I don't normally write about Microsoft vulnerabilities and related patches, but this one is important for all Oracle EPM / Hyperion instances... whether on-premises or in Oracle's EPM SaaS Cloud.
A little background. Vulnerabilities are ranked on a CVSS score from 0.1 to 10.0. The one I'm about to discuss here is a 10.0, the most severe score possible.
The official designation of this particular critter is "CVE-2020-1472". Independent security research firms, such as Secura, refer to it as ZeroLogon.
Microsoft issued a patch for it in August 2020's "Patch Tuesday", but the extent of the problem wasn't fully known at the time.
If you want to read the gory details, you can check out Secura's white paper on the subject. I'll summarize in brief:
The vulnerability allows anyone having access to the network to become a Windows Domain Administrator. You don't even need network credentials if you stroll into the office and plug a device into an Ethernet port. Remote workers, of course, often have the access required. The point being that once the attacker runs the exploit and elevates himself to a domain admin, or creates a new domain admin account with a known password, he can cause all sorts of mischief with far-reaching consequences throughout the organization.
Now let's talk about EPM, starting with on-premises and then moving on to Oracle's EPM SaaS Cloud (PBC, FCC, etc.).
Microsoft Active Directory ("MSAD") is ubiquitous within the on-premises EPM space. The vast majority of EPM implementations I've supported, installed, or health checked use MSAD for end-user authentication. Hyperion Shared Services and the various EPM components connect to a Windows Domain Controller in order to authenticate end-user login attempts.
Disclaimer: the following paragraph contains theoretical conjecture.
We won't know the effects for sure until a non-patched system is
Our fictional attacker who exploits ZeroLogon can completely break this. Worse, the attacker could kick the EPM servers out of the domain, making it hard to hop on the EPM servers and troubleshoot why nobody can log in.
I have worked with a few customers who use alternatives to Microsoft for end-user authentication, such as Novell eDirectory or other LDAP solutions. By and large, though, even in those environments there can still be a Microsoft Windows Domain lurking somewhere within the network.
The key takeaway here is that EPM system stakeholders should inquire with the IT department and confirm the Domain Controllers have had the August 2020 Microsoft patches applied. I've noticed it is a mixed bag "out in the wild"; some organizations patch immediately, while others lag behind... especially during financial Quarter-End or Year-End change freezes.
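Asking IT is the right first step, but you can also gather your own evidence. The script below is an added example for this post, not something from the original article, Oracle or Microsoft. It runs from a domain-joined admin workstation and, for every Domain Controller in the current domain, looks for the Netlogon event IDs 5827 through 5831 that only exist once the August 2020 Netlogon update is installed, and reads the FullSecureChannelProtection registry value that switches the DC into enforcement mode. It assumes the RSAT ActiveDirectory module is installed and that you have remote event log and WinRM rights on the DCs; the function and variable names are my own.

```powershell
# Added example, not from the original post: audit the Domain Controllers in the
# current AD domain for evidence of the CVE-2020-1472 (ZeroLogon) Netlogon patch
# and for enforcement mode. Assumes the RSAT ActiveDirectory module, remote event
# log access, and WinRM (PowerShell Remoting) rights on each DC.
Import-Module ActiveDirectory

# Netlogon event IDs that are only logged by a patched DC (per Microsoft's CVE-2020-1472 guidance).
$NetlogonEventIds = @{
    5827 = 'Denied: vulnerable secure channel from a machine account'
    5828 = 'Denied: vulnerable secure channel from a trust account'
    5829 = 'ALLOWED: vulnerable secure channel (patch installed, enforcement not yet on)'
    5830 = 'Allowed by policy exception: machine account'
    5831 = 'Allowed by policy exception: trust account'
}

function Get-ZeroLogonPatchStatus {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $LookbackDays = 7
    )
    $since = (Get-Date).AddDays(-$LookbackDays)

    # FullSecureChannelProtection = 1 means the DC refuses every vulnerable Netlogon
    # connection (enforcement mode). Missing or 0 means it is still in deployment mode.
    $enforcement = Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                              -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
        if ($null -eq $p) { 'not set' } else { $p.FullSecureChannelProtection }
    }

    # Any 5827-5831 event in the System log proves the Netlogon update is present.
    # Get-WinEvent reports "no events found" as an error, so silence it.
    $events = @(Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'System'
        Id        = @($NetlogonEventIds.Keys)
        StartTime = $since
    })

    if ($events.Count -gt 0) {
        $patchEvidence = 'yes (Netlogon 5827-5831 events seen)'
    } else {
        $patchEvidence = 'inconclusive (no Netlogon events in window)'
    }

    # 5829 = a client still negotiating the weak handshake; these are the machines to fix
    # before enforcement mode is turned on, otherwise they will be locked out.
    $allowedVulnerable = @($events | Where-Object Id -eq 5829)
    $breakdown = ($events | Group-Object Id | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    [pscustomobject]@{
        DomainController  = $DomainController
        PatchEvidence     = $patchEvidence
        EnforcementMode   = $enforcement
        VulnerableAllowed = $allowedVulnerable.Count
        EventBreakdown    = $breakdown
    }
}

# Run against every DC in the domain and review the results in one table.
Get-ADDomainController -Filter * |
    ForEach-Object { Get-ZeroLogonPatchStatus -DomainController $_.HostName } |
    Format-Table -AutoSize
```

Read the result as evidence, not proof: a DC with no events in the window is inconclusive, because these events are only written when a vulnerable client actually connects, so a patched DC with no legacy clients looks the same as an unpatched one. For a definitive answer, confirm the installed update with Get-HotFix against the KB number Microsoft lists for that DC's Windows Server version (the KB differs per version and is not given in this post). A DC showing 5829 events is patched but still accepting the weak handshake from the listed clients; those should be fixed before FullSecureChannelProtection is set to 1, since enforcement mode will refuse them.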
Now let's talk Cloud briefly.
Oracle's EPM SaaS Cloud products for Consolidation, Planning, Account Rec, etc. all share one thing in common: EPMAutomate.
EPMAutomate is the Cloud's command-line utility used for a variety of tasks: upload data to the Cloud, run it through Data Management, fire off Calculation Rules, download reports and audit logs, and more. EPMAutomate resides on a server under the customer's control, either on-premises or in a hosted cloud such as AWS, Azure, OCI, etc. The vast majority of EPMAutomate implementations I've seen happen to sit on MS Windows servers. (It can be hosted on Linux, and sometimes I witness that variation.)
If EPMAutomate is hosted on MS Windows, and that machine happens to be joined to the MS Windows Domain... well, there's a possibility your EPM Cloud automation might stop working someday if an intruder bricks your network account or kicks the EPMAutomate host server out of the domain. (Again, I use the word "possibility" until we see the fallout when it eventually happens.)
2020 has been an awful year thus far, so please do your part not to make it... awful-er. Insist your network domain controllers get patched for "CVE-2020-1472", included in August 2020 Microsoft Patch Tuesday.
Hat tip: Penetration Tester Dustin Heywood