Support #1034
MPI-VA Scan Report
| Status: | Work Completed-End life cycle | Start date: | July 16, 2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | July 22, 2011 |
| Assignee: | Abu Bakar Mohamed Sahabanali | % Done: | 60% |
| Category: | - | Spent time: | 2.00 hours |
| Target version: | - | | |
Description
Dennis (MPI) reported the following issues for WebLogic Server:
1) CGI Generic HTML Injections (quick test)
2) Oracle WebLogic Server Servlet Container Session Fixation
3) SSL Version 2 (v2) Protocol Detection
History
#1 Updated by Ahmad Hazri about 13 years ago
CGI Injection issue
The scan result shows that the affected service was on port 6789. Port 6789 is known for Sun Java Web Console for Solaris Management Console. MBB has to contact the Solaris hardware vendor. Ref: http://download.oracle.com/docs/cd/E19082-01/819-2379/swc123/index.html
#2 Updated by Ahmad Hazri about 13 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
- % Done changed from 0 to 10
#3 Updated by Ahmad Hazri about 13 years ago
SSL Version 2 (v2) Protocol Detection
Solution:
1) Set parameter "-Dweblogic.security.SSL.protocolVersion=SSL3" in the startWebLogic.sh script
2) Restart WebLogic.
3) Test with the openssl command
cmd: openssl s_client -connect 172.31.52.46:7002 -ssl2
expected output: SSL2_WRITE:ssl handshake failure:s2_pkt.c
Still troubleshooting
#4 Updated by Ahmad Hazri about 13 years ago
Oracle WebLogic Server Servlet Container Session Fixation
Need to apply patches.
#5 Updated by Abu Bakar Mohamed Sahabanali about 13 years ago
- % Done changed from 10 to 60
Patches successfully applied on development and production server.
1. create a folder in /opt/wlsun --> eg:- patch_VJPE_20110715
2. copy the .zip file into the newly created folder --> choose bin option using Winscp
3. unzip the .zip file
4. chmod all unzipped files --> chmod a+x
5. copy patch-catalog_15563.xml from /opt/wlsun/patch_VJPE_20110715/ and paste into /opt/wlsun/utils/bsu/cache_dir/
6. cd /opt/wlsun/utils/bsu
7. run ./bsu.sh -prod_dir=/opt/wlsun/wlserver_10.3/ -patch_download_dir=/opt/wlsun/patch_VJPE_20110715/ -patchlist=VJPE -verbose -install -log=/opt/wlsun/utils/bsu/VJPE_logs/20110715V1.log
8. run ./bsu.sh -prod_dir=/opt/wlsun/wlserver_10.3/ -patch_download_dir=/opt/wlsun/patch_ 8IWX 20110715/ -patchlist=VJPE -verbose -install -log=/opt/wlsun/utils/bsu/VJPE_logs/20110715V1 8IWX.log
cache_dir list:
bash-3.00$ pwd
/opt/wlsun/oracle/middleware/utils/bsu/cache_dir
bash-3.00$ ls -l
total 38695
-rw-r--r-- 1 beampi beauser 12765748 May 13 12:14 patch-catalog.xml
-rw-r--r-- 1 beampi beauser 6585309 Jul 19 15:09 patch-catalog_15563.xml
-rw-r--r-- 1 beampi beauser 147387 May 13 12:14 prod-info.xml
bash-3.00$
Patch list after unzip
bash-3.00$ pwd
/opt/wlsun/patch
bash-3.00$ ls -l
total 39579
-rwxr-xr-x 1 beampi beauser 20189 Jun 10 18:32 8IWX.jar
-rwxr-xr-x 1 beampi beauser 415 Jun 10 18:32 README.txt
-rwxr-xr-x 1 beampi beauser 36697 Jun 10 18:32 VJPE.jar
-rwxr-xr-x 1 beampi beauser 934368 Jul 14 19:54 p10625613_10320_Generic.zip
-rw-r--r-- 1 beampi beauser 12405661 Jul 20 09:49 patch-catalog.xml
-rwxr-xr-x 1 beampi beauser 6585309 Jun 10 18:32 patch-catalog_15563.xml
bash-3.00$
The result for no. 7 and 8 should be like below, at the last line in the terminal:
bash-3.00$ ./bsu.sh -prod_dir=/opt/wlsun/oracle/middleware/wlserver_10.3/ -patch_download_dir=/opt/wlsun/patch/ -patchlist=VJPE -verbose -install -log=/opt/wlsun/oracle/middleware/utils/bsu/logs/VJPE_20110720.log
Checking for conflicts...
No conflict(s) detected
Starting installation of Patch ID: VJPE
Installing /opt/wlsun/patch/VJPE.jar
Extracting /opt/wlsun/oracle/middleware/patch_wls1032/patch_jars/BUG10076424_1032.jar
Updating /opt/wlsun/oracle/middleware/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar
Old manifest value: Class-Path=
New manifest value: Class-Path=../../../patch_jars/BUG10076424_1032.jar
Result: Success
bash-3.00$ ./bsu.sh -prod_dir=/opt/wlsun/oracle/middleware/wlserver_10.3/ -patch_download_dir=/opt/wlsun/patch/ -patchlist=8IWX -verbose -install -log=/opt/wlsun/oracle/middleware/utils/bsu/logs/8IWX_20110720.log
Checking for conflicts...
No conflict(s) detected
Starting installation of Patch ID: 8IWX
Installing /opt/wlsun/patch/8IWX.jar
Extracting /opt/wlsun/oracle/middleware/patch_wls1032/patch_jars/BUG10276172_1032.jar
Updating /opt/wlsun/oracle/middleware/patch_wls1032/profiles/default/sys_manifest_classpath/weblogic_patch.jar
Old manifest value: Class-Path=../../../patch_jars/BUG10076424_1032.jar
New manifest value: Class-Path=../../../patch_jars/BUG10276172_1032.jar ../../../patch_jars/BUG10076424_1032.jar
Result: Success
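Added example, not part of the ticket and not Oracle tooling: a shell check that reads a saved copy of the verbose install output shown in update #5 and confirms, per patch ID, both the "Result: Success" line and that the extracted jar appears on the new weblogic_patch.jar Class-Path. The function names bsu_summary and bsu_verify are hypothetical, and the script assumes the terminal output was saved to a file in the same line format as the transcript above.

```shell
#!/bin/sh
# Added example: confirm patch installs from captured bsu.sh -verbose output.
# Assumes the capture uses the same line format as the transcript in update #5.

# bsu_summary FILE -> one line per patch: "<patch-id> <extracted-jar> OK|FAILED"
bsu_summary() {
    awk '
        /^Starting installation of Patch ID:/ { id = $NF; jar = ""; cp = "" }
        /^Extracting /                        { n = split($2, p, "/"); jar = p[n] }
        /^New manifest value: Class-Path=/    { cp = substr($0, index($0, "=") + 1) }
        /^Result:/ {
            # OK only if bsu reported Success AND the extracted jar is listed
            # on the updated manifest Class-Path of weblogic_patch.jar.
            ok = ($2 == "Success" && jar != "" && index(cp, "/" jar) > 0)
            print id, jar, (ok ? "OK" : "FAILED")
        }
    ' "$1"
}

# bsu_verify FILE PATCH_ID... -> returns 0 only if every listed patch is OK
bsu_verify() {
    file=$1; shift
    summary=$(bsu_summary "$file")
    for want in "$@"; do
        printf '%s\n' "$summary" | grep -q "^$want .* OK\$" || {
            echo "patch $want not confirmed in $file" >&2
            return 1
        }
    done
}

# Sample input: the two install transcripts from update #5, abridged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Starting installation of Patch ID: VJPE
Extracting /opt/wlsun/oracle/middleware/patch_wls1032/patch_jars/BUG10076424_1032.jar
Old manifest value: Class-Path=
New manifest value: Class-Path=../../../patch_jars/BUG10076424_1032.jar
Result: Success
Starting installation of Patch ID: 8IWX
Extracting /opt/wlsun/oracle/middleware/patch_wls1032/patch_jars/BUG10276172_1032.jar
Old manifest value: Class-Path=../../../patch_jars/BUG10076424_1032.jar
New manifest value: Class-Path=../../../patch_jars/BUG10276172_1032.jar ../../../patch_jars/BUG10076424_1032.jar
Result: Success
EOF

bsu_summary "$sample"
bsu_verify "$sample" VJPE 8IWX && echo "all requested patches confirmed"
```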
#6 Updated by Tan Lee Yong over 12 years ago
- Status changed from Development / Work In Progress to Work Completed-End life cycle