IT security today is a constant game of staying ahead of those who choose to hunt down and exploit any vulnerability that exists. Security teams cannot afford to let their guard down because as systems get more versatile and complicated, the chances that vulnerabilities exist also increase. In most cases, one way to stay ahead is to be current on all security patches that the vendor issues for their products. While it may not be possible to make a site 100% secure, it is logical (as Spock would say) to update the product codebase to defeat known exploits, allowing the solution to stay secure at least a little while longer.
In a previous post, we described the process prescribed by Oracle to patch WebLogic Server (WLS or OWLS) for the Apache Struts vulnerability that impacted most major websites on the internet. Since WLS forms the foundation for Oracle EPM (Hyperion) and Analytics (Oracle BI Enterprise Edition) products, this was important to most, if not all, of our clients. Since then, Oracle has released Critical Patch Updates (CPUs) that include this fix, such as the latest ones released in February (27395085 – GFWX) and April (27453773 – 1PIK) 2018.
However, it has now come to light that the latest fixes do not necessarily prevent attackers from exploiting the vulnerability. While Oracle has not yet responded to this as of this writing, one may begin to question the need to apply these patches and choose to hold off on them. Keep in mind that this patch fixes more than just this vulnerability, and any further fix that Oracle releases will most likely be applied on top of it. This will be even more likely if Oracle chooses to issue an emergency Patch Set Exception (PSE), a one-off patch released to resolve an emergency until the fix can be rolled into the Patch Set Update (PSU) released on the regular release cycle.
As a result, our strong recommendation is to keep current with the patches, even if they don’t completely address this issue yet.
Need help with upgrading and patching your Oracle environment? Performance Architects offers a full suite of product upgrade, patching and production support services. Contact us at firstname.lastname@example.org for more information.