
Proactive insights, news and tips from Oracle WebLogic Server Support. Learn Oracle from Oracle.

July 20, 2021

Update on the WebLogic Server July 2021 Patch Set Update (PSU)

Will Lyons
Senior Director, Product Management
Today Oracle delivered its quarterly Critical Patch Advisory for July 2021. Included in this overall Oracle release is the WebLogic Server July 2021 Patch Set Update (PSU), which includes fixes for functional issues as well as fixes for security vulnerabilities. For more information on the fixes included, see the Oracle Fusion Middleware Risk Matrix and the Critical Patch Update July 2021 Patch Availability Document (PAD) for Oracle Products, My Oracle Support Note 2773670.1.
 
The purpose of this blog is to highlight some of the new capabilities included with the PSU that make it easier for you to properly secure WebLogic systems. Securing a Production Environment for Oracle WebLogic Server documents our best practices in this area, and we continually update the information provided there. However, we can also help customers achieve better security levels by introducing enhancements for securing systems. In the April 2021 PSU, we delivered two such enhancements – WebLogic Server Stack Patch Bundles (SPBs), available for WebLogic Server 12.2.1.3, 12.2.1.4, and 14.1.1, and WebLogic Server Dynamic Blocklists.
 
Today, we’re delivering additional enhancements in the WebLogic Server July 2021 PSU for securing WebLogic Server systems. See the information below, including links to documentation and our upcoming Support Advisor Webcasts on these PSU enhancements.
 
Stack Patch Bundles and SPBAT
 
The first step is applying the July 2021 PSU. The PAD referenced above in My Oracle Support Note 2773670.1 describes the PSU deliverables and how to apply the recommended WebLogic Server patches. We strongly recommend you consider using the July 2021 SPBs referenced above to patch your systems. SPBs include all the patches required for your WebLogic Server installation in a single zip file download, and can be applied using a single “opatch napply” command, enabling you to more easily maintain your installations. In the July 2021 PSU, we have included an additional enhancement to the WebLogic Server 12.2.1.3, 12.2.1.4, and 14.1.1 SPBs – the Stack Patch Bundle Application Tool (SPBAT). SPBAT is a command-line tool, a new option you can use to simplify verification and patch application procedures, such as checking your OPatch version, Java SE version, or file permissions, updating your OPatch version, and applying the SPB patches, in as simple a manner as possible. We’d like to increase the reliability of patching procedures so you can patch and secure your systems as rapidly as possible. For more information see MOS Doc ID 2764636.1 and register for the Support Advisor Webcast on this topic on August 4.
 
Security Validation in the WebLogic Server Console
 

After patching and starting your systems, you may notice changes in the WebLogic Server Console. In the July 2021 PSU we have added MBean infrastructure and new console screens that are intended to help you validate that your system configurations implement key security recommendations. We recognize that some users have not reviewed all of our security documentation and may have inadvertently omitted some security configuration steps. With the July 2021 PSU applied, WebLogic Server will automatically check that some of our key security recommendations have been followed, and if not, will issue warnings in the WebLogic Server Console. We provide a Security Warnings Report screen that details the warnings and the recommended remedies. Users have the choice of implementing the remedies we generally recommend, or, based on user-specific security or business requirements, disabling the validation checks or ignoring the warnings entirely. We think customers will appreciate being warned that, for example, unauthenticated T3 access is being allowed, that file permissions may not be set properly, or that certificates will expire soon. For more details on the security validation features, see the product documentation and MOS Doc ID 2788605.1. We are also offering a Support Advisor Webcast on August 11 on this topic. You can register today.
 
Allowlist Support in WebLogic Server 14.1.1
 
One source of potential security vulnerabilities in WebLogic Server is the use of Java RMI-based deserialization. Exploits use specific Java packages and classes that have been identified as vulnerable when they are deserialized as part of RMI processing. We’ve provided advice on protecting against such vulnerabilities, including blocking T3/IIOP access to WebLogic Server systems through firewalls and blocking unauthenticated T3/IIOP access to systems. We also provide WebLogic Server PSUs that implement “blocklists” to prevent deserialization of packages and classes known to be vulnerable. The drawback of a blocklist approach is that it is inherently reactive. As new exploits for different classes and packages are identified, an administrator must take action to modify the system, typically by applying a patch, to block the new vulnerability. An allowlist approach, by contrast, permits users to “allow” deserialization of only the specific packages and classes required by their WebLogic Server application. Deserialization of other packages and classes is automatically blocked. This approach is less vulnerable to exploits, because a package or class newly identified as vulnerable is unlikely to be allowed by an existing allowlist, and generally an administrative response will not be required. In the WebLogic Server 14.1.1 July 2021 PSU we have added features that help users create allowlist files by “recording” deserialization operations on running systems, generate an allowlist file from the recording, and configure WebLogic Server 14.1.1 to use the allowlist file. For more information on this new feature, see our updated WebLogic Server 14.1.1 documentation. We expect to make this feature available in other WebLogic Server versions in future PSUs.
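The record-then-enforce idea described above, as an added illustration that is not WebLogic's own implementation, allowlist file format, or configuration: it uses only the standard java.io.ObjectInputFilter API (JEP 290, JDK 9 and later), a constructed sample payload standing in for legitimate application traffic, and class and method names that are the example's own. It shows why an allowlist needs no administrative response to a newly identified class: anything not recorded is rejected by default.

```java
import java.io.*;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;
import java.util.*;
public class AllowlistDemo {
    // Arrays are reduced to their element type so the record and enforce phases agree.
    static String baseName(Class<?> c) { while (c.isArray()) c = c.getComponentType(); return c.getName(); }
    // Phase 1: "recording" filter. Blocks nothing; collects every class the application actually needs.
    static final class RecordingFilter implements ObjectInputFilter {
        final Set<String> seen = new TreeSet<>();
        @Override public Status checkInput(FilterInfo info) {
            if (info.serialClass() != null) seen.add(baseName(info.serialClass()));
            return Status.UNDECIDED;   // serialClass() is null for depth/reference/stream-size checks
        }
    }
    // Phase 2: enforcing filter built from the recording; any class not recorded is rejected by default.
    static ObjectInputFilter allowlist(Set<String> allowed) {
        return info -> info.serialClass() == null ? Status.UNDECIDED
                : allowed.contains(baseName(info.serialClass())) ? Status.ALLOWED : Status.REJECTED;
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] data, ObjectInputFilter f) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(f);   // filter is consulted for every class, array and depth step
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        List<Object> order = new ArrayList<>();   // constructed stand-in for the app's legitimate traffic
        order.add("order-42"); order.add(7);
        byte[] legit = serialize(order);
        RecordingFilter rec = new RecordingFilter();
        deserialize(legit, rec);                   // record what legitimate traffic needs
        System.out.println("recorded allowlist: " + rec.seen);
        ObjectInputFilter enforce = allowlist(rec.seen);
        deserialize(legit, enforce);               // recorded classes still deserialize
        try {
            deserialize(serialize(new HashMap<String, String>()), enforce);   // HashMap was never recorded
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());   // "filter status: REJECTED"
        }
    }
}
```

In practice the recorded set would be written to a file and loaded at startup; the recording run must cover every code path the application legitimately exercises, or legitimate traffic will be rejected alongside hostile payloads.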
 
Dynamic blocklist changes
 
Finally, we have made a minor change to our dynamic blocklist implementation that enables WebLogic Server to “detect” the presence of a dynamic blocklist file in Oracle Home. The primary implication of this change is that it gives us the ability to distribute “blocklist” files as fixes for potential deserialization vulnerabilities as OPatch patches that can be applied immediately to running systems without requiring a server restart. This gives us a new option for delivery of security fixes that we may take advantage of in the future. If you have the July PSU applied, you will be ready for this.
 
Our goal is to make it easier for you to properly secure your WebLogic systems. There will be more coming!
