Tag Archives: Obiee
Oracle Business Intelligence (OBI) Bundle Patch 12.2.1.0.161018 is Available
This is a Critical Patch Update (CPU) patch. The patch is cumulative and includes previous bundle + CPU patches. Before proceeding with this OBIEE Bundle Patch implementation and related downloads, refer to the Readme file for important information. It is important to verify that the requirements, installation instructions, support paths, notes, etc. for this patch are met as outlined within the Readme file.
The Readme file is available from the Patches & Updates download screen.
To locate the latest available patch information, visit the Knowledge Article: OBIEE 12c: Required and Recommended Bundle Patches and Patch Sets. For an introduction to OBIEE Suite Bundle Patches, which includes information on the bundle patch lifecycle, availability, and version names, refer to Knowledge Article: OBIEE Suite Bundle Patches. In addition, you may want to familiarize yourself with a new document that has been created: Patch Set Update and Critical Patch Update October 2016 Availability
To share your experience about installing this patch: in the MOS | Patches & Updates screen for OBIEE Patch 24695761, click "Start a Discussion" and submit your review. Have a question for OBIEE specifically? The My Oracle Support Community "OBIEE (MOSC)" is the ideal first stop to seek and find product-specific answers:
Oracle Business Intelligence (OBI) Bundle Patch 12.2.1.1.161018 is Available
This is a Critical Patch Update (CPU) patch. The patch is cumulative and includes previous bundle + CPU patches. Before proceeding with this OBIEE Bundle Patch implementation and related downloads, refer to the Readme file for important information. It is important to verify that the requirements, installation instructions, support paths, notes, etc. for this patch are met as outlined within the Readme file.
The Readme file is available from the Patches & Updates download screen.
To locate the latest available patch information, visit the Knowledge Article: OBIEE 12c: Required and Recommended Bundle Patches and Patch Sets. For an introduction to OBIEE Suite Bundle Patches, which includes information on the bundle patch lifecycle, availability, and version names, refer to Knowledge Article: OBIEE Suite Bundle Patches. In addition, you may want to familiarize yourself with a new document that has been created: Patch Set Update and Critical Patch Update October 2016 Availability
To share your experience about installing this patch: in the MOS | Patches & Updates screen for OBIEE Patch 24580495, click "Start a Discussion" and submit your review. Have a question for OBIEE specifically? The My Oracle Support Community "OBIEE (MOSC)" is the ideal first stop to seek and find product-specific answers:
Oracle Business Intelligence Enterprise Edition Suite Bundle Patch 11.1.1.9.161018 is Available
This is a Critical Patch Update (CPU). It is cumulative and includes all prior bundle and CPU patches. If you have not applied libOVD (Patch 21895214) to the oracle_common home, then you need to apply it for new installations. If you have already applied the patch, it is not necessary to apply it again. The instructions to apply the patches are contained in the readme file for Patch 24668000, which is the master patch, consisting of individual zip files:
The single patches are not available separately and should all be applied according to the readme. NOTE: Refer to the readme for the FULL list of instructions on how to install this bundle patch.
Before proceeding with this OBIEE Bundle Patch implementation and related downloads, refer to the Readme file for important information. It is important to verify that the requirements and support paths for this patch are met as outlined within the Readme file.
The Readme file is available from the Patches & Updates download screen.
To locate the latest available patch information, visit the Knowledge Article: OBIEE 11g: Required and Recommended Bundle Patches and Patch Sets. For an introduction to OBIEE Suite Bundle Patches, which includes information on the bundle patch lifecycle, availability, and version names, refer to Knowledge Article: OBIEE Suite Bundle Patches. In addition, you should familiarize yourself with this new document: Patch Set Update and Critical Patch Update October 2016 Availability
To share your experience about installing this patch: in the MOS | Patches & Updates screen for OBIEE Patch 24668000, click "Start a Discussion" and submit your review. Have a question for OBIEE specifically? The My Oracle Support Community "OBIEE (MOSC)" is the ideal first stop to seek and find product-specific answers:
OBIEE, Big Data Discovery, and ODI security updates – October 2016
Oracle release their "Critical Patch Update" (CPU) notices every quarter, bundling together details of vulnerabilities and associated patches across their entire product line. October's was released yesterday, with a few entries of note in the analytics & DI space.
Each vulnerability is given a unique identifier (CVE-xxxx-xxxx) and a score out of ten. The scoring uses a common industry-standard scale on the basis of how easy it is to exploit, and what is compromised (availability, data, etc). Ten is the worst, and I would crudely paraphrase it as generally meaning that someone can wander in, steal your data, change your data, and take your system offline. Lower than that and it might be that it requires extensive skills to exploit, or the impact may be much lower.
A final point to note is that the security patches that are released are not available for old versions of the software. For example, if you're on OBIEE 11.1.1.6 or earlier, and it is affected by the vulnerability listed below (which I would assume it is), there is no security patch. So even if you don't want to update your version for the latest functionality, staying within support is an important thing to do and plan for. You can see the dates for OBIEE versions and when they go out of "Error Correction Support" here.
If you want more information on how Rittman Mead can help you plan, test, and carry out patching or upgrades, please do get in touch!
The vulnerabilities listed below are not a comprehensive view of an Oracle-based analytics/DI estate - things like the database itself, along with WebLogic Server, should also be checked. See the CPU itself for full details.
Big Data Discovery (BDD)
- CVE-2015-3253
- Affected versions: 1.1.1, 1.1.3, 1.2.0
- Base score: 9.8
- Action: upgrade to the latest version, 1.3.2. Note that the upgrade packages are on Oracle Software Delivery Cloud (née eDelivery)
OBIEE
- CVE-2016-2107
- Affected versions: 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0
- Base score: 5.9
- Action: apply bundle patch 161018 for your particular version (see MoS doc 2171485.1 for details)
BI Publisher
- CVE-2016-3473
- Affected versions: 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
- Base score: 7.7
- Action: apply patch per MoS doc 2171485.1
ODI
-
- Affected versions: 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
- Base score: 5.7
- The getInfo() ODI API could be used to expose passwords for data server connections.
- More details in MoS doc 2188855.1
-
- Affected versions: 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
- Base score: 3.1
- This vulnerability documents the potential that a developer could take the master repository schema credentials and use them to grant themselves SUPERVISOR access. Even using the secure wallet, the credentials are deobfuscated on the local machine and therefore a malicious developer could still access the credentials in theory.
- More details in MoS doc 2188871.1