Weblogic Vulnerability (1) Basic Introduction of Weblogic

Basic introduction to Weblogic

WebLogic is an application server produced by Oracle Corporation in the United States. More precisely, it is middleware based on the Java EE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed Web applications, network applications and database applications. It brings the dynamic features of Java and the security of the Java Enterprise standard into the development, integration, deployment and management of large-scale network applications, and it is suited to large commercial projects.

WebLogic was first developed by WebLogic Inc., which was later merged into BEA Corporation, and BEA Corporation was in turn acquired by Oracle Corporation. WebLogic is a staple piece of software for building websites: it parses and serves web pages and is written in pure Java. WebLogic was not originally invented by BEA; BEA bought it from another company and then reworked and extended it. Since BEA's acquisition by Oracle, the latest version is Oracle WebLogic Server 12c (12.2.1.3). Other J2EE application servers include IBM's WebSphere, Sun's GlassFish (Sun has also been acquired by Oracle), Resin, and others. Apache Tomcat is also a commonly used Servlet/JSP container. Domestic (Chinese) vendors also produce application servers: Loong AS 9.0 from Zhongchuang Software (certified up to security level 4 and fully supporting domestic platforms), TongWeb from Dongfangtong (TongTech), and Kingdee's Apusic application server.

WebLogic has long been considered one of the best J2EE tools on the market. Like a database or mail server, WebLogic Server is invisible to clients and provides services to clients connected to it. The most common use of WebLogic is to provide secure, data-driven applications for Web services on or over the internet. WebLogic's support for the J2EE architecture: WebLogic Server provides support for the SUN J2EE architecture. SUN's J2EE architecture is an overall framework that supports distributed applications for enterprises. It provides a simple and open standard for integrating back-end systems, such as ERP systems and CRM systems, and for realizing enterprise-level computing.

Middleware

Middleware refers to software that connects software components or enterprise applications. Middleware is the software layer that sits between the operating system and the application programs on each side of a distributed computer network. It can be described as "software glue". Typically, it supports complex distributed business software applications.


Oracle defines middleware as consisting of Web servers, application servers, content management systems, and similar tools that support application development and delivery. It is usually built on technologies such as Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web services, SOA, Web 2.0, and Lightweight Directory Access Protocol (LDAP).

Oracle Fusion Middleware

Oracle Fusion Middleware is a concept proposed by Oracle. Oracle Fusion Middleware provides solutions and support for complex distributed business software applications. Oracle Fusion Middleware is a series of software products and includes a series of tools and services, such as: Java Enterprise Edition 5 (Java EE) compliant development and runtime environment, business intelligence, collaboration and content management. Oracle Fusion Middleware provides comprehensive support for development, deployment and management. Oracle Fusion Middleware typically provides a solution as shown in the following diagram:


Oracle Fusion Middleware provides two types of components:

  • Java components

Java components are used to deploy one or more Java applications; they are deployed to an Oracle WebLogic Server domain as domain templates. The Oracle WebLogic Server domain mentioned here is explained in detail below, together with Oracle WebLogic Server itself.

  • System Components

System components are processes managed by Oracle Process Manager and Notification (OPMN); they are not deployed as Java applications. System components include Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory, Oracle Virtual Directory, Oracle Forms Services, Oracle Reports, Oracle Business Intelligence Discoverer, and Oracle Business Intelligence.

Oracle WebLogic Server (WebLogic)

Oracle WebLogic Server (hereinafter referred to as WebLogic) is a scalable enterprise-class Java platform (Java EE) application server. It fully implements the Java EE 5.0 specification and supports the deployment of various types of distributed applications.

In the introduction to Oracle Fusion Middleware above, the name WebLogic appeared throughout, and when analyzing vulnerabilities I often see Oracle Fusion Middleware and WebLogic confused with each other. In fact, WebLogic is the core of Oracle Fusion Middleware: almost all Oracle Fusion Middleware products require WebLogic Server to run. So, strictly speaking, WebLogic Server is not Oracle Fusion Middleware itself, but the foundation on which Oracle Fusion Middleware is built and run. Oracle Fusion Middleware and WebLogic are inseparable, but they are not the same concept.

