Re: oracle patches

  • From: Masha Dubov <gurenich@xxxxxxxxx>
  • To: dedba@xxxxxxxxxx
  • Date: Fri, 20 Nov 2015 11:19:45 -0500

Dear all, what is your opinion, based on the research, must we apply
the (CVE-2015-4852) WebLogic patch? Sounds serious to me...

On Wed, Nov 11, 2015 at 7:59 PM, De DBA <dedba@xxxxxxxxxx> wrote:

Yeah, but it's unsolvable apparently. This blog explains what the issue is:


https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

"...developers put too much trust in Java Object Serialization. Some even
de-serialize objects pre-authentication..."

"...there is no easy fix and applications need to revisit their
client-server protocols and overall architecture..."

and above all:

"...However, to be clear: this is not the only known and especially not
unknown useable gadget. So replacing your installations with a hardened
version of Apache Commons Collections will not make your application resist
this vulnerability.."

Boils down to sloppy programming involving third-party supplied data. A
bit like SQL injection via web interfaces...

Cheers,
Tony


On 11/11/15 23:10, Patrice sur GMail wrote:

got an e-mail from Oracle last night, there's an emergency (non-quarterly
patch) out for WebLogic now



http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

On Tue, Nov 10, 2015 at 2:47 PM, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:

Hadn't spotted that my dialog earlier with Howard was off list - I
believe we resolved the issue successfully.

On Tue, Nov 10, 2015 at 4:49 PM, MacGregor, Ian A. <ian@xxxxxxxxxxxxxxxxx> wrote:

Did you check under $ORACLE_HOME/cfgtoollogs/opatch? There you
should find a log of the changes made to the Oracle software. Also there
should be logs under $ORACLE_BASE/cfgtoollogs/catbundle which detail the
changes made to database objects. The logs I have indicate the
database script generated only makes changes to the Java virtual machine.
This assumes you had applied the database component of the July PSU.
Perhaps, if you don't have OJVM installed, it would do nothing.



-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Howard Latham
Sent: Tuesday, November 10, 2015 2:56 AM
To: ORACLE-L
Subject: oracle patches

Red Hat Linux 5
11.2.0.4
patch id 21352635


We finally relented and have gone for the quarterly patches from Oracle,
driven by security wonks rather than technical need. Is it unusual,
as with this patch, that nothing has to be done? I.e. opatch runs but
makes no changes.

--
Howard A. Latham
--
//www.freelists.org/webpage/oracle-l

--
Niall Litchfield
Oracle DBA
http://www.orawin.info

-- Patrice
My profiles: Facebook <http://www.facebook.com/home.php?#%21/profile.php?id=100000206805521>,
LinkedIn <http://ca.linkedin.com/pub/patrice-boivin/a/933/5a9>,
Twitter <http://www.twitter.com/PatriceBoivin>
--

ૐ namaste ૐ