Script WebLogic and Java Patches

In December, we talked quite a bit about patching Java and WebLogic on the blog and podcast. There was a WebLogic CVE, and then a patch, to apply. If you want a recap on the CVE and patching process, here are the posts:

While applying the patches, I wanted to script the process so patching would be consistent across all our servers. I pulled the scripts into a GitHub project for sharing and reuse. If you haven’t scripted a WebLogic patch, this would be a place to start. The scripts are written in PowerShell and built for WebLogic 10.3.6, so they use SmartUpdate instead of OPatch. I also added a Java patch to the process; you could pull out the Java patch script to use by itself. One more note: all the patches, Java, and scripts were set to run from the folder e:\installers\weblogic1036-2015-CVE-Patches. If you use these for your environment, or just use them as a template, you’ll want to update those paths for your specific configuration.

There is nothing ground-breaking about these scripts 🙂 I can write scripts, but I’m not the best script developer out there. If you see places where the scripts need improvement, file an issue with the project or submit a pull request! The main goal with this project and post is to get others started with scripting. Scripting, even if the scripts are basic, can benefit administrators. I hope that this quick overview might help someone get started.

Scripts Overview

These scripts are written in PowerShell. If PowerShell scripts are not enabled on the server, run this command to allow PowerShell scripts to run:

set-executionpolicy unrestricted

  1. Install new SmartUpdate version (3.3.0)

    installSmartUpdate.ps1

    The silent.xml file is used for a silent install (no prompts). The installation directory is set to e:\oracle. If you want a different directory, change the value for “BEAHOME”.

  2. Stop all web servers running on the server

    stopPIAServices.ps1

    The script looks for any Windows service that contains “*-PIA” in the name. If you have any WebLogic domains that were not created by the installNTService script, you may need to shut them down by hand.

  3. Prepare and copy files from the weblogic1036-2015-CVE-Patches folder

    prepareFiles.ps1

    This script performs tasks to prepare different files for patching. On our servers, two files needed updates to run the Smart Update utility: registry.xml needed a reference to Tuxedo removed, and bsu.cmd needed an increase in the Java heap memory. The registry.xml file also contains a reference to the server where it was installed; the script changes that value based on the new server’s name. The original files are backed up first, with a .bkp extension added to the file name. The script also copies jdk-1.7.0_79 to our e:\java folder. If you want the new Java version in a different location, you can change the path in the file.

  4. Apply both WebLogic patches

    applyWebLogicPatches.ps1

    The patches we are applying resolve the December 2015 CVE with WebLogic. If you are using these scripts for future patches, you’ll want to update the patch IDs in the script. Both patches are applied to WebLogic using the bsu command. The script assumes your patches are in the folder e:\patches\cve-2015-4852. NOTE: On one of our servers, the second patch stalled during the “Checking for Conflicts” step. If the script stalls for more than a few minutes, hit Ctrl-C.

  5. Update the JAVA_HOME values

    updateJavaVersion.ps1

    The JAVA_HOME value in the setEnv.cmd script will be updated to the new path. You must update this script for each server, because the paths in the script are hard-coded. (The hard coding is an obvious candidate to fix next. It should be possible to use the Get-ChildItem cmdlet to find all the setEnv.cmd files.)

  6. Update Registry value for JAVA_HOME

    updateRegistryJavaVersion.ps1

    The JAVA_HOME value in the Registry for each web service will be updated. You must update this script for each server, because the paths in the script are hard-coded. (Again, another place for improvement. I need to find a search cmdlet for the Registry; it could look for -PIA in the service name.)

  7. Start all web servers running on the server.

    startPIAServices.ps1

    Again, this looks for all Windows services that have *-PIA in the name and starts them. That’s it.
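As an added example (not one of the scripts in the GitHub project), here is what steps 5 and 6 look like once the hard-coded paths are replaced by discovery: Get-ChildItem finds every setEnv.cmd, and Get-Service finds the *-PIA services. The domain root e:\psoft\webserv and the registry value name JavaHome under each service's Parameters key are assumptions; check them against your own server before running.

```powershell
param(
    [string]$NewJavaHome = 'e:\java\jdk1.7.0_79',    # JDK copied by prepareFiles.ps1
    [string]$DomainRoot  = 'e:\psoft\webserv',       # assumed: where the PIA domains live
    [string]$RegValue    = 'JavaHome',               # assumed: value name under the service's Parameters key
    [switch]$DryRun                                  # report what would change, change nothing
)

# Refuse to point anything at a JDK that is not actually there.
if (-not (Test-Path (Join-Path $NewJavaHome 'bin\java.exe'))) {
    throw "No java.exe under $NewJavaHome; copy the JDK first"
}

# Step 5 without hard-coded paths: find every setEnv.cmd under the domain root,
# back it up (.bkp, as prepareFiles.ps1 does) and rewrite only the JAVA_HOME line.
Get-ChildItem -Path $DomainRoot -Filter setEnv.cmd -Recurse | ForEach-Object {
    $file    = $_.FullName
    $text    = Get-Content -Path $file -Raw
    $pattern = '(?im)^([ \t]*SET[ \t]+JAVA_HOME=)[^\r\n]*'   # keep the line ending intact
    if ($text -notmatch $pattern) { Write-Warning "No JAVA_HOME line in $file"; return }
    if ($DryRun) { Write-Host "Would update $file"; return }
    Copy-Item -Path $file -Destination "$file.bkp" -Force
    $updated = [regex]::Replace($text, $pattern, '${1}' + $NewJavaHome)
    Set-Content -Path $file -Value $updated -NoNewline
    Write-Host "Updated JAVA_HOME in $file"
}

# Step 6 without hard-coded paths: enumerate the *-PIA services and update the
# Java location each one starts with.
Get-Service -Name '*-PIA' | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    if (-not (Test-Path $key)) { Write-Warning "No Parameters key for $($_.Name)"; return }
    $old = (Get-ItemProperty -Path $key).$RegValue
    if ($DryRun) { Write-Host "Would change $($_.Name): '$old' -> '$NewJavaHome'"; return }
    Set-ItemProperty -Path $key -Name $RegValue -Value $NewJavaHome
    Write-Host "Changed $($_.Name) $RegValue from '$old' to '$NewJavaHome'"
}
```

Run it once with -DryRun to see which files and services it found before letting it write anything.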

The scripts are pretty simple, and you can write a wrapper script to run all the sub-scripts. That way you’d have one script to kick off. Or, you could add these into a tool like Rundeck to execute from a centralized place. Once you start down the path of scripting, many opportunities open up to speed up everyday tasks.

How to Apply WebLogic Patches – Part 2

In Part 1, I showed how to use Smart Update to patch WebLogic. Starting with WebLogic 12.1.2, OPatch handles all the patching. Let’s walk through using OPatch to update WebLogic to fix the latest vulnerability. OPatch is included in the WebLogic install, so everything you need to apply patches is ready to go.

Windows Path Limit

If you are on Windows and applying patches 21370953 and 22250567, you may run into the error “The file name(s) would be too long for the destination folder.” The patch contains so many nested folders that they conflict with the Windows limit of 260 characters for a file path. The workaround is to use the jar utility that comes with the JDK to unzip the patch:

jar -xvf p21370953_121300_Generic.zip

Set OPatch Environment

OPatch needs to know what ORACLE_HOME you are applying the patch to. Depending on your server configuration, you may need to set ORACLE_HOME to the directory that contains WebLogic.

set ORACLE_HOME=e:\middleware-854

Let’s Fix CVE-2015-4852

Since we have new patches to fix CVE-2015-4852 (T3/Java Deserialization), let’s use those as our example. Go to this page to find the applicable patch (or patches, if you are on 10.3.6) to apply.

Extract Patches

Download the patches you need and unzip them. I put the patch files under

e:\patches\cve-2015-4852

on the web server.

set PATCH_TOP=e:\patches\cve-2015-4852
unzip -d %PATCH_TOP% p21370953_121300_Generic.zip
unzip -d %PATCH_TOP% p22250567_121300_Generic.zip

Apply Patches

Make sure all of your web server instances are shut down. Then, move into the first patch folder so it is your current directory. Once you are in the patch folder, we call OPatch.

cd e:\patches\cve-2015-4852\21370953
e:\middleware-854\OPatch\opatch apply

At the end of the patch, you should see an OPatch succeeded message. Let’s apply the second patch.

cd e:\patches\cve-2015-4852\22250567
e:\middleware-854\OPatch\opatch apply

At the end of the patch, you should see an OPatch succeeded message.

Verify WebLogic Version

To verify WebLogic has the new patches, we use OPatch’s lsinventory command.

e:\middleware-854\OPatch\opatch lsinventory

The output will look similar to this:

Interim patches (2) :

Patch 22250567 : applied on Fri Dec 11 07:46:45 CST 2015
Unique Patch ID: 19584835
Patch description: "One-off" Created on 22 Nov 2015, 01:36:21 hrs PST8PDT
Bugs fixed: 22175246, 22200449, 22247869, 21495475
This patch overlays patches: 21370953
This patch needs patches: 21370953 as prerequisites

Patch 21370953 : applied on Fri Dec 11 07:46:45 CST 2015
Unique Patch ID: 19198495
Patch description: "WebLogic Server 12.1.3.0.5 PSU Patch for BUG21370953 October 2015"

The output shows that we have applied the CVE patches. Now, restart all your web servers and start testing!
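As an added example (not from the post), the whole Part 2 procedure as one PowerShell script: it refuses to run while any *-PIA service is up, applies the two patches in prerequisite order, checks each run for the OPatch succeeded message, and then confirms both patch IDs in lsinventory instead of relying on reading the output by eye. It assumes the e:\middleware-854 ORACLE_HOME and e:\patches\cve-2015-4852 layout from the post, and that the Windows OPatch launcher is OPatch\opatch.bat.

```powershell
$env:ORACLE_HOME = 'e:\middleware-854'
$PatchTop = 'e:\patches\cve-2015-4852'
$OPatch   = Join-Path $env:ORACLE_HOME 'OPatch\opatch.bat'   # assumed launcher name on Windows
$PatchIds = @('21370953', '22250567')   # order matters: 22250567 lists 21370953 as a prerequisite

# Patching a live domain is the classic way to end up with a half-updated install.
if (Get-Service -Name '*-PIA' -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running') {
    throw 'Stop all *-PIA services before patching'
}

foreach ($id in $PatchIds) {
    Push-Location (Join-Path $PatchTop $id)       # opatch apply reads the patch from the current directory
    try {
        # -silent answers the "Do you want to proceed" prompt so the script does not hang waiting for input
        $out = & $OPatch apply -silent 2>&1
        $out | Tee-Object -FilePath (Join-Path $PatchTop "opatch-apply-$id.log")
        if ($LASTEXITCODE -ne 0 -or (($out -join "`n") -notmatch 'OPatch succeeded')) {
            throw "OPatch apply for $id did not report success (exit code $LASTEXITCODE)"
        }
    } finally {
        Pop-Location
    }
}

# Verify against the inventory, matching the "Patch <id> : applied on ..." lines shown in the post.
$inventory = (& $OPatch lsinventory 2>&1) -join "`n"
$missing = $PatchIds | Where-Object { $inventory -notmatch "Patch\s+$_\s*:" }
if ($missing) {
    throw "Patches not found in lsinventory: $($missing -join ', ')"
}
Write-Host "Both patches present in inventory: $($PatchIds -join ', ')"
```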