Oracle WebLogic Server domain

The Oracle WebLogic Server domain is the core of WebLogic. An Oracle WebLogic Server domain is a logically related group of Oracle WebLogic Server resources. A domain includes a special Oracle WebLogic Server instance called the Administration Server, which is the central point for configuring and managing all resources in the domain. That is to say, the deployment and management of Web applications, EJBs (Enterprise JavaBeans), Web services and other resources are all done through the Administration Server.


Oracle WebLogic Server cluster

A WebLogic Server cluster consists of multiple concurrently running WebLogic Server instances that work together to provide greater scalability and reliability. Because WebLogic is middleware designed for distributed deployment, clustering is one of its important functions. Clustering also involves communication and synchronization between instances, and many of WebLogic's security vulnerabilities are based on this feature.

Version of WebLogic

There are many versions of WebLogic, but today we mostly see only two major lines, 10.x and 12.x. These two major versions are also called WebLogic Server 11g and WebLogic Server 12c respectively.

According to Oracle's official download page, https://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-for-dev-1703574.html (reading from bottom to top):


The 10.x version is Oracle WebLogic Server 10.3.6, and this is also the version everyone likes to use for vulnerability analysis. All of the WebLogic vulnerability labs in P Niu's vulhub (https://github.com/vulhub/vulhub) are built on this version.

The major releases for 12.x are:

  • Oracle WebLogic Server 12.1.3
  • Oracle WebLogic Server 12.2.1
  • Oracle WebLogic Server 12.2.1.1
  • Oracle WebLogic Server 12.2.1.2
  • Oracle WebLogic Server 12.2.1.3

It is worth noting that the minimum JDK version supported by Oracle WebLogic Server 10.3.6 is JDK 1.6, the minimum JDK version supported by Oracle WebLogic Server 12.1.3 is JDK 1.7, and the minimum JDK version supported by Oracle WebLogic Server 12.2.1 and above is JDK 1.8. Because the JDK versions differ, the way a deserialization vulnerability is exploited also differs slightly between them. At the same time, different Oracle WebLogic Server versions depend on different components (jar packages), so different WebLogic versions may require different gadget chains (the exploitation chains used in deserialization vulnerabilities).

Advantages of Weblogic

WebLogic Server has a variety of features and advantages required to develop and deploy mission-critical e-commerce Web application systems, including:

Standards

Comprehensive support for industry standards, including EJB, JSP, JMS, JDBC, XML (a subset of the Standard Generalized Markup Language, SGML) and WML, makes implementing Web application systems easier and protects the investment in them. Standards-based solutions are also easier to develop.

Scalability

WebLogic Server is well-known in the industry for its highly scalable architecture, including sharing of client connections, resource pooling, and clustering of dynamic web pages and EJB components.

Rapid development

With its support for EJB and JSP and its Servlet component architecture, WebLogic Server shortens time to market. These open standards, combined with WebGain Studio, simplify development and let teams leverage existing skills to deploy application systems rapidly.

Flexibility

WebLogic Server features tight integration with leading databases, operating systems and Web servers.

Reliability

Its fault tolerance, system management, and security capabilities have been proven in thousands of mission-critical environments around the world.

Architecture

WebLogic Server was developed specifically for enterprise e-commerce application systems. Such systems need to be developed quickly, require server-side components that are flexible and secure, and at the same time demand the scalability, performance and high availability that mission-critical tasks need. WebLogic Server simplifies the development of portable and scalable application systems and provides rich interoperability with other applications and systems.

With its excellent cluster technology, WebLogic Server has the highest level of scalability and availability. BEA WebLogic Server implements both web page clustering and EJB component clustering without any special hardware or operating system support. Web page clusters can implement transparent replication, load balancing, and fault tolerance for presentation content, such as Web shopping carts; component clusters handle complex replication, load balancing, and fault tolerance of EJB components, as well as recovery of state objects (such as EJB entities).

Both web page clustering and component clustering are critical to the scalability and availability that e-business solutions require. Shared client/server and database connections, together with data caching and EJBs, further enhance performance. This is not available in other Web application systems.

Supplement

Products of the same type as WebLogic include IBM WebSphere, Apache Tomcat, Red Hat JBoss, etc. The default port of WebLogic is 7001.

Overview of Historical Vulnerabilities

Next, we can look at the historical vulnerabilities disclosed for WebLogic via the WebLogic historical vulnerabilities link; most of them are deserialization vulnerabilities.


Reference article: WebLogic Security Research Report

Origin: blog.csdn.net/qq_64973687/article/details/132508431