Monday, September 25, 2017

Apply CVE-2017-9805 today - updated top of post

Update:  Please scroll through the comments and review the comment posted by user cjratliff on October 4, 2017 at 3:02 PM.  He has posted a tip about Oracle Knowledge Base article # 2255054.1 and a response from Oracle Support that I have yet to receive on my SR.  Ugh!!!  This stuff is a nightmare to navigate. Thank you, cjratliff .
There was a bit of buzz on the Internet a few weeks ago concerning a zero-day exploit discovered within Apache Struts 2.  I did some sleuthing around in my EPM on-premises lab and found evidence of Struts within several WebLogic processes (Calculation Manager, EPM Foundation, and more).

This past Friday, September 22, Oracle issued a Security Alert they've named CVE-2017-9805.  This includes a fix for Apache Struts 2 within WebLogic 10.3.6, which every EPM and system on the face of the planet uses behind the scenes.

The patch number to download for WebLogic 10.3.6 is 26835212.

The procedure to apply this patch is different from how we normally apply EPM patches.  On each server in the environment where you have a folder named \Oracle\Middleware\wlserver_10.3, you will want to edit this file:



Modify the MEM_ARGS line to be as so:

set MEM_ARGS=-Xms2048m -Xmx2048m

If you don't do this, the patch utility runs for a long time and then fails with an OutOfMemory exception error.

Next, copy the unzipped contents of the patch into this folder:


You would then shutdown EPM web services and execute the bsu script you edited earlier, and examine the output.

I  would take things 1 step further and blow away the /cache and /tmp folders for each WebLogic Managed Server underneath \Oracle\Middleware\user_projects\domains\EPMSystem\servers

Stay safe out there!

Update: I recommend using the command-line patch interface rather than the graphical interface. On a 4.0GHz machine with solid state disk, it takes 12 minutes just for the GUI to render. Another 12 minutes to process the patch after you are given the opportunity to click. With the command-line interface, you can eliminate the first 12 minutes.

Also, this patch has a conflict with the April 2017 critical patch "RVBS". RVBS needs to be rolled back first. This adds another 12 minutes.