div class='cap-left'/>

Applying Oracle CPU's on Oracle EPM, is that a good thing?

Wednesday, February 24, 2016

Introduction

CPU's are Critical Patch Updates which have the soul goal of solving known vulnerabilities. For EPM Oracle releases Patch Sets (PS), Patch Set Updates (PSU) and Patch Set Exceptions (PSE). These patches only address functional, technical and/or security issues for EPM software components. Thus Oracle Middleware used by EPM e.g. Weblogic and OHS remain untouched. For these products CPU's are released to address known vulnerabilities.

More and more clients are now performing security audits and penetration tests on Oracle EPM environments, with the consequence I get request to install Oracle CPU's on Oracle EPM environments.

During this post  I will go in to more detail why CPU's can be important, what the result is and how to apply them.

Note: Not familiar with the concept of EPM patches? Checkout my following post Clarifying Oracle EPM Versioning.


Oracle CPU Advisory

Every three month's or so, Oracle released a new advisory informing about new vulnerabilities and related CPU's. You may have noticed the banner on the bottom of my blog, which shows the last 7 released advisories. At the time of writing, the last advisory is from October 2015.

Challenges

To my best knowledge, CPU's are not tested with Oracle EPM, and officially unsupported within a EPM environment. However Oracle is somewhat unclear on this subject. Extensive (functional) testing may be required to have the best possible guarantee no issues appear after applying the CPU's. Identifying and applying the patches cannot be performed by the general IT department. Specific knowledge about EPM and the middleware components involved is required in order to asses the risks, define prerequisites, installing the patches and validate the result.

For this purpose I used Nessus to assist me. Basically Nessus scans your EPM environment against a known vulnerability database and presents you the results in a nice report including recommendations. The good part, Nessus is available as a free "home" edition which is limited in amount of servers you can scan simultaneously and uses a month old database.

Test Environment

For testing purposes I installed a Windows 2012R2 based VM with Oracle EPM 11.1.2.4 installed with the latest EPM patches available at the time of writing. Used MS SQL 2012 as repository. Then, I configured a scan on Nessus and enabled "web scan". Installing and configuring Nessus is out-of-scope for this post. Then apply all suggested fixes and run the scan again in order to proof all vulnerabilities are addressed.

First Result

The result of the first scan can be read here. This a "Management Report" of the findings. To most of us probably the report as such is not a surprise. As you can see in the report, three components require our focus: OHS, Weblogic and Java JRE/JDK. Since I applied the latest EPM PSU's, you notice that these vulnerabilities are not addressed by the regular EPM patches.

Remedies

In the end, only a few patches were required to fix all issues. However, after applying the first batch of patches and rerunning a scan, one patch required an additional patch. Below an overview of patches suggested by Nessus:
  1. Weblogic
    • Patch 20780171: SU Patch [EJUW]: WLS PATCH SET UPDATE 10.3.6.0.12
    •  Patch 20069588: SU Patch [8LVZ]: 20069588 - WebLogic Portal security patch update 10.3.6.0 (cpujan2015)
  2.  OHS
    •  Patch 21640624: OHS SECURITY PATCH UPDATE 11.1.1.7.0 (CPUOCT2015)
  3.  Java / JRockit
    •  Update 105 or later
A special note on Java and JRockit: The embedded versions are out of date. It is not supported to change these Java versions. However I changed the content of all Java run time and JRockit folders with the binaries from the 105b update while maintaining the original folder names. For me, Oracle EPM worked without any issues.

Second Result

The result of the second scan can be read here. As you can see all known vulnerabilities are addressed from an EPM perspective.

How to install

Unless specified other wise by Oracle, all CPU's are installed using the native install mechanism of the Middleware component in question. For OHS using the OPatch command located in "\Oracle\Middleware\ohs\OPatch" and for Weblogic using BEA Smart Update (BSU) utility located in "D:\Oracle\Middleware\utils\bsu". Detailed instructions on how to apply the patches and use these utilities are usually in the patch ReadMe.

In my case I suffered from a BSU issue that would prevent you from installing a patch successfully. Either the patch doesn't install at all, or takes a long time to do so. The following change fixed my issues with BSU:
  1. Locate and backup the original file named "bsu.cmd | .sh"
  2. Edit the file using e.g. Notepad++ 
  3. Replace the default string with the new string, and save the file.

Default String
New String

Final Notes

Based on my findings I have to conclude that installing CPU's is recommended for (Internet) exposed EPM environments or customers with high security demands. However, realize that the process of identifying, applying CPU's and validation is time consuming. In addition this process is repetitive, at least every three months depending on the Oracle security advisory contents.


1 comment :

  1. Noticed that the CPU for Weblogic breaks Jython for Weblogic Toolkit on Windows 2012 (R2). You can fix it by editing the \lib\javashell.py within the module jython-modules.jar located in \Oracle\Middleware\wlserver_10.3\common\wlst\modules. Add "Windows 2012" to the "_osTypeMap" variable. Repackage the module and replace it with the original.

    ReplyDelete