Rules box enter: * * 7001 deny t3 t3s.

3. Save the change; it takes effect without a restart.
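As an added example (not part of the Aliyun notice or Oracle's advisory), the following Python model shows how a WebLogic ConnectionFilterImpl rule such as `* * 7001 deny t3 t3s` is evaluated: each rule is `target localAddress localPort action [protocols...]`, rules are checked in order, the first match decides, and a connection matching no rule is allowed. The model simplifies target matching to an exact IP or `*` (the real filter also accepts netmasks and host names); the admin-host allow rule and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Protocol names accepted in the WebLogic connection filter rule syntax.
KNOWN_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp", "ldap", "ldaps"}


@dataclass
class Rule:
    target: str            # remote host/IP, or "*" for any
    local_addr: str        # local listen address, or "*" for any
    local_port: str        # local listen port, or "*" for any
    action: str            # "allow" or "deny"
    protocols: frozenset   # empty set means the rule applies to every protocol


def parse_rule(line: str) -> Rule:
    """Parse one rule of the form 'target localAddress localPort action [protocols...]'."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"rule needs at least 4 fields: {line!r}")
    target, local_addr, local_port, action = parts[:4]
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    protos = frozenset(p.lower() for p in parts[4:])
    unknown = protos - KNOWN_PROTOCOLS
    if unknown:
        raise ValueError(f"unknown protocol(s) {sorted(unknown)} in {line!r}")
    return Rule(target, local_addr, local_port, action, protos)


def _field_matches(pattern: str, value: str) -> bool:
    # Simplified matching: wildcard or exact value (no netmask / domain support here).
    return pattern == "*" or pattern == value


def is_allowed(rules: List[Rule], remote_ip: str, local_addr: str, local_port: int, protocol: str) -> bool:
    """First matching rule wins; a connection that matches no rule is allowed."""
    for r in rules:
        if (_field_matches(r.target, remote_ip)
                and _field_matches(r.local_addr, local_addr)
                and _field_matches(r.local_port, str(local_port))
                and (not r.protocols or protocol.lower() in r.protocols)):
            return r.action == "allow"
    return True


# Constructed rule set: one admin host keeps T3 (example only), then the advisory's deny rule.
RULES = [parse_rule(line) for line in [
    "192.0.2.10 * 7001 allow t3 t3s",   # constructed allow rule for a single admin host
    "* * 7001 deny t3 t3s",             # the mitigation rule from the advisory
]]
```

Because the advisory's rule names port 7001 only, a domain whose servers listen on other ports needs one deny rule per listen port.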

(2) Check for weak passwords

Check whether the WebLogic administration console has any weak passwords and strengthen password requirements.

Official advisory

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

The following is a translation of the official advisory linked above:
Oracle Critical Patch Update Advisory - April 2019
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 297 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2019 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.


Affected Products and Versions Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4 Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0 Enterprise Manager
Enterprise Manager Ops Center, version 12.3.3 Enterprise Manager
FMW Platform, version 12.2.1.3.0 Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 9.2 JD Edwards
JD Edwards World Technical Foundation, versions A9.2, A9.3.1, A9.4 JD Edwards
MICROS Lucas, versions 2.9.5.6, 2.9.5.7 Retail Applications
MICROS Relate CRM Software, version 11.4 Retail Applications
MICROS Retail-J, version 12.1.2 Retail Applications
MySQL Connectors, versions 5.3.12 and prior, 8.0.15 and prior MySQL
MySQL Enterprise Backup, versions 3.12.3 and prior, 4.1.2 and prior MySQL
MySQL Enterprise Monitor, versions 4.0.8 and prior, 8.0.14 and prior MySQL
MySQL Server, versions 5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior MySQL
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5 Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 Fusion Middleware
Oracle Application Testing Suite, version 13.3.0.1 Enterprise Manager
Oracle AutoVue 3D Professional Advanced, versions 21.0.0, 21.0.1 Oracle Supply Chain Products
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0 Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.138, prior to 18.1.32 Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
Oracle Business Transaction Management, version 12.1.0 Enterprise Manager
Oracle Commerce Merchandising, version 11.2.0.3 Oracle Commerce
Oracle Commerce Platform, versions 11.2.0.3, 11.3.1 Oracle Commerce
Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0 Oracle Communications Application Session Controller
Oracle Communications EAGLE Application Processor, versions 16.1.0, 16.2.0 Oracle Communications EAGLE Application Processor
Oracle Communications EAGLE LNP Application Processor, versions 10.0, 10.1, 10.2 Oracle Communications EAGLE LNP Application Processor
Oracle Communications Instant Messaging Server, version 10.0.1 Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2 Oracle Communications Interactive Session Recorder
Oracle Communications LSMS, versions 13.1, 13.2, 13.3 Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0, 8.1 Oracle Communications Messaging Server
Oracle Communications Operations Monitor, versions 3.4, 4.0 Oracle Communications Operations Monitor
Oracle Communications Policy Management, versions 12.1, 12.2, 12.3, 12.4 Oracle Communications Policy Management
Oracle Communications Pricing Design Center, versions 11.1, 12.0 Oracle Communications Pricing Design Center
Oracle Communications Service Broker, version 6.0 Oracle Communications Service Broker
Oracle Communications Service Broker Engineered System Edition, version 6.0 Oracle Communications Service Broker Engineered System Edition
Oracle Communications Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0 Oracle Communications Session Border Controller
Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0 Oracle Communications Unified Inventory Management
Oracle Configuration Manager, version 12.1.0 Enterprise Manager
Oracle Configurator, versions 12.1, 12.2 Oracle Supply Chain Products
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0 Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c Database
Oracle E-Business Suite, versions 0.9.8, 1.0.0, 1.0.1, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8 E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0 Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0, 3.1.0 Oracle Enterprise Communications Broker
Oracle Enterprise Operations Monitor, versions 3.4, 4.0 Oracle Enterprise Operations Monitor
Oracle Enterprise Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0 Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 - 7.3.5, 8.0.0 - 8.0.7 Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Asset Liability Management, versions 8.0.4 - 8.0.7 Oracle Financial Services Asset Liability Management
Oracle Financial Services Data Integration Hub, versions 8.0.5 - 8.0.7 Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 - 8.0.7 Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 - 8.0.7 Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, versions 8.0.2 - 8.0.6 Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 - 8.0.7 Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6 Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Profitability Management, versions 8.0.4 - 8.0.6 Oracle Financial Services Profitability Management
Oracle Financial Services Reconciliation Framework, versions 8.0.5, 8.0.6 Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle FLEXCUBE Private Banking, versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0 Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0 Fusion Middleware
Oracle Health Sciences Data Management Workbench, version 2.4.8 Health Sciences
Oracle Healthcare Master Person Index, versions 3.0, 4.0 Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80 Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0.11 Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0 Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 12.2.1.3.0 Fusion Middleware
Oracle Identity Analytics, version 11.1.1.5.8 Fusion Middleware
Oracle Java SE, versions 7u211, 8u202, 11.0.2, 12 Java SE
Oracle Java SE Embedded, version 8u201 Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
Oracle Knowledge, versions 8.5.1.0 - 8.5.1.7, 8.6.0, 8.6.1 Oracle Knowledge
Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
Oracle Outside In Technology, versions 8.5.3, 8.5.4 Fusion Middleware
Oracle Real-Time Scheduler, version 2.3.0 Oracle Utilities Applications
Oracle Retail Allocation, version 15.0.2 Retail Applications
Oracle Retail Convenience Store Back Office, version 3.6 Retail Applications
Oracle Retail Customer Engagement, versions 16.0, 17.0 Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0 Retail Applications
Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0 Retail Applications
Oracle Retail Merchandising System, versions 15.0, 16.0 Retail Applications
Oracle Retail Order Broker, versions 5.1, 5.2, 15.0, 16.0 Retail Applications
Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1 Retail Applications
Oracle Retail Workforce Management Software, version 1.60.9.0.0 Retail Applications
Oracle Retail Xstore Point of Service, versions 7.0, 7.1 Retail Applications
Oracle Secure Global Desktop, version 5.4 Virtualization
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
Oracle SOA Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
Oracle Solaris, versions 10, 11 Systems
Oracle Traffic Director, version 11.1.1.9.0 Fusion Middleware
Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3 Oracle Supply Chain Products
Oracle Tuxedo, version 12.1.1.0.0 Fusion Middleware
Oracle Utilities Framework, versions 2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0 Oracle Utilities Applications
Oracle Utilities Mobile Workforce Management, version 2.3.0 Oracle Utilities Applications
Oracle Utilities Network Management System, version 1.12.0.3 Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.28, prior to 6.0.6 Virtualization
Oracle WebCenter Portal, version 12.2.1.3.0 Fusion Middleware
Oracle WebCenter Sites, version 12.2.1.3.0 Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
OSS Support Tools, version 19.1 Support Tools
PeopleSoft Enterprise ELM, version 9.2 PeopleSoft
PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2 PeopleSoft
PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2 PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57 PeopleSoft
PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57 PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7 - 17.12, 18.8 Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7 - 17.12, 18.8 Oracle Construction and Engineering Suite
Siebel Applications, version 19.3 Siebel

 

Note:

  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to the Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1, for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA, so Oracle customers should refer to the Oracle and Sun Systems Products Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1, for information on the minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party Bulletins.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE#, which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that the vulnerability affects a different product, but also has an impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting risk matrix and associated documentation provide information on the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle Vulnerability Disclosure Policies.

A protocol listed in a risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected; for example, HTTPS is typically listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Until the Critical Patch Update fixes are applied, it may be possible to reduce the risk of a successful attack by blocking the network protocols required by the attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need them may help reduce the risk of a successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution, as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. Customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this Critical Patch Update should review previous Critical Patch Update advisories to determine the appropriate actions.

Supported Products and Versions for Critical Patch Updates

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the vulnerabilities addressed by this Critical Patch Update. However, earlier versions of affected releases may also be affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidance regarding support policies and phases of support.

 

Part of this content is reproduced from Alibaba Cloud: https://help.aliyun.com/noticelist/articleid/1000130731.html

Part of the translation was produced with Google Translate from the Oracle advisory: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
