The April 2021 Patch Set Update (PSU) includes the following changes: See Review Potential Security Issues in Securing a Production Environment for Oracle WebLogic Server. Warnings for failed validations are logged in the Administration Console. Added new security validation checks to determine if your domain meets Oracle recommended security guidelines.
The July 2021 Patch Set Update (PSU) includes the following changes: See Review Potential Security Issues in Securing a Production Environment for Oracle WebLogic Server
Enhances resolution guidance for security validation warnings in the Administration Console by providing links to relevant documentation. See Using a Dynamic Blocklist Configuration File in Administering Security for Oracle WebLogic Server. Added support in WebLogic Server to detect the presence of a JEP 290 dynamic blocklist configuration file in the ORACLE_HOME/oracle_common/common/jep290 directory, and block deserialization of classes and packages specified in the file. See Using JEP 290 in Oracle WebLogic Server in Administering Security for Oracle WebLogic Server. This PSU includes allowlist support in the WebLogic Server Administration Console. While both approaches have benefits, the allowlist model is more secure because it only allows deserialization of classes known to be required by WebLogic Server and customer applications. With the blocklist model, WebLogic Server defines a set of well-known classes and packages that are vulnerable and blocks them from being deserialized, and all other classes can be deserialized. When using the allowlist model, WebLogic Server and the customer define a list of the acceptable classes and packages that are allowed to be deserialized, and blocks all other classes. Adds support for allowlists in JEP 290 filtering. The October 2021 Patch Set Update (PSU) includes the following changes: 
See Setting the Deserialization Timeout Interval in Administering Security for Oracle WebLogic Server. Adds the KernelMBean attribute RMIDeserializationMaxTimeLimit and the .timelimitmillis system property which enable you to set a time limit when deserializing Java objects.The April 2022 Patch Set Update (PSU) includes the following changes:
0 kommentar(er)
