Monday, September 21, 2020

If you could be Dave Shay for a day...

No, I don't wish this on anyone.

But in seriousness, suppose you could set my speaking agenda. What would you want me to talk about?

ODTUG is looking for abstracts. Rather than throwing pasta at the wall, how about stuff you care about?

I only ask for no RCU.

Thursday, September 17, 2020

ZeroLogon Vulnerability and EPM On-Premises AND Cloud

I don't normally write about Microsoft vulnerabilities and related patches, but this one is important for all Oracle EPM / Hyperion instances... whether on-premises or in Oracle's EPM SaaS Cloud.

A little background.  Vulnerabilities are ranked on a score from 0.1 to 10.0.  What I'm about to discuss here is a 10.0, which is the most dangerous score.

The official designation of this particular critter is "CVE-2020-1472".  Independent security research firms, such as Secura, refer to it as ZeroLogon.

Microsoft issued a patch for it in August 2020's "Patch Tuesday", but the extent of the problem wasn't fully known at the time.

If you want to read the gory details, you can check out Secura's white paper on the subject.  I'll summarize in brief:

The vulnerability allows anyone having access to the network to become a Windows Domain Administrator.  You don't even need network credentials if you stroll into the office and plug a device into an Ethernet port.  Remote workers, of course, often have the access required. The point is that once the attacker runs the exploit and elevates himself to a domain admin, or creates a new domain admin account with a known password, he can cause all sorts of mischief with far-reaching consequences throughout the organization.

Now let's talk about EPM, starting with on-premises and then moving on to Oracle's EPM SaaS Cloud (PBC, FCC, etc.).

Microsoft Active Directory ("MSAD") is ubiquitous within the on-premises EPM space.  The vast majority of EPM implementations I've supported, installed, or health checked use MSAD for end-user authentication.  Hyperion Shared Services and the various EPM components connect to a Windows Domain Controller in order to authenticate end-user login attempts.

Disclaimer: the following paragraph contains theoretical conjecture.  We won't know the effects for sure until a non-patched system is attacked.

Our fictional attacker who exploits ZeroLogon can completely break this.  Worse, the attacker could kick the EPM servers out of the domain, making it hard to hop on the EPM servers and troubleshoot why nobody can log in.

I have worked with a few customers who use alternatives to Microsoft for end-user authentication, such as Novell eDirectory or other LDAP solutions.  By and large, though, a Microsoft Windows Domain is still lurking somewhere within the network.

The key takeaway here is EPM system stakeholders should inquire with the IT department and confirm the Domain Controllers have had the August 2020 Microsoft patches applied.  I've noticed it is a mixed bag "out in the wild"; some organizations patch immediately, while others lag behind... especially during financial Quarter-End or Year-End change freezes.
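As an added example (not from the original post), here is a PowerShell sketch a defender could run to answer that question for every domain controller in the domain rather than taking IT's word for it. It assumes the ActiveDirectory module is available, that the account running it can query each DC remotely, and that you fill in the KB id for your DC operating system from Microsoft's August 2020 release notes (left as a placeholder here). The registry value and the Netlogon event IDs are the ones Microsoft documents for the CVE-2020-1472 enforcement changes.

```powershell
# Added example, not part of the original post.
# Assumptions: ActiveDirectory module present, remote rights on each DC,
# and $KbId filled in from Microsoft's August 2020 security update notes.
param(
    [string]$KbId = 'KB<fill-in-from-August-2020-release-notes>'   # placeholder
)

Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # 1. Is the August 2020 update present? (A later cumulative update supersedes
    #    it and may not list this KB id; checks 2 and 3 still apply in that case.)
    $hotfix  = Get-HotFix -ComputerName $dc -Id $KbId -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix

    # 2. Is Netlogon enforcement mode switched on? Microsoft documents
    #    FullSecureChannelProtection = 1 as "enforce secure RPC for all accounts".
    $enforce = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }

    # 3. Are any devices still using vulnerable Netlogon secure channel connections?
    #    A patched DC logs NETLOGON events 5827/5828 (denied) and 5829 (allowed during
    #    the initial deployment phase) in the System log for such connections.
    $vulnConns = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829
    } -MaxEvents 200 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $dc
        PatchInstalled   = $patched
        EnforcementMode  = ($enforce -eq 1)
        VulnerableConns  = ($vulnConns | Measure-Object).Count
    }
}
```

A DC that shows PatchInstalled false with no later cumulative update, or EnforcementMode false with 5829 events piling up, is the one to escalate to IT; the 5829 events also tell you which clients (EPM servers included) would break once enforcement is turned on.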

Now let's talk Cloud briefly.

Oracle's EPM SaaS Cloud products for Consolidation, Planning, Account Rec, etc. all share one thing in common: EPMAutomate.

EPMAutomate is the Cloud's command-line utility used for a variety of tasks: upload data to the Cloud, run it through Data Management, fire off Calculation Rules, download reports and audit logs, and more.  EPMAutomate resides on a server under the customer's control, either on-premises or in a hosted cloud such as AWS, Azure, OCI, etc.  The vast majority of EPMAutomate implementations I've seen happen to sit on MS Windows servers.  (It can be hosted on Linux, and sometimes I witness that variation.)

If EPMAutomate is hosted on MS Windows, and that machine happens to be joined to the MS Windows Domain... well, there's a possibility your EPM Cloud automation might stop working someday if an intruder bricks your network account or kicks the EPMAutomate host server out of the domain.  (Again, I use the word possibility until we see the fallout when it eventually happens.)

2020 has been an awful year thus far, so please do your part not to make it... awful-er.  Insist your network domain controllers get patched for "CVE-2020-1472", included in August 2020 Microsoft Patch Tuesday.


Hat tip: Penetration Tester Dustin Heywood

Adobe Flash Player EOL and On-Premises EPM 11.1.2.x.

If you are already live on Oracle EPM / Hyperion 11.2.x (you brave soul!) or in the Oracle EPM SaaS cloud, this post isn't for you.

EPM 11.1.2.3.500 through 11.1.2.4.x have dependencies upon Adobe Flash Player on the end-user side for Hyperion Calculation Manager and Hyperion Planning.  Hyperion Financial Close / Account Rec in 11.1.2.3 also uses Flash.

Adobe announced earlier that End Of Life for Flash Player is December 31, 2020.  Not far away now!

So let's review the scenarios for on-premises EPM:

  • For Hyperion Planning 11.1.2.4, patch 31365862 – 11.1.2.4.010 takes care of this.
  • For Hyperion Calculation Manager 11.1.2.4, patch 28557058 – 11.1.2.4.014 takes care of this.
  • For 11.1.2.3 and older, there is no solution other than upgrading or moving to the cloud.
  • For 11.2.0.0 and higher, the solution is already baked into the base release and there is no need to patch.

What does it mean if you don't patch before the deadline, or you're on an older release and can't patch at all?

Adobe has stated very clearly that the ability to download Flash Player will be removed once the support deadline of Dec 31, 2020 has passed.  Neither the latest version nor older versions will be available to download.  Furthermore, no new security patches will be issued.

I haven't seen this in writing, but expect Firefox to quickly flag the Flash Player extension as vulnerable in January 2021.  I wouldn't be surprised at all if the extension gets disabled without the option to re-enable it.

Adobe has further stated that a Flash Player installer downloaded from any 3rd party site will be considered "Unauthorized".

If you're on 11.1.2.4 and haven't applied the patches I mentioned above, my recommendation would be to patch and regression test now before you enter a fiscal 2020 4th Quarter change freeze.

There's an added benefit if you're working directly on a server for testing purposes. Flash Player often isn't installed on MS Windows Server 2012 and is hard to get.  The latest download page on Adobe's website flags your browser as coming from Windows 8 and shows a Knowledge Base article instead of letting you download the installer.  If you need to get into the Calculation Manager Rules or Variable designers, the browser wants to invoke Flash Player and the page hangs.  This exact issue hit me yesterday, which led me down the road of investigating these patches.

(A quick reminder to carefully read the patch READMEs for the 2 patches I listed.  Planning 11.1.2.4.010 contains a new optional application property, some files need to be copied over to the Financial Reporting server, and the CalcMgr patch needs to be installed on multiple machines in a typical distributed environment.)