Updating Oracle EPM (Hyperion) for Struts RCE Vulnerability

October 11, 2017

Author: Andy Tauro, Performance Architects

It is hard not to have heard of the Apache Struts vulnerability that affected major websites, including those of Equifax. When this happened, IT support teams scrambled to check their environments and to apply fixes as quickly as they could be found. Our customers running Oracle EPM (Hyperion) (as well as Oracle Business Intelligence Enterprise Edition or OBIEE) on-premises inquired about how to address this as well.

From what we can tell, certain Oracle EPM components use Struts via the WebLogic Application Server (WAS or WLS) 10.3.6 platform. While WAS 10.3.6 comes bundled with Struts 1.x and 2.x, it looks like Oracle EPM only uses Struts 1.x. Although this particular version of Struts has not been named in the vulnerability that caught the world by storm, Oracle released a fix for WebLogic that updates the version of Struts via a Smart Update (SU) patch.

The patch (26835212) updates the Struts version in WebLogic 10.3.6 to 1.3.9 and 2.3.34. We have applied this over the last security Patch Set Update (PSU) that Oracle released (25869650, in July 2017). To apply this, one would use the BSU utility that is available in the “Middleware Home” directory ({MW_HOME}/utils/bsu). The general steps for this are:

  1. Stop the running EPM services
  2. Extract the patch into the “{MW_HOME}/utils/bsu/cache_dir” directory
  3. From the location “{MW_HOME}/utils/bsu”, apply the patch as: “bsu.cmd/sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}” (patch ID for the July 2017 PSU = B25A, for 25869650 = UZCY)
  4. Delete the “cache” and “tmp” directories for each WebLogic Managed Server that runs Oracle EPM services
    • These will be found in the location “{MW_HOME}/user_projects/domains/EPMSystem/servers”
  5. Restart Oracle EPM

One important note: “MW_HOME” equals “Middleware Home” and “WL_HOME” equals “WebLogic Home” (usually “{MW_HOME}/wlserver_10.3”). Also, these steps apply primarily to Oracle EPM Version 11.1.2.4.
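As an added example (not part of the original post or an Oracle-supplied script), the steps above as a POSIX shell script for the Unix/Linux bsu.sh variant. It assumes MW_HOME, WL_HOME, the path to the downloaded patch zip and the BSU patch ID are supplied by the operator, and it adds one check the post does not mention: after the install, BSU's applied-patch listing (-view -status=applied) must show the patch ID before the server cache and tmp directories are cleared.

```shell
#!/bin/sh
# Added example (not from the post): steps 2-4 of the procedure above as a
# script for the Unix/Linux bsu.sh variant. Steps 1 and 5 (stopping and
# restarting the EPM services) are done with the EPM start/stop scripts.
# Assumed inputs: MW_HOME, WL_HOME, the patch zip path and the BSU patch ID
# (the post lists "B25A" and "UZCY"; take the ID from your patch download).

# Build the BSU install command line exactly as the post gives it.
build_bsu_cmd() {
    mw_home="$1"; wl_home="$2"; patch_id="$3"
    printf '%s/utils/bsu/bsu.sh -install -patch_download_dir=%s/utils/bsu/cache_dir -patchlist=%s -prod_dir=%s\n' \
        "$mw_home" "$mw_home" "$patch_id" "$wl_home"
}

# Step 4: remove "cache" and "tmp" under every managed server directory,
# printing each path removed so the run leaves a record.
clear_server_dirs() {
    servers_root="$1"
    for srv in "$servers_root"/*/; do
        [ -d "$srv" ] || continue
        for d in cache tmp; do
            if [ -d "$srv$d" ]; then
                rm -rf "$srv$d"
                echo "removed $srv$d"
            fi
        done
    done
}

apply_struts_patch() {
    mw_home="$1"; wl_home="$2"; patch_zip="$3"; patch_id="$4"
    cache_dir="$mw_home/utils/bsu/cache_dir"
    mkdir -p "$cache_dir"
    unzip -o -q "$patch_zip" -d "$cache_dir"                                   # step 2
    (cd "$mw_home/utils/bsu" && sh -c "$(build_bsu_cmd "$mw_home" "$wl_home" "$patch_id")") || return 1  # step 3
    # Post-patch check (not in the post): BSU's applied-patch listing must show the ID.
    "$mw_home/utils/bsu/bsu.sh" -view -status=applied -prod_dir="$wl_home" | grep -q "$patch_id" \
        || { echo "patch $patch_id not listed as applied" >&2; return 1; }
    clear_server_dirs "$mw_home/user_projects/domains/EPMSystem/servers"      # step 4
}

# Runs the full procedure only when explicitly requested, e.g.
#   RUN_PATCH=1 MW_HOME=/u01/Oracle/Middleware ./struts_patch.sh /tmp/p26835212.zip <PATCH_ID>
if [ "${RUN_PATCH:-0}" = "1" ]; then
    apply_struts_patch "$MW_HOME" "${WL_HOME:-$MW_HOME/wlserver_10.3}" "$1" "$2"
fi
```

Run it once per WebLogic host while the EPM services are stopped; the "removed ..." lines it prints are the record of which managed-server directories were cleared.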

At this time, we have run basic tests on the various Hyperion modules and have not seen any issues. We are working with our clients to perform more thorough health checks, since every environment has some nuance that makes it unique and sometimes exposes an issue that was not thought about.

Are you thinking of applying this patch and have questions? Feel free to drop a note as we would love to hear from you and share notes on this.
