Tag Archives: EPM On Premise

ZeroLogon Vulnerability and EPM On-Premises and Cloud

I don’t normally write about Microsoft vulnerabilities and related patches, but this one is important for all Oracle EPM/Hyperion instances…whether on-premises or in Oracle’s EPM SaaS Cloud.

A little background: Vulnerabilities are ranked on a score from 0.1 to 10.0. What I’m about to discuss here is a 10.0, which is the most dangerous score.

The official designation of this particular critter is “CVE-2020-1472”. Independent security research firms, such as Secura, refer to it as ZeroLogon. Microsoft issued a patch for it in August 2020’s “Patch Tuesday”, but the extent of the problem wasn’t fully known at the time. If you want to read the gory details, you can check out Secura’s white paper on the subject. I’ll summarize, in brief:

The vulnerability allows anyone having access to the network to become a Windows Domain Administrator. You don’t even need network credentials if you stroll into the office and plug a device into an Ethernet port. Remote workers, of course, often have the access required. The point being that once the attacker runs the exploit and elevates himself to a domain admin or creates a new domain admin account with a known password, he can cause all sorts of mischief with far-reaching consequences throughout the organization.

Now let’s talk about EPM, starting with on-premises and then moving on to Oracle’s EPM SaaS Cloud (PBC, FCC, etc).

Microsoft Active Directory (“MSAD”) is ubiquitous within the on-premises EPM space. The vast majority of EPM implementations I’ve supported, installed, or health-checked use MSAD for end-user authentication. Hyperion Shared Services and the various EPM components connect to a Windows Domain Controller in order to authenticate end-user login attempts.

Disclaimer: the following paragraph contains theoretical conjecture. We won’t know the effects for sure until an unpatched system is attacked.

Our fictional attacker, who exploits ZeroLogon, can completely break this. Worse, the attacker could kick the EPM servers out of the domain, making it hard to hop on the EPM servers and troubleshoot why nobody can log in.

I have worked with a few customers who use alternatives to Microsoft for end-user authentication, such as Novell eDirectory or other LDAP solutions. By and large, though, there can be a Microsoft Windows Domain lurking somewhere within the network.

The key takeaway here is that EPM system stakeholders should inquire with the IT department and confirm the Domain Controllers have had the August 2020 Microsoft patches applied. I’ve noticed it is a mixed bag “out in the wild”; some organizations patch immediately, while others lag behind…especially during financial Quarter-End or Year-End change freezes.

Now let’s talk Cloud briefly.

Oracle’s EPM SaaS Cloud products for Consolidation, Planning, Account Rec, etc. all share one thing in common: EPMAutomate.

EPMAutomate is the Cloud’s command-line utility used for a variety of tasks: upload data to the Cloud, run it through Data Management, fire off Calculation Rules, download reports and audit logs, and more. EPMAutomate resides on a server under the customer’s control, either on-premises or in a hosted cloud such as AWS, Azure, OCI, etc. The vast majority of EPMAutomate implementations I’ve seen happen to sit on MS Windows servers. (It can be hosted on Linux, and sometimes I witness that variation.)

If EPMAutomate is hosted on MS Windows, and that machine happens to be joined to the MS Windows Domain…well, there’s a possibility your EPM Cloud automation might stop working someday if an intruder bricks your network account or kicks the EPMAutomate host server out of the domain. (Again, I use the word possibility until we see the fallout when it eventually happens.)

2020 has been an awful year thus far, so please do your part not to make it…awful-er. Insist your network domain controllers get patched for “CVE-2020-1472”, included in August 2020 Microsoft Patch Tuesday.
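One way to back up that conversation with IT, as an added example that is not part of the original post: the PowerShell below triages the Netlogon System-log events Microsoft documents for CVE-2020-1472 (IDs 5827 to 5831) and flags any that name an EPM or EPMAutomate host. The host names (`DC01.example.test`, `EPMAUTO01`, `EPMFND01`) and the sample records are constructed for illustration.

```powershell
# Added example, not from the original post. Host names and sample events are constructed.
# Event IDs 5827-5831 are the Netlogon System-log events Microsoft documents for CVE-2020-1472.
$NetlogonEventMap = @{
    5827 = 'Denied: vulnerable secure channel connection, machine account'
    5828 = 'Denied: vulnerable secure channel connection, trust account'
    5829 = 'Allowed: vulnerable secure channel connection (enforcement not yet on)'
    5830 = 'Allowed by Group Policy exception: machine account'
    5831 = 'Allowed by Group Policy exception: trust account'
}

function Get-NetlogonChannelFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Record,   # Get-WinEvent output or equivalent objects
        [string[]] $WatchedHost = @()                # EPM / EPMAutomate host names to highlight
    )
    foreach ($r in $Record) {
        $id = [int]$r.Id
        if (-not $NetlogonEventMap.ContainsKey($id)) { continue }   # ignore unrelated events
        $named = @($WatchedHost | Where-Object { $r.Message -match [regex]::Escape($_) })
        [pscustomobject]@{
            Time             = $r.TimeCreated
            DomainController = $r.MachineName
            EventId          = $id
            Meaning          = $NetlogonEventMap[$id]
            EpmHost          = $named -join ','
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (message text abbreviated).
$sample = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = [datetime]'2020-09-21T08:14:00'; MachineName = 'DC01.example.test'
                       Message = 'Machine SamAccountName: EPMAUTO01$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 5827; TimeCreated = [datetime]'2020-09-21T08:20:00'; MachineName = 'DC01.example.test'
                       Message = 'Machine SamAccountName: LEGACYNAS$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2020-09-21T08:21:00'; MachineName = 'DC01.example.test'
                       Message = 'Unrelated service state change' }
)

$findings = Get-NetlogonChannelFinding -Record $sample -WatchedHost 'EPMAUTO01', 'EPMFND01'
$findings | Sort-Object Time | Format-Table -AutoSize
$findings | Where-Object EpmHost | ForEach-Object {
    Write-Warning "EPM host $($_.EpmHost) named in Netlogon event $($_.EventId) on $($_.DomainController)"
}

# Live use: replace $sample with events read from each domain controller, for example
# Get-WinEvent -ComputerName 'DC01.example.test' -ErrorAction SilentlyContinue `
#     -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831 }
```

These event IDs only exist on domain controllers that have the August 2020 update or later, so an empty result on its own does not show that a controller is patched.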

That’s it for this post, but if you’re looking for more reading on EPM 11.2, be sure to check out my white paper, “It’s the Eleventh Hour for Hyperion 11.1.2.4 — Here’s What to Do.”

Cross-posted from EPM On-Prem Pro. Read the original post here.

 

The post ZeroLogon Vulnerability and EPM On-Premises and Cloud appeared first on Datavail.

Essbase Patch Set Update 11.1.2.4.033 is Available

The Hyperion Product Management recently advised the release of Patch Set Updates (PSU) for Oracle Hyperion Essbase 11.1.2.4.x.

These PSU downloads are available from the My Oracle Support > Patches & Updates section.

Hyperion Essbase Server 11.1.2.4.033

Hyperion Essbase Client 11.1.2.4.033

Hyperion Analytic Provider Services 11.1.2.4.033

 

RECOMMENDATIONS:

Caution: Oracle recommends using the same version of all Essbase portfolio products (Essbase, Essbase Administration Services, Hyperion Provider Services, and Essbase Studio) and components (server, client, runtime client, API, and JAPI). When only some Essbase portfolio products are included in a patch release, the last released versions of the products that are not included in the patch are supported.

Essbase Administration Services 11.1.2.4.031, Provider Services 11.1.2.4.033, and Essbase Studio 11.1.2.4.031 are supported for use with Essbase 11.1.2.4.033.

Recommendation: After you apply a patch within the same release codeline, Oracle recommends as a best practice that you export the data from your databases, clear the data from the databases, and then reload the data.

README FILE:
Refer to the Readme files prior to proceeding with these PSU implementations for important information that includes the supported paths per component, along with a full list of the defects fixed, additional support information, prerequisites, details for applying the patch, and troubleshooting FAQs.

It is important to ensure that the requirements and support paths to this patch are met as outlined within the Readme file.
The Readme file is available from the Patches & Updates download screen for each of the Hyperion Essbase components.

Why not share your experience about installing this patch ...

In the MOS | Patches & Updates screen for the relevant patch, simply click "Start a Discussion" and submit your review.

The patch install reviews and other patch-related information are available within the My Oracle Support Communities.

Visit the Oracle Hyperion EPM sub-space: Hyperion Patch Reviews
 

For questions specific to Hyperion Essbase ...

The My Oracle Support Community "Hyperion Essbase" is the ideal first stop to seek & find product specific answers.

 

To locate the latest Essbase Patch Sets and Patch Set Updates at any time, visit the My Oracle Support (MOS) Knowledge Article:

Available Patch Sets and Patch Set Updates for Oracle Hyperion Essbase Doc ID 1396084.1

 

DOCUMENTATION:

Oracle Help Center provides the Enterprise Performance Management (EPM) 11.1.2.4 documentation, with the guides including Deployment & Installation, Best Practices, Accessibility Guides and more.

The Hyperion Essbase 11.1.2.4 product-specific guides are located within the Oracle Applications - Enterprise Performance Management tab:

Oracle Help Center | Oracle EPM System Documentation

Oracle Hyperion Financial Reporting 11.1.2.4.711 is Available

Hyperion Product Management have advised the release of a Patch Set Update (PSU) for Oracle Hyperion Financial Reporting 11.1.2.4.x.
Hyperion Financial Reporting PSU 11.1.2.4.711
Patch 29712951

This PSU is available from the My Oracle Support > Patches & Updates section.

This is a patch set update (PSU). This patch set update is a partial installation. It replaces files in the existing installation, and does not require a full installation. This patch set update is cumulative and does include fixes from previous patches.

This PSU can be applied to Financial Reporting (FR) releases:
  • 11.1.2.4.000
  • 11.1.2.4.003 (PSU 20785710)
  • 11.1.2.4.004 (PSU 21479554)
  • 11.1.2.4.005 (PSU 22018419)
  • 11.1.2.4.006 (PSU 22462544)
  • 11.1.2.4.700
  • 11.1.2.4.701 (PSU 23009997)
  • 11.1.2.4.702 (PSU 23557946)
  • 11.1.2.4.703 (PSU 24311587)
  • 11.1.2.4.704 (PSU 24466619)
  • 11.1.2.4.705 (PSU 25360176)
  • 11.1.2.4.706 (PSU 25852714)
  • 11.1.2.4.707 (PSU 26386614)
  • 11.1.2.4.708 (PSU 26822490)
  • 11.1.2.4.709 (PSU 27290291)
  • 11.1.2.4.710 (PSU 28508169)

Defects Fixed:

  • Refer to the readme for the full list

Be sure to review the Readme file prior to proceeding with this PSU implementation for important information that includes prerequisites, details for applying the patch, troubleshooting FAQs and additional support information.

The Readme file is available from the Patches & Updates download screen.

Share your experience about installing this patch ...

In the MOS | Patches & Updates screen for Oracle Hyperion FR Patch 29712951, click "Start a Discussion" or "Reply to Discussion" and submit your review.

The patch install reviews and other patch-related information are available within the My Oracle Support Communities. Visit the Oracle Hyperion EPM sub-space:

Hyperion Patch Reviews

For questions specific to Hyperion Financial Reporting ...

The My Oracle Support Community "Hyperion Reporting Products" is the ideal first stop to seek & find product specific answers:

 Hyperion Reporting Products

 

EPM Patch Set Updates – May 2019

The following are the Enterprise Performance Management (EPM) Patch Set Updates (PSU) released last month (May 2019).

The "Patch" ID links will access the patch directly for download from "My Oracle Support" (login required).

Hyperion Product  Link There were no posts this month.             Link

 

Oracle Smart View for Office  Link Oracle Smart View for Office 11.1.2.5.900 is available Link

 

Note:

  • Some patches listed may have been released a few days outside of the stated month.
  • Be sure to review the related Readme files available per Patch Set Update.
  • For the latest Enterprise Performance Management Patch Set Updates visit Oracle Hyperion EPM Products [ Doc ID 1400559.1 ]

To view the patches released over previous months visit the earlier Blog posts:

Oracle Smart View for Office 11.1.2.5.900 is available

Hyperion Product Management recently advised the release of a Patch Set Update (PSU) for Oracle Smart View for Office 11.1.2.5.x

Patch Set Update: 11.1.2.5.900 Oracle Smart View for Office Patch 29637209

 

This PSU download is available from the My Oracle Support | Patches & Updates section.

This document includes important, late-breaking information about this release of Oracle Smart View for Office. Review the Readme thoroughly before installing Smart View.

About the New Features in this Release

This section includes new features in Release 11.1.2.5.900.

To review the list of new features from earlier releases, use the Cumulative Feature Overview tool. This tool enables you to identify the products you own and your current implementation release. With a single click, the tool quickly produces a customized report of new feature descriptions. This tool is available here.

 

New Features:

  • About the New Features in this Release
  • EPM Cloud Features
  • Oracle Analytics Cloud - Essbase Features
  • Essbase and Oracle Analytics Cloud - Essbase Features
  • Oracle Enterprise Performance Reporting Cloud 19.05 Features
  • New Health Check Option: Browser Emulation Mode

README:

Refer to the Readme files for information pertaining to the above requirements. The Readme file should also be consulted prior to proceeding with the PSU implementation. This document contains important information that includes supported paths, implementation and configuration steps, a list of new features and defects fixed, along with additional support information.

It is important to ensure that the requirements and support paths to this patch are met as outlined within the Readme file.

The Readme file is available from the Patches & Updates download screen.

More Information:
  • Available Patch Sets and Patch Set Updates for Oracle Hyperion Smart View for Office (Doc ID 2220997.1)
  • Smart View Support Matrix and Compatibility FAQ (Doc ID 1923582.1)