Monthly Archives: October 2017

Updating Oracle EPM (Hyperion) for Struts RCE Vulnerability

October 11, 2017

Author: Andy Tauro, Performance Architects

It is hard to not have heard of the Apache Struts vulnerability that affected major websites, including those of Equifax. When this happened, IT support teams scrambled to check their environments and to apply fixes as quickly as they could be found. Our customers running Oracle EPM (Hyperion) (as well as Oracle Business Intelligence Enterprise Edition or OBIEE) on-premise inquired about how to address this as well.

From what we can tell, certain Oracle EPM components use Struts via the WebLogic Application Server (WAS or WLS) 10.3.6 platform. While WAS 10.3.6 comes bundled with Struts 1.x & 2.x, it looks like Oracle EPM only uses Struts 1.x. Although this particular version of Struts has not been named in the vulnerability that took the world by storm, Oracle released a fix for WebLogic that updates the version of Struts via a Smart Update (SU) patch.

The patch (26835212) updates the Struts version in WebLogic 10.3.6 to 1.3.9 and 2.3.34. We have applied this over the last security Patch Set Update (PSU) that Oracle released (25869650, in July 2017). To apply this, one would use the BSU utility that is available in the “Middleware Home” directory ({MW_HOME}/utils/bsu). The general steps for this are:

  1. Stop the running EPM services
  2. Extract the patch into the “{MW_HOME}/utils/bsu/cache_dir” directory
  3. From the location “{MW_HOME}/utils/bsu”, apply the patch as: “bsu.cmd/sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}”, where the patch ID for July 2017 PSU = B25A, for 25869650 = UZCY
  4. Delete “cache” and “tmp” directories for each WebLogic Managed Server that runs Oracle EPM services
    • These will be found in the location “{MW_HOME}/user_projects/domains/EPMSystem/servers”
  5. Restart Oracle EPM

One important note: “MW_HOME” equals “Middleware Home” and “WL_HOME” equals “WebLogic Home” (usually “{MW_HOME}/wlserver_10.3”). Also, these steps apply primarily to Oracle EPM Version 11.1.2.4.
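Steps 3 and 4 above as a reviewable script; this is an added example, not part of the original post or any Oracle tooling. The function names are hypothetical, the script assumes every directory under “servers” should be cleaned, and it only prints the bsu command line for review rather than running it.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Step 3: print the bsu command line for one patch ID, using only the options
# quoted in the post. $2 is the full WebLogic home path, for example
# "$MW_HOME/wlserver_10.3". Printing first lets the change be reviewed.
bsu_install_cmd() (
  mw_home=$1; wl_home=$2; patch_id=$3
  [ -d "$mw_home/utils/bsu" ] || { echo "no bsu under $mw_home" >&2; exit 1; }
  printf '%s -install -patch_download_dir=%s -patchlist=%s -prod_dir=%s\n' \
    "$mw_home/utils/bsu/bsu.sh" "$mw_home/utils/bsu/cache_dir" \
    "$patch_id" "$wl_home"
)

# Step 4: remove only "cache" and "tmp" under each server directory.
# Mode "dry-run" (default) lists what would go; mode "delete" removes it.
# Assumption: every directory under servers/ is a server to clean.
# Prints one line per affected directory.
clean_server_caches() (
  servers_dir=$1; mode=${2:-dry-run}
  # Guard against a mistyped or empty path before any rm -rf.
  case $servers_dir in
    */servers) ;;
    *) echo "refusing: $servers_dir does not end in /servers" >&2; exit 1 ;;
  esac
  [ -d "$servers_dir" ] || { echo "missing: $servers_dir" >&2; exit 1; }
  for server in "$servers_dir"/*/; do
    [ -d "$server" ] || continue
    for sub in cache tmp; do
      target=${server}${sub}
      # Skip absent directories and symlinks; logs and data are never touched.
      [ -d "$target" ] && [ ! -L "$target" ] || continue
      if [ "$mode" = delete ]; then rm -rf -- "$target"; fi
      echo "$target"
    done
  done
)
```

Run `clean_server_caches` in its default dry-run mode first and compare the listed directories with the servers that were actually stopped in step 1.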

At this time, we have run basic tests on the various Hyperion modules and have not seen any issues. We are working with our clients to perform more thorough health checks, since every environment has some nuance that makes it unique and sometimes exposes an issue that was not thought about.

Are you thinking of applying this patch and have questions? Feel free to drop a note as we would love to hear from you and share notes on this.


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.

Oracle Essbase On-Premise versus Oracle Essbase Cloud Service

October 4, 2017

Author: Andrew Tauro, Performance Architects

By now you have most likely seen a lot of material (including posts on our blog) regarding how Essbase has moved to the cloud as Essbase Cloud Service (ESSCS), which is part of the new Oracle Analytics Cloud (OAC). You may still be wondering how the feature sets between the two versions of Essbase compare. The good news is that they compare very favorably.

Essbase Cloud Service offers the next generation of Essbase product functionality. It is deployed on WebLogic Application Server (WAS), with a Java-based Essbase Agent. This improves availability and monitoring capabilities via WAS, with most of the features of the old-school, C-based version of Essbase ported over.

The solutions are very similar, but also differ in some key areas. Similarities include:

  • Works with Smart View and other tools that connect to Essbase via the Essbase client toolkit or API, such as Oracle Data Integrator (ODI)
  • Supports transparent partitions
  • Supports both Block Storage Option (BSO) and Aggregate Storage Option (ASO) (see our blog post on what these options offer for your solution design)
  • Uses Location Aliases, Substitution Variables, Calculation Scripts, and load rules
  • Loads dimensions, data, or both via flat files or relational tables
  • Restricts access via firewall rules, SSL and VPN services

Differences include:

 

Essbase Cloud (ESSCS), while based on a mature product, has not been out for long. However, the product team has been working on releasing additional capabilities at a steady pace. Due to this, we expect some of these differences to disappear soon. In the very near future, ESSCS will open up Essbase as a solution to more customers, just like on-premise Essbase has been doing for years.

