Why... Why... Why?
This blog is dedicated to documenting error resolution and other tidbits that I discover while working as a Consultant in the Oracle EPM (Hyperion) field. As much of my job revolves around issue resolution, I see an opportunity to supplement the typical troubleshooting avenues such as the Oracle Knowledgebase and Oracle Forums with more pinpointed information about specific errors as they are encountered. Beware, the information found in this blog is for informational purposes only and comes without any warranty or guarantee of accuracy.

Thursday, December 1, 2016

Keep Your Hyperion Platform Secure by Patching WebLogic

One of the most often overlooked Hyperion administration tasks is patching the underlying components, such as WebLogic. If you subscribe to Oracle's security vulnerability notifications, you will find that Critical Patch Updates (CPUs) are released frequently.

For instance, the October CPU release link is:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Searching for WebLogic will bring up a list of vulnerabilities addressed in this CPU cycle.

If you are curious you can search on the CVE number to get more details.

For instance,
CVE-2015-7501 stems from a bug in the Apache Commons library bundled inside WebLogic (and JBoss, etc.).
https://access.redhat.com/security/vulnerabilities/2059393

Looking back at the CPU article under WebLogic:

Following the link to the Oracle Support Note will require an Oracle Support Login. Once logged in, you can find the suggested patch:
WebLogic Server 10.3.6.0 home PSU 10.3.6.0.161018 Patch 23743997

It is always important to read the README file and all instructions that go along with the patch. Let's take a look at a typical example. Most often the process is twofold:
   1) uninstall any old patches
   2) apply the new patch using the bsu command (in WebLogic 10.3.x)

Some useful snippets from the README:
Oracle WebLogic Server Patch Set Update 10.3.6.0.161018 README
=========================================================

This README provides information about how to apply Oracle WebLogic Server
Patch Set Update 10.3.6.0.161018. It also provides information about reverting to
the original version.

Released: Oct, 2016

Smart Update Details of Oracle WebLogic Server Patch Set Update 10.3.6.0.161018
--------------------------------------------------------------------------

PATCH_ID - K25M
Patch number - 23743997

Preparing to Install Oracle WebLogic Server Patch Set Update 10.3.6.0.161018
-----------------------------------------------------------------------

- WebLogic Server Patch Set Update (PSU) can be applied on a per-domain basis
(or on a more fine-grained basis), Oracle recommends that PSU be applied on an installation-wide basis.
PSU applied to a WebLogic Server installation using this recommended practice
affect all domains and servers sharing that installation.
- Login as same "user" with which the component being patched is installed.
- Stop all WebLogic servers.
- Remove any previously applied WebLogic Server Patch Set Update and associated overlay patches

Installing Oracle WebLogic Server Patch Set Update 10.3.6.0.161018
-------------------------------------------------------------

- unzip p23743997_1036_Generic.zip to {MW_HOME}/utils/bsu/cache_dir or any local directory
Note: You must make sure that the target directory for unzip has required write and executable permissions for "user" with which the component being patched is installed.
- Navigate to the {MW_HOME}/utils/bsu directory.
- Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
Where, WL_HOME is the path of the WebLogic home

Reference: BSU Command line interface
http://docs.oracle.com/cd/E14759_01/doc.32/e14143/commands.htm

To verify the installed patch:

b) The following command is a simple way to determine the application of WebLogic Server PSU.

$ . $WL_HOME/server/bin/setWLSEnv.sh
$ java weblogic.version

In the following example output, 10.3.6.0.161018 is the installed WebLogic Server PSU.

WebLogic Server 10.3.6.0.161018 PSU Patch for BUG23743997

Translating this into actual commands:
cd Oracle\Middleware\utils\bsu\
bsu.cmd -remove -prod_dir=Oracle\Middleware\wlserver_10.3 -patchlist=UIAL
Checking for conflicts....
No conflict(s) detected
Removing Patch ID: UIAL..
Result: Success
bsu.cmd -install -prod_dir=\Oracle\Middleware\wlserver_10.3 -patch_download_dir=\Oracle\Middleware\utils\bsu\cache_dir -patchlist=K25M

Checking for conflicts....
No conflict(s) detected
Installing Patch ID: K25M..
Result: Success
Testing the patch...
Oracle\Middleware\wlserver_10.3\server\bin\setWLSEnv.cmd

CLASSPATH=....
PATH=...
Your environment has been set.
 >java weblogic.version
WebLogic Server 10.3.6.0.161018 PSU Patch for BUG23743997 TUE AUG 30 18:34:42 IST 2016
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050
Use 'weblogic.version -verbose' to get subsystem information
Use 'weblogic.utils.Versions' to get version information for all modules
Success! The 10.3.6.0.161018 version matches that of the README.
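
To repeat this final check across several servers, the `java weblogic.version` output can be compared against the PSU level named in the README. The following is an added example, not part of the original post or of Oracle's tooling; the function names are hypothetical, the two unpatched samples are constructed, and it assumes the output format shown above with the fifth version component being a YYMMDD date code.

```python
import re

# PSU line, e.g. "WebLogic Server 10.3.6.0.161018 PSU Patch for BUG23743997 ..."
PSU_LINE = re.compile(
    r"^WebLogic Server (\d+(?:\.\d+){3})\.(\d{6}) PSU Patch for BUG(\d+)\b")
# Base install line, e.g. "WebLogic Server 10.3.6.0  Tue Nov 15 ..."
BASE_LINE = re.compile(r"^WebLogic Server (\d+(?:\.\d+){3})\s")

# Output copied from the post above.
PATCHED = """\
WebLogic Server 10.3.6.0.161018 PSU Patch for BUG23743997 TUE AUG 30 18:34:42 IST 2016
WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050
"""
# Constructed samples: a server with no PSU, and one with an older PSU
# (BUG00000000 is a placeholder, not a real patch number).
UNPATCHED = "WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050\n"
OLDER = "WebLogic Server 10.3.6.0.160719 PSU Patch for BUG00000000 (constructed)\n" + UNPATCHED


def parse_version(output):
    """Return (base_version, [(base, datecode, bug), ...]) from the output."""
    base, psus = None, []
    for line in output.splitlines():
        line = line.strip()
        psu = PSU_LINE.match(line)
        if psu:
            psus.append((psu.group(1), int(psu.group(2)), psu.group(3)))
        elif BASE_LINE.match(line):
            base = BASE_LINE.match(line).group(1)
    return base, psus


def check_psu(output, required):
    """Classify output against a required PSU such as '10.3.6.0.161018'."""
    req_base, req_code = required.rsplit(".", 1)
    base, psus = parse_version(output)
    if base is None and not psus:
        return "UNKNOWN"   # command failed or output was not captured
    same_line = [p for p in psus if p[0] == req_base]
    if not same_line:
        return "MISSING"   # no PSU reported for this release
    newest = max(code for _, code, _ in same_line)
    # Assumption: the fifth component is a YYMMDD date code, so a larger
    # number means a later PSU.
    return "OK" if newest >= int(req_code) else "OUTDATED"


if __name__ == "__main__":
    for name, out in [("patched", PATCHED), ("unpatched", UNPATCHED), ("older", OLDER)]:
        print(name, check_psu(out, "10.3.6.0.161018"))
```

Anything other than OK means the server should be rechecked with bsu before it is considered patched.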
