The list of patches that form this CPU is available here.
There are a lot of security vulnerabilities, affecting lots of EPM\BI products.
The following will affect your current EPM\BI installations (I have written my own notes in italics):
Oracle HTTP Server
versions 11.1.1.7.0, 12.1.2.0
OHS Server patched in January 2014 CPU patch
17664563
OHS WebLogic Plugin (mod_wl_ohs) patched in July 2014 CPU patch
18423831
Oracle Hyperion Essbase
versions 11.1.2.2, 11.1.2.3
Patched in 11.1.2.3.501
Oracle Hyperion BI+ (Reporting and Analysis)
versions 11.1.2.2, 11.1.2.3
Patched in 11.1.2.3.500
Oracle Hyperion Enterprise Performance Management Architect
versions 11.1.2.2, 11.1.2.3
Patched in 11.1.2.3.500
Oracle Common Admin
versions 11.1.2.2, 11.1.2.3
Patched in the HSS 11.1.2.3.501 patch
Oracle Hyperion Analytic Provider Services
versions 11.1.2.2, 11.1.2.3
Patched in 11.1.2.3.500
The following might affect your EPM or BI installations, depending on what patching you have done:
Oracle WebLogic Server
versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
(EPM 11.1.2.1 ships with WL 10.3.4 and 11.1.2.3 ships with WL 10.3.6)
(OBIEE is usually installed with WL 10.3.6 but your installation may be different)
Patched in 10.3.6.0.8
18040640
Oracle JRockit
versions R27.8.2, R28.3.2
(EPM 11.1.2.1 ships with R28.0.2 and EPM 11.1.2.3 ships with R28.2.5)
Patched in R28.3.3
18763693
All information is from the following webpage:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
I will update this post as I learn new information.
Update 19:46 15/07/2014:
So according to this all CPUs are released by Oracle at 1PM Pacific Time. Today that is 21:00 BST (San Francisco is currently on daylight saving time and so is London). As soon as the CPU is released I will try to distill the available information and post it here.
Update 21:24 15/07/2014:
So it turns out BI Publisher is not affected. There is no patch released for BI Publisher.
OHS 11.1.1.7 ships in EPM 11.1.2.3 only. EPM 11.1.2.1 ships with OHS 11.1.1.4. You can check your version of OHS with the following command:
E:\Oracle\Middleware\ohs\ohs\bin\httpd.exe -version
OHS 11.1.1.7 will return "Server version: Oracle-HTTP-Server/2.2.22 (Win64)".
OHS 11.1.1.4 will return "Server version: Oracle-HTTP-Server/2.2.15 (Win32)".
The OHS Server patch was released back in January of this year. The OHS WebLogic plugin (mod_wl_ohs) patch was only released today.
The EPM patches were all released earlier this year, if you are on the latest patchset you are covered.
I have not actually done a WebLogic upgrade on an EPM installation so I am not sure how much work is involved with that. I will need to investigate. The WebLogic patch was released back in April of this year.
The Jrockit patch would only apply to you if you upgraded your stock EPM Jrockit installation to R28.3.2. That patch was only released today.
To round up:
Today has been a good learning experience for me. The majority of patches were already released much earlier, so if you have regular patching cycles you have nothing to fret.You could get away with not patching Jrockit, if you can verify it was never updated in any of your environments.
WebLogic could be the trickiest part to patch, I will look into how to perform this patching for EPM and OBIEE and create a separate blog post.
Update 10:41 16/07/2014:
Clarified OHS versions for each release.
No comments:
Post a Comment