Re: oracle patches

  • From: De DBA <dedba@xxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Thu, 12 Nov 2015 10:59:27 +1000

Yeah, but it's unsolvable apparently. This blog explains what the issue is:

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

"...developers put too much trust in Java Object Serialization. Some even
de-serialize objects pre-authentication..."

"...there is no easy fix and applications need to revisit their client-server
protocols and overall architecture..."

and above all:

"...However, to be clear: this is not the only known and especially not unknown
useable gadget. So replacing your installations with a hardened version of Apache Commons
Collections will not make your application resist this vulnerability.."

Boils down to sloppy programming involving third-party supplied data. A bit
like SQL injection via web interfaces...

Cheers,
Tony
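The point in the quoted Apache statement, that swapping in a hardened Commons Collections does not fix an application which deserializes data it has not yet authenticated or validated, is easiest to see in code. The following is an added example, not code from this thread, from Oracle, or from the Apache Commons project: a plain Java 7/8-style `ObjectInputStream` subclass that refuses to resolve any class descriptor not on an explicit allowlist, so unexpected classes are rejected before any object of that class is instantiated. `PingMessage`, `AllowlistObjectInputStream` and `DeserializationAllowlistDemo` are hypothetical names chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

/** Hypothetical message type the application legitimately exchanges. */
final class PingMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;

    PingMessage(String text) {
        this.text = text;
    }
}

/** ObjectInputStream that only resolves classes on an explicit allowlist. */
final class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedClassNames;

    AllowlistObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // resolveClass() runs for every class descriptor in the stream before
        // an instance is created, so rejecting here stops a gadget chain before
        // any of its readObject() code gets a chance to execute.
        if (!allowedClassNames.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializationAllowlistDemo {
    // Strings and primitives are encoded directly in the stream and never pass
    // through resolveClass(), so only the message class itself needs listing.
    private static final Set<String> ALLOWED =
            Collections.singleton(PingMessage.class.getName());

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist; any other class type is refused. */
    static Object readAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(data), ALLOWED)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected message type: accepted.
        PingMessage ok = (PingMessage) readAllowlisted(serialize(new PingMessage("hello")));
        System.out.println("accepted: " + ok.text);

        // Any class not on the list (a harmless HashMap stands in here for
        // whatever an untrusted client might send) is rejected before it is built.
        try {
            readAllowlisted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDKs that have JEP 290 (Java 9, backported to 8u121 and later) the same policy can be expressed with `ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` system property instead of a subclass. Either way, the allowlist belongs to the application protocol, which is exactly why a library-level fix cannot supply it.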

On 11/11/15 23:10, Patrice sur GMail wrote:

got an e-mail from Oracle last night, there's an emergency (non-quarterly
patch) out for WebLogic now

http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

On Tue, Nov 10, 2015 at 2:47 PM, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:

Hadn't spotted that my dialog earlier with Howard was off list - I believe
we resolved the issue successfully.

On Tue, Nov 10, 2015 at 4:49 PM, MacGregor, Ian A. <ian@xxxxxxxxxxxxxxxxx> wrote:

Did you check under $ORACLE_HOME/cfgtoollogs/opatch? There you
should find a log of the changes made to the Oracle software. Also there
should be logs under $ORACLE_BASE/cfgtoollogs/catbundle which detail the changes
made to database objects. The logs I have indicate the database script
generated only makes changes to the Java virtual machine. This assumes you had
applied the database component of the July PSU. Perhaps, if you don't have
OJVM installed, it would do nothing.



-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Howard Latham
Sent: Tuesday, November 10, 2015 2:56 AM
To: ORACLE-L
Subject: oracle patches

redhat linux 5
11.2.04
patch id 21352635


We finally relented and went for the quarterly patches from Oracle,
driven by security wonks rather than technical need. Is it unusual,
as with this patch, that nothing has to be done? I.e. opatch runs but
makes no changes.

--
Howard A. Latham
--
//www.freelists.org/webpage/oracle-l

-- Niall Litchfield
Oracle DBA
http://www.orawin.info

-- Patrice

My profiles:
Facebook <http://www.facebook.com/home.php?#%21/profile.php?id=100000206805521>
LinkedIn <http://ca.linkedin.com/pub/patrice-boivin/a/933/5a9>
Twitter <http://www.twitter.com/PatriceBoivin>