Yesterday Oracle released their quarterly Critical Patch Update. Browsing through the various readme files, I found that no Hyperion or EPM products were directly listed this quarter. OBIEE didn’t have any new patches to its software this quarter, either.
As you browse the information provided, you can see that WebLogic 10.3.6.0 does have some low risk vulnerabilities addressed by this CPU. Oracle’s recommendation is to apply the 10.3.6.0.9 WebLogic Server Patch Set Update (Patch 19182814) to address some of the concerns with the WebLogic application server that is installed with and supports EPM and OBIEE.
In critical environments, it would also be advised to monitor and update the supporting Java SE version installed or used with Fusion Middleware products such as EPM and OBIEE. See Oracle Support note 1492080.1 on updating the installed Java version for Fusion Middleware products.
In reality, most EPM/BI implementations are going to be safely behind a corporate firewall and won’t worry about these too much. If you are hosting healthcare.gov, for instance, I would hope that you would already be aware of these and patched by now.