What’s New in Oracle’s Critical Patch Advisory Notice

 Todd Thomsen, Manager – Client Success Managers

On Tuesday, October 15th, 2019 Oracle released their latest quarterly Critical Patch Update (CPU) Advisory notice for JD Edwards EnterpriseOne. For this quarter, there are several items that may have a direct effect on you and your JD Edwards solution. Items noted below are only the major, documented vulnerabilities; in many cases others exist. GSI works with our clients to apply the latest patch set for each of these items that affect your JD Edwards experience.

Change Assistant CVE-2017-5645 (risk rate of 9.8) is an older Common Vulnerabilities and Exposures (CVE) document but is newly introduced as affecting the JD Edwards EnterpriseOne Change Assistant. This CVE deals with vulnerabilities in Apache Log4j. This vulnerability, as it relates to JD Edwards, is tied to the Change Assistant. The version that is in place can be checked by launching the Change Assistant, going into the “Help” menu and choosing “About”. If the version is older than 4.0.1.1, the recommendation is to update the Change Assistant to the latest release.

JD Edwards EnterpriseOne Tools v9.2 has a series of CVE documents (CVE-2017-5645, CVE-2018-29362, CVE-2019-1559) that address “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools.”  These have all been identified in Tools Release (TR) 9.2.3.3 or older and are patched in TR 9.2.3.4 and newer.

JAVA 8 Update 221 has several CVEs (risk rate 6.8) and has been identified as having a vulnerability that can be exploited by using APIs in the specified component (i.e. through a web service which supplies data to the APIs). Oracle has patched this vulnerability in JAVA 8 Update 231.

  • Note: If both JAVA 8 and JAVA 7 are present on a server and you are using Tools Release 9.2.0.0 or newer, GSI recommends that you redirect all JD Edwards servers to JAVA 8 and remove JAVA 7.

JAVA 7 Update 231 has several CVEs (risk rate 6.8) and has been identified as having the same vulnerability as described above for JAVA 8 Update 221. Oracle has patched this vulnerability in JAVA 7 Update 241.

  • Note: If you are at Tools Release 9.1.5.10 or older, GSI recommends that you stay with JAVA 7.

WebLogic Server 12.2.1.3.0, 12.1.3.0, and 10.3.6.0 have all been identified in CVE-2019-2891 (risk rate 8.1) with, “Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.” and in CVE-2019-2890 (risk rate 7.2) with, “Easily exploitable vulnerability allows high privileged attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.”

JDeveloper and ADF 12.2.1.3.0, 12.1.3.0, 11.1.2.4.0, and 11.1.1.9.0 have all been identified in CVE-2019-2904 (risk rate 9.8) as having “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF.”  All of these releases have also been identified in CVE-2019-11358 (risk rate 6.1) to note that “jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.”
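To make the CVE-2019-11358 description concrete, the following is an added example (not code from the original post, from jQuery, or from Oracle): a minimal deep-extend that mirrors the pre-3.4.0 jQuery.extend(true, ...) behaviour, shown beside a hardened version that applies the same kind of key filtering jQuery 3.4.0 introduced. The JSON payload, the function names and the extra blocked keys are constructed for this illustration.

```javascript
// Added example: a stand-in for jQuery.extend(true, target, source), not
// jQuery's own code. It recurses into nested plain objects, which is where
// an enumerable "__proto__" key from untrusted JSON becomes dangerous.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every enumerable own key is copied, including
// "__proto__". For key "__proto__", target[key] is Object.prototype, so the
// recursion writes the attacker-supplied properties into Object.prototype
// and every object in the runtime inherits them.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendVulnerable(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened pattern: skip "__proto__" (the jQuery 3.4.0 fix) and, as an extra
// defensive choice of this example, "constructor" and "prototype"; only
// recurse into keys the target actually owns, never inherited ones.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function deepExtendHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (src === target) continue;
    if (isPlainObject(src)) {
      const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepExtendHardened(existing, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse yields an own enumerable
// "__proto__" key; an object literal {__proto__: ...} would not.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the payload into a fresh object and check whether an unrelated
// object picked up the injected property; cleans up so runs are independent.
function demonstrate(extendFn) {
  const config = extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true; // true only if Object.prototype was polluted
  delete Object.prototype.isAdmin;
  return { theme: config.theme, leaked };
}
```

Running `demonstrate(deepExtendVulnerable)` reports `leaked: true`, while `demonstrate(deepExtendHardened)` keeps the legitimate `theme` value and reports `leaked: false`.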

BI Publisher (formerly XML Publisher) 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0 (risk rate 8.2) have been identified in CVE-2019-2906 with, “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher (formerly XML Publisher) accessible data as well as unauthorized update, insert or delete access to some of BI Publisher (formerly XML Publisher) accessible data.”  Patch sets for BI Publisher are expected to be available on October 31st, 2019.

Here is some additional information, as it relates to WebLogic and the lifetime support policy released by Oracle effective September 2019:

Product/Release             Premier Support Ends/Ended    Extended Support Ends/Ended
WebLogic Server 10.3.x      December 2018                 December 2021
WebLogic Server 12.1.x      December 2017                 December 2019
WebLogic Server 12.2.x      August 2022                   August 2025

In order to obtain and apply the latest patch set for each WebLogic release it is necessary to be at the latest update for each WebLogic release.

  • WebLogic Server 12.2.1.3.0 is the latest update needed in order to get the newest patch set for 12.2.x (Certified with TR 9.2.2.0 or newer)
  • WebLogic Server 12.1.3.0 is the latest update needed in order to get the newest patch set for 12.1.x (Certified with TR 9.1.5.0 or newer)
    • Additional Note – Q3 2019 is the last quarter in which patches will be provided for WebLogic Server 12.1.x
  • WebLogic Server 10.3.6.0 is the latest update needed in order to get the newest patch set for 10.3.x (Certified with TR 9.1.3.x through 9.2.2.x)

To find about GSI’s products or services including JDE project consulting services, managed services, upgrade services, cloud services, and more, call us at 855-GSI-4ERP or click on CONTACT US to send us a request for more information.
