Oracle has released a patch for the latest CVE against WebLogic, so I wanted to walk through the steps to apply the patch to WebLogic and show how to use Smart Update. Smart Update is the utility used by WebLogic to apply patches to your installation.
UPDATE 12/8/2015 Thanks to Matt Tremblay for pointing out, WebLogic 12.1.2+ is now using OPatch for WebLogic patching. Look for a second WebLogic patching post soon about using OPatch with WebLogic.
Smart Update 3.3.0
Version 3.3.0 is the latest version and is included with WebLogic 10.3.5 and later. If you launch Smart Update and find that it is an older version, go grab version 3.3.0 (Patch 12426828).
Launching Smart Update
On Windows, if you chose to create a Program Group, you can launch Smart Update from the Start Menu under the “Oracle WebLogic” folder. Or, you can launch it from the command line by running bsu.cmd from %BEA_HOME%\utils\bsu.
The first time you run Smart Update, it may ask you to provide a %BEA_HOME% path. Give the path to your BEA Home (e.g.,
If you receive an error: “Unable to locate any supported product installations” or “The BEA Home directory selected does not contain any supported patch targets”, check out MOS Documents 946541.1 or 1063605.1 for the fix.
In the Smart Update window, you will see the installed applications in the left pane. Make sure “WebLogic” is selected. On the right, the top pane shows you patches that have been applied. The lower pane displays patches in your download directory that are waiting to be applied.
By default, Smart Update looks for patches under %BEA_HOME%\utils\bsu\cache_dir. To start Smart Update and have it look at a different path, use the -patch_download_dir=[path] flag or select File > Preferences to change the directory.
To apply a patch, click the green arrow in the “Downloaded Patches” pane for the patch. Smart Update will check for patch conflicts and then apply the patch.
You can also run Smart Update from the command line. This is great when you have multiple servers to patch. Running bsu.cmd -help will give you all the options you need when scripting.
Let’s Fix CVE-2015-4852
Since we have new patches to fix CVE-2015-4852 (T3/Java Deserialization), let’s use those as our example. Go to this page to find the applicable patch (or patches if you are on 10.3.6) to apply.
Download the patches you need and unzip them. Copy the .xml files from the patch folders to your web server. I put the patch files under e:\patches\cve-2015-4852 on the web server. We will tell Smart Update to use this directory. (Since we are running WebLogic 10.3.6, there are two patches to install in our example.)
Before you apply any patches, make sure to stop any web servers running on the server. If you don’t, Smart Update won’t be able to patch .jar files that are in use.
Let’s run Smart Update from the command line. Open a command prompt and navigate to %BEA_HOME%\utils\bsu. We need to pass these values to the bsu command:
-install (apply the listed patch)
-patch_download_dir=[path] (the directory where we put the patch files)
-patchlist=EJUW (note, this is not the patch number, but the PSU Patch ID)
-prod_dir=[path] (the WebLogic product directory)
-verbose
So, my command to apply the first CVE patch looks like this:
bsu -install -patch_download_dir=e:\patches\cve-2015-4852 -patchlist=EJUW -prod_dir=e:\oracle\wlserver_10.3 -verbose
I had to change the memory settings for Smart Update. In the bsu.cmd file, I modified the set MEM_ARGS line:
set MEM_ARGS=-Xms512m -Xmx1024m -XX:PermSize=64m -XX:MaxPermSize=128m -Xss512k
Smart Update will give you a “Success” message, or an error message. Next, let’s apply the second CVE patch:
bsu -install -patch_download_dir=e:\patches\cve-2015-4852 -patchlist=ZLNA -prod_dir=e:\oracle\wlserver_10.3 -verbose
Verify WebLogic Version
To verify WebLogic has the new patches, we can run two commands. The first command is to set the environment with:
Then, run the command:
The output will look similar to this:
WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050
Another option to check the version of WebLogic is using the Smart Update utility:
bsu -prod_dir=e:\oracle\wlserver_10.3 -status=applied -verbose -view
The output shows that we have applied the 10.3.6.0.12 PSU and the CVE patch. Now, restart all your web servers and start testing!
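When you have more than a handful of servers, checking the version output by eye does not scale. The script below is an added example, not part of the original post or of Oracle's tooling: it parses version output in the format the post shows above and reports what a host still lacks against a required PSU level and list of bug numbers. The sample outputs are constructed (the patched one copies the three lines from the post, the unpatched one is the 10.3.6 base line alone), and the required values used here, PSU 10.3.6.0.12 and BUG22248372, are taken from the post's own output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the three lines the post shows after both CVE-2015-4852
# patches were applied to a 10.3.6 installation.
PATCHED_OUTPUT = """\
WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST2015
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050
"""

# Constructed sample: a host still running the unpatched 10.3.6 base.
UNPATCHED_OUTPUT = """\
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050
"""

VERSION_RE = re.compile(r"^WebLogic Server (\d+(?:\.\d+)+)")
BUG_RE = re.compile(r"\bBUG(\d+)\b")


@dataclass
class VersionInfo:
    base_version: Optional[str] = None   # e.g. "10.3.6.0"
    psu_version: Optional[str] = None    # e.g. "10.3.6.0.12", None if no PSU line
    bugs: List[str] = field(default_factory=list)  # bug numbers from PSU/temporary lines


def parse_version_output(text: str) -> VersionInfo:
    """Extract base version, PSU version and patched bug numbers from the banner.
    Lines not starting with 'WebLogic Server' (JVM noise, blank lines) are skipped."""
    info = VersionInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("WebLogic Server"):
            continue
        info.bugs.extend(BUG_RE.findall(line))
        m = VERSION_RE.match(line)
        if not m:
            continue  # "Temporary Patch" lines carry a bug number but no version
        if "PSU Patch" in line:
            info.psu_version = m.group(1)
        else:
            info.base_version = m.group(1)
    return info


def version_tuple(version: Optional[str]) -> Tuple[int, ...]:
    """'10.3.6.0.12' -> (10, 3, 6, 0, 12); None (no PSU applied) -> ()."""
    return tuple(int(part) for part in version.split(".")) if version else ()


def missing_fixes(info: VersionInfo, required_psu: str, required_bugs: List[str]) -> List[str]:
    """Return what the host still lacks; an empty list means it meets the required level."""
    missing: List[str] = []
    if version_tuple(info.psu_version) < version_tuple(required_psu):
        missing.append(f"PSU {required_psu}")
    for bug in required_bugs:
        if bug not in info.bugs:
            missing.append(f"BUG{bug}")
    return missing


def report(host: str, output: str, required_psu: str, required_bugs: List[str]) -> str:
    """One line per host, suitable for collecting across a fleet."""
    missing = missing_fixes(parse_version_output(output), required_psu, required_bugs)
    return f"{host}: OK" if not missing else f"{host}: MISSING {', '.join(missing)}"


if __name__ == "__main__":
    # Hostnames are placeholders; the outputs are the constructed samples above.
    print(report("web01", PATCHED_OUTPUT, "10.3.6.0.12", ["22248372"]))
    print(report("web02", UNPATCHED_OUTPUT, "10.3.6.0.12", ["22248372"]))
```

The bug-number check only holds while the fix ships as a temporary patch. Once a later PSU bundles it, the "Temporary Patch for BUG…" line disappears from the output, so keep the required bug numbers tied to the PSU level you expect rather than treating them as permanent.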