July 2014 Oracle Quarterly Critical Patch Availability

Today Oracle released a list of vulnerabilities affecting EPM and related BI software, along with a host of other products. See the full announcement here: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

This one was interesting as my beloved Hyperion products were mentioned. Seven vulnerabilities were identified with Hyperion products. It was interesting that most of the patches for these vulnerabilities have been out for a little while, so hopefully you have already mitigated some of these. Here is the list of defects for Hyperion:

[Screenshot: list of Hyperion defects from the announcement]

If you click the link from the announcement to My Oracle Support note number 1666884.1, the Patch Set Update and Critical Patch Update July 2014 Availability Document, it will give you the patches to fix each vulnerability.

Patch Availability for Oracle Hyperion Analytic Provider Services

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 17767293 | CVE-2014-4246 | 11.1.2.3.500 PSU |
| 11.1.2.2 | SPU Patch 18148649 | CVE-2014-4246 | 11.1.2.2.106 PSU |

Patch Availability for Oracle Hyperion BI+

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 17529887 and SPU Patch 18383790 | CVE-2014-0436 | 11.1.2.3.500 PSU (included in 17767293) and 11.1.2.3.500 Client Installers PSE |
| 11.1.2.2 | SPU Patch 18659116 and SPU Patch 18856417 | CVE-2014-0436 | I could not find these patches. The links do not show the patch. |

Patch Availability for Oracle Hyperion Common Admin

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | CPU Patch 18672071 | CVE-2014-4269, CVE-2014-4270 | 11.1.2.3.501 PSU for Shared Services |
| 11.1.2.2 | CPU Patch 18659116 | CVE-2014-4269, CVE-2014-4270 | I could not find this patch either. |

Patch Availability for Oracle Hyperion EAS

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | Admin Server Patch 17417347; Admin Console Patch 17417344 | Released January 2014 | 11.1.2.3.002 PSU, should also be included in 11.1.2.3.501 PSU |
| 11.1.2.2 | Admin Server Patch 17277761; Admin Console Patch 17277764 | Released January 2014 | 11.1.2.2.104 PSU |
| 11.1.2.1 | Admin Server Patch 17545122; Admin Console Patch 17545124 | Released January 2014 | 11.1.2.1.107 PSU |

Patch Availability for Oracle Hyperion Enterprise Performance Management Architect

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 17529887 and SPU Patch 18383790 | CVE-2014-4203, CVE-2014-4206 | 11.1.2.3.500 PSU and 11.1.2.3.500 Client Installers PSE |
| 11.1.2.2 | SPU Patch 18659116 and SPU Patch 18856417 | CVE-2014-4203, CVE-2014-4206 | I could not find this patch either. |

Patch Availability for Oracle Hyperion Essbase

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.3 | SPU Patch 18505489 | CVE-2014-4271 | 11.1.2.3.501 PSU |
| 11.1.2.2 | SPU Patch 18520684 | CVE-2014-4271 | 11.1.2.2.000 Patch Set Update Exception (PSE): 11.1.2.2.106 (18520684) |

Patch Availability for Oracle Hyperion Strategic Finance

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.2.2 | CPU Patch 14593946 | Released April 2014 | 11.1.2.2.301 PSU |
| 11.1.2.1 | CPU Patch 17636270 | Released April 2014 | 11.1.2.1.103 PSU |

In addition to the application patches, we also find that WebLogic Server 10.3.6.0 is listed.  This is important because it is part of our installation of EPM 11.1.2.x and most of us take it for granted.

Patch Set Update Availability for Oracle WebLogic Server

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| Oracle Java SE home | JDK/JRE 6 Update 81 | | See Note 1492980.1, How to Maintain the Java SE Installed or Used with FMW 11g Products |
| Oracle JRockit 28.x home | R28.3.3 - Patch 18763693 | | |
| WebLogic Server 10.3.6.0.0 home | PSU 10.3.6.0.8 Patch 18040640 | CVE-2014-2480, CVE-2014-2481, CVE-2014-4256, CVE-2014-4242, CVE-2014-4253, CVE-2014-4267, CVE-2014-4255, CVE-2014-4254, CVE-2014-2479, CVE-2014-4210, CVE-2014-4241, CVE-2014-4217, CVE-2014-4201, CVE-2014-4202 | See Note 1306505.1, Announcing Oracle WebLogic Server PSUs (Patch Set Updates). For CVE-2014-4256, see Note 1903763.1, Download Request for Security Configuration |

Also note in the announcement that there is a patch for OBIEE’s Mobile App Designer.

Patch Availability for Oracle Business Intelligence App Mobile Designer

| Product Home | Patch | Advisory Number | Comments |
|---|---|---|---|
| 11.1.1.7.0 | SPU Patch 18794832 | CVE-2014-4249 | Must delete existing MAD deployment and install this one. Check the readme. |

This appears to be a replacement for the entire MAD install.  Going forward, I will use the Oracle BI Mobile App Designer patch 18794832 instead of the older 17220994 patch.  This patch came out on 6/3, so they aren’t very good about announcing these patches.  I guess that’s why we should be reading these quarterly announcements to find out what has been fixed.

 


2 comments

  1. Hi,

    Just answer a simple question of mine.

    We recently upgraded from 11.2.0.2 to 11.2.0.4 and now we want to apply the CPU/PSU patches released by Oracle quarterly, but we are confused: do we need to apply all quarterly patches, or is the latest quarterly patch enough to apply?

    1. Preethi,

      I do not recognize those version numbers, are they for Oracle database? My focus is primarily on the Hyperion and OBIEE software. In order for you to get the correct answer for your specific concerns, I would recommend submitting an SR to Oracle Support and they should be able to answer those specific questions.

      Thank you,
      Robert
