Today Oracle released a list of vulnerabilities affecting EPM and related BI software, along with a host of other products. See the full announcement here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
This one was interesting as my beloved Hyperion products were mentioned. Seven vulnerabilities were identified with Hyperion products. It was interesting that most of the patches for these vulnerabilities have been out for a little while, so hopefully you have already mitigated some of these. Here is the list of defects for Hyperion:
If you click the link from the announcement to My Oracle Support note number 1666884.1, the Patch Set Update and Critical Patch Update July 2014 Availability Document, it will give you the patches to fix each vulnerability.
Patch Availability for Oracle Hyperion Analytic Provider Services
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 17767293 | CVE-2014-4246 | 11.1.2.3.500 PSU |
| 11.1.2.2 | SPU Patch 18148649 | CVE-2014-4246 | 11.1.2.2.106 PSU |
Patch Availability for Oracle Hyperion BI+
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 17529887 and SPU Patch 18383790 | CVE-2014-0436 | 11.1.2.3.500 PSU (included in 17767293) and 11.1.2.3.500 Client Installers PSE |
| 11.1.2.2 | SPU Patch 18659116 and SPU Patch 18856417 | CVE-2014-0436 | I could not find these patches. The links do not show the patch. |
Patch Availability for Oracle Hyperion Common Admin
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | CPU Patch 18672071 | CVE-2014-4269, CVE-2014-4270 | 11.1.2.3.501 PSU for Shared Services |
| 11.1.2.2 | CPU Patch 18659116 | CVE-2014-4269, CVE-2014-4270 | I could not find this patch either. |
Patch Availability for Oracle Hyperion EAS
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | Admin Server Patch 17417347; Admin Console Patch 17417344 | Released January 2014 | 11.1.2.3.002 PSU, should also be included in 11.1.2.3.501 PSU |
| 11.1.2.2 | Admin Server Patch 17277761; Admin Console Patch 17277764 | Released January 2014 | 11.1.2.2.104 PSU |
| 11.1.2.1 | Admin Server Patch 17545122; Admin Console Patch 17545124 | Released January 2014 | 11.1.2.1.107 PSU |
Patch Availability for Oracle Hyperion Enterprise Performance Management Architect
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 17529887 and SPU Patch 18383790 | CVE-2014-4203, CVE-2014-4206 | 11.1.2.3.500 PSU and 11.1.2.3.500 Client Installers PSE |
| 11.1.2.2 | SPU Patch 18659116 and SPU Patch 18856417 | CVE-2014-4203, CVE-2014-4206 | I could not find this patch either. |
Patch Availability for Oracle Hyperion Essbase
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 18505489 | CVE-2014-4271 | 11.1.2.3.501 PSU |
| 11.1.2.2 | SPU Patch 18520684 | CVE-2014-4271 | 11.1.2.2.000 Patch Set Update Exception (PSE): 11.1.2.2.106 (18520684) |
Patch Availability for Oracle Hyperion Strategic Finance
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.2 | CPU Patch 14593946 | Released April 2014 | 11.1.2.2.301 PSU |
| 11.1.2.1 | CPU Patch 17636270 | Released April 2014 | 11.1.2.1.103 PSU |
In addition to the application patches, we also find that WebLogic Server 10.3.6.0 is listed. This is important because it is part of our installation of EPM 11.1.2.x and most of us take it for granted.
Patch Set Update Availability for Oracle WebLogic Server
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| Oracle Java SE home | JDK/JRE 6 Update 81 | | See Note 1492980.1, How to Maintain the Java SE Installed or Used with FMW 11g Products |
| Oracle JRockit 28.x home | R28.3.3 - Patch 18763693 | | |
| WebLogic Server 10.3.6.0.0 home | PSU 10.3.6.0.8 Patch 18040640 | CVE-2014-2480, CVE-2014-2481, CVE-2014-4256, CVE-2014-4242, CVE-2014-4253, CVE-2014-4267, CVE-2014-4255, CVE-2014-4254, CVE-2014-2479, CVE-2014-4210, CVE-2014-4241, CVE-2014-4217, CVE-2014-4201, CVE-2014-4202 | See Note 1306505.1, Announcing Oracle WebLogic Server PSUs (Patch Set Updates). For CVE-2014-4256, see Note 1903763.1, Download Request for Security Configuration |
Also note in the announcement that there is a patch for OBIEE’s Mobile App Designer.
Patch Availability for Oracle Business Intelligence App Mobile Designer
| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.1.7.0 | SPU Patch 18794832 | CVE-2014-4249 | Must delete existing MAD deployment and install this one. Check the readme. |
This appears to be a replacement for the entire MAD install. Going forward, I will use the Oracle BI Mobile App Designer patch 18794832 instead of the older 17220994 patch. This patch came out on 6/3, so they aren’t very good about announcing these patches. I guess that’s why we should be reading these quarterly announcements to find out what has been fixed.

Hi,
Just answer a simple question of mine.
We recently upgraded from 11.2.0.2 to 11.2.0.4 and now we want to apply the CPU/PSU patches released by Oracle quarterly, but we are confused: do we need to apply all quarterly patches, or is the latest quarterly patch enough to apply?
Preethi,
I do not recognize those version numbers; are they for Oracle Database? My focus is primarily on the Hyperion and OBIEE software. In order for you to get the correct answer for your specific concerns, I would recommend submitting an SR to Oracle Support and they should be able to answer those specific questions.
Thank you,
Robert