Feed aggregator

Updated WebLogic Server 12.1.3 Developer Zip Distribution

Steve Button - Thu, 2015-01-29 18:50
We've just pushed out an update to the WebLogic Server 12.1.3 Developer Zip distribution containing the bug fixes from a recent PSU (patch set update).

This is great for developers since it maintains the high quality of the developer zip distribution and the convenience it provides - avoids reverting to the generic installer to then enable the application of patch set updates.  For development use only.

Download it from OTN:

http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-for-dev-1703574.html

Check out the readme for the list of bug fixes:

http://download.oracle.com/otn/nt/middleware/12c/wls/1213/README_WIN_UP1.txt

Announcement: Become an Oracle Cloud expert!

Jean-Philippe Pinte - Thu, 2015-01-29 03:37
Do you want to advance your career?
Join one of our partners to become an expert in Oracle Cloud solutions!

Event: Oracle Virtual Cloud Summit

Jean-Philippe Pinte - Wed, 2015-01-28 16:08
4 online seminars:
  • Back up your Database securely to the Cloud
  • Move your Test & Development to the Cloud
  • Secure Document File-sync & share in the Cloud
  • Accelerate Application development in the Cloud
Register for the Oracle Virtual Cloud Summit event: http://cloud.oraclevirtualsummit.com

ERROR - CLONE-20372 Server port validation failed

Vikram Das - Wed, 2015-01-28 15:19
Alok and Shoaib pinged me about this error. This error is reported in logs when adcfgclone.pl is run for an R12.2.4 appsTier where the source and target instances are on the same physical server.

SEVERE : Jan 27, 2015 3:40:09 PM - ERROR - CLONE-20372   Server port validation failed.
SEVERE : Jan 27, 2015 3:40:09 PM - CAUSE - CLONE-20372   Ports of following servers - oacore_server2(7256),forms_server2(7456),oafm_server2(7656),forms-c4ws_server2(7856),oaea_server1(6856) - are not available.
SEVERE : Jan 27, 2015 3:40:09 PM - ACTION - CLONE-20372   Provide valid free ports.
oracle.as.t2p.exceptions.FMWT2PPasteConfigException: PasteConfig failed. Make sure that the move plan and the values specified in moveplan are correct

The ports reported are those in the source instance.  Searching on support.oracle.com bug database I found three articles:

EBS 12.2.2.4 RAPID CLONE FAILS WITH ERROR - CLONE-20372 SERVER PORT VALIDATION(Bug ID 20147454)

12.2: N->1 CLONING TO SAME APPS TIER FAILING DUE TO PORT CONFLICT(Bug ID 20389864)

FS_CLONE IS NOT ABLE TO COMPLETE FOR MULTI-NODE SETUP(Bug ID 18460148)

The situation described in the first two bugs is the same.  The articles reference each other but don't provide any solution.

Logically thinking, adcfgclone.pl is picking this up from source configuration that is in $COMMON_TOP/clone directory.  So we did grep on subdirectories of $COMMON_TOP/clone:

cd $COMMON_TOP/clone
find . -type f -print | xargs grep 7256

7256 is one of the ports that failed validation.

It is present in

CTXORIG.xml and
FMW/ohs/moveplan.xml
FMW/wls/moveplan.xml

We tried changing the port numbers in CTXORIG.xml and re-tried adcfgclone.pl and it failed again.

So we changed the port numbers of the ports that failed validation in

$COMMON_TOP/clone/FMW/ohs/moveplan.xml and
$COMMON_TOP/clone/FMW/wls/moveplan.xml

cd $FMW_HOME
find . -name detachHome.sh |grep -v Template

The above command returns the detachHome.sh scripts for all the ORACLE_HOMEs inside FMW_HOME.  Executed this to detach all of them.

Removed the FMW_HOME directory

Re-executed
adcfgclone.pl appsTier

It succeeded this time.  Till we get a patch for this bug, we will continue to use this workaround to complete clones.


Categories: APPS Blogs

Innovating with Middleware Platform

Anshu Sharma - Wed, 2015-01-28 13:01

I was recently discussing with a partner executive on how Oracle can help the ISV innovate. Decided to pen my thoughts here too -

1) WebLogic Innovation - WebLogic is our market leading App Server. The area which I would like to highlight is Exalogic. Seeing more and more cases where Telco, Financial Services, Govt solution providers are seeing business benefits of running their business critical application on Exalogic. With the upcoming launch of Exalogic Cloud Software 12c and already available X5-2 hardware, WebLogic performance on Exalogic will continue to get better. But more importantly partners would be able to get a simplified experience, similar to Oracle Public Cloud, on Exalogic as explained in this blog post.

2) Middleware Platform for Industry solutions - Oracle SOA Suite solves core integration challenges for Healthcare entities, Retailers/Manufacturers, Airlines etc. Oracle BPM allows you to design complex processes for Financial Services, Telcos, Public Sector etc. Oracle Event Processing allows you to analyze and act on data from a variety of devices (IoT) in Fast Data Solutions being deployed in Telcos (Mobile Data offloading, QoS Management), Transportation (Vehicle Monitoring), Retail (Real Time Coupons), Utilities (Smart Grids) etc. Partners providing process management and integration solutions for vertical industries can roll out innovations while keeping the lights running by deploying on Oracle Middleware Platform (SOA, BPM, OEP, WLS, Exalogic, Enterprise Manager).

3) Mobile Platform - Adoption of mobility in enterprises offers tremendous opportunities to ISVs. We asked one partner, RapidValue, to share their experience. In this writeup, RapidValue explains how they were able to use power of Oracle Mobile Platform to quickly bring to market a suite of Mobile Applications for Field Service, HRMS, Approvals, Order Management, Inventory Management, and Expense Management.

4) Public Cloud – In recent years the world of application development has adopted new methodologies, like Agile, that improve the quality and speed in which applications are delivered. Tools such as automatic build utilities combined with continuous integration platforms simplify the adoption of these new methodologies. These tools are available in Oracle Developer Cloud Service for every licensee of Java Cloud Service.

Making DevOps Business Driven - a service view

Steve Jones - Wed, 2015-01-28 08:59
I've been doing a bit recently around DevOps and what I've been seeing is that companies that have been scaling DevOps tend to run into a problem: exactly what is a good boundary for a DevOps team? Now I've talked before about how Microservices are just SOA with a new logo, well there is an interesting piece about DevOps as well, it's not actually a brand new thing.  It's an evolution and
Categories: Fusion Middleware

Updating a GitHub forked repository

Steve Button - Tue, 2015-01-27 17:27
Mostly a reminder to self but thought I'd post the link in case anyone else is looking for this.  More pointers the merrier.

Simple, straight forward steps to synchronise a forked repository with its upstream repository and keep it up to date.

https://help.github.com/articles/syncing-a-fork
Syncing a fork
Sync a fork of a repository to keep it up-to-date with the upstream repository.
 ...
Following these simple steps enables a forked repository to be easily and regularly updated with changes from the upstream repository. 

Up-to-date fork of the weblogic-docker repository

Take care to read the final tip in the guide that notes that the steps only update a local copy - the fetch and merge changes still need to be pushed back to the GitHub remote repository.
Tip: Syncing your fork only updates your local copy of the repository. To update your fork on GitHub, you must push your changes.

Indexing Points to Remember

Pakistan's First Oracle Blog - Mon, 2015-01-26 18:54
Indexing depends upon the queries in the application.

There is no one-size-fits-all break-even point for indexed versus table scan access. If only a few rows are being accessed, the index will be preferred.

If almost all the rows are being accessed, the full table scan will be preferred. In between these two extremes, your “mileage” will vary.

A concatenated index is more useful if it also supports queries where not all columns are specified. For instance SURNAME, FIRSTNAME is more useful than FIRSTNAME, SURNAME because queries against SURNAME only are more likely to occur than queries against FIRSTNAME only.

Global indexes provide better performance for queries that must span all partitions.
Categories: DBA Blogs

UPDATED: Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)

Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU).

On January 24, Oracle published additional information regarding this security issue in My Oracle Support Note 1964164.1.  Revoking of these privileges may cause “subtle timestamp corruptions” in the database unless database patch 19393542 is applied.

Integrigy has updated the information we provided on how to validate if this security flaw exists in your environment and how to remediate the issue based on the additional information provided by Oracle.  The remediation can be done without applying the January 2015 CPU, but requires the database patch to be applied first.

For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)".

Vulnerability, Oracle E-Business Suite, Security Analysis, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs
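
A read-only check for the condition this post describes, added here as an example; it is not Integrigy's or Oracle's published validation script. It assumes a session that can query DBA_TAB_PRIVS and treats SELECT as the only privilege PUBLIC is expected to hold on SYS.DUAL.

```sql
-- Added example (not from Integrigy or Oracle): dictionary-only check.
-- Assumption: SELECT is the only privilege PUBLIC should hold on SYS.DUAL;
-- anything else returned by query 1 is treated as excessive.

-- 1. Every object privilege PUBLIC holds on SYS.DUAL, with an assessment.
SELECT grantee,
       privilege,
       grantable,
       grantor,
       CASE privilege
         WHEN 'SELECT' THEN 'expected'
         ELSE 'EXCESSIVE'
       END AS assessment
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DUAL'
AND    grantee    = 'PUBLIC'
ORDER  BY assessment, privilege;

-- 2. Generate, for review only, the REVOKE statements for the excessive
--    grants. Nothing is executed here. As stated above, revoking before
--    database patch 19393542 is applied may cause timestamp corruption,
--    so confirm the patch is installed before running the generated output.
SELECT 'REVOKE ' || privilege || ' ON SYS.DUAL FROM PUBLIC;' AS remediation_sql
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DUAL'
AND    grantee    = 'PUBLIC'
AND    privilege <> 'SELECT'
ORDER  BY privilege;
```

If query 2 returns no rows, PUBLIC holds nothing beyond SELECT on SYS.DUAL and there is nothing to revoke.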

Deploying Application Express with Delphix

Steve Karam - Sat, 2015-01-24 14:31
VDBs

Seamless cloning of an application stack is an outstanding goal. Seamless cloning of an application stack including the full production database, application server, and webserver in a few minutes with next to zero disk space used or configuration required is the best goal since Alexander Graham Bell decided he wanted a better way to tell Mr. Watson to “come here.”

So in the spirit of discovery, I’ve installed Oracle REST Data Services (ORDS) 2.0 and Oracle Application Express (APEX) 4.2 to a source Oracle database environment in my home Delphix setup. I’m going to:

  1. Sync the ORDS binaries with Delphix as a file source
  2. Sync the APEX binaries with Delphix as a file source
  3. Sync the ORCL database with Delphix as a database source
  4. Provision a clone of the ORCL database to a target linux system as DBDEV
  5. Provision a clone of the ORDS and APEX binaries to the target system

Some of you may be scratching your head right now thinking “What is Delphix?” I’ve written a few words on it in the past, and Kyle Hailey has quite a bit of information about it along with other links such as Jonathan Lewis explaining Delphix at OOW14.

If you’re into the whole brevity thing, here’s a short summation: Delphix is a technology you can sync nearly any kind of source data into and provision on demand from any point in time to any target, near instantly and at the click of a button, all without incurring additional disk space. What that means for your business is incredibly efficient development, faster time to market, and improved application quality. And if you want to see this in action, you can try it for yourself with Delphix Developer Edition.

Let’s use Delphix to deploy APEX to a target system.

Step 1. A look at the source

On the source environment (linuxsource, 172.16.180.11) I have an 11.2.0.1 database called “orcl”.

ORCL Source Database

In the /u01/app/oracle/product directory are ./apex and ./ords, holding the APEX and ORDS installations respectively.

Source Products Directory

When ORDS is started, I am able to see the APEX magic by browsing to http://172.16.180.11:8080/apex and logging in to my InvestPLUS workspace. Here’s the pre-packaged apps I have installed:

Source System APEX Apps

Sweet. Let’s check out what I have set up in Delphix.

Step 2. Check out the Delphix Sources

You can see that I have the ORCL database (named InvestPLUS DB Prod), Oracle REST Data Services, and APEX homes all loaded into Delphix here:

Delphix Sources

When I say they’re loaded into Delphix, I mean they’ve been synced. The ORCL database is synced over time with RMAN and archive logs and compressed about 3x on the base snapshot and 60x on the incremental changes. The /u01/app/oracle/product/apex and /u01/app/oracle/product/ords directories have also been synced with Delphix and are kept up to date over time. From these synced copies we can provision one or more Virtual Databases (VDBs) or Virtual Files (vFiles) to any target we choose.

Step 3. Deploy

Provisioning both VDBs and vFiles is very quick with Delphix and takes only a few button clicks. Just check out my awesomely dramatized video of the provisioning process. For this demo, first I provisioned a clone of the ORCL database to linuxtarget (172.16.180.12) with the name DBDEV.

Provisioning DBDEV to the target

Next I provisioned a copy of the ORDS home to the target at the same location as the source (/u01/app/oracle/product/ords) with the name ORDS Dev:

ORDS Dev on the target

And lastly I provisioned a copy of the APEX home to the target at the same location as the source (/u01/app/oracle/product/apex) with the name APEX Dev:

APEX Dev on target

In hindsight I probably could have just synced /u01/app/oracle/product and excluded the ./11.2.0 directory to get both ORDS and APEX, but hey, I like modularity. By having them separately synced, I can rewind or refresh either one on my target system.

Here’s the final provisioned set of clones on the target (you can see them under the “InvestPLUS Dev/QA” group on the left nav):

Provisioned Clones

Step 4. Check out the target system

Let’s see what all this looks like on the target system. Looking at the /u01/app/oracle/product directory on the target shows us the same directories as the source:

Target directories

I’ve also got the DBDEV database up on the target:

DBDEV on the target

To give you a glimpse of how Delphix provisioned the clone, check this out. Here’s a “df -h” on the linuxtarget environment:

Linux Target df command

What this is showing us is that the APEX Home, ORDS Home, and DBDEV clone are all being served over NFS from Delphix (172.16.180.3). This is how Delphix performs a clone operation, and why we call it virtual: data is synced and compressed from sources into Delphix, and when you provision a clone Delphix creates virtual sets of files that are presented over the wire to the target system. You can think of Delphix as a backup destination for source databases/filesystems, and as network attached storage for targets. The clever bit is that Delphix uses the same storage for both purposes, with no block copies at all unless data is changed on the target VDBs or vFiles. Cool, right? On a side note and for the curious, Delphix can use dNFS as well for your Oracle VDBs.

Step 5. Reconfigure ORDS

On the source environment, ORDS is configured to connect to the ORCL database. On the target we’re going to the DBDEV database. So the one quick change we’ll need to make is to change the SID in the /u01/app/oracle/product/ords/config/apex/defaults.xml file.

[delphix@linuxtarget ords]$ vi config/apex/defaults.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>Saved on Wed Jan 14 08:38:04 EST 2015</comment>
<entry key="cache.caching">false</entry>
<entry key="cache.directory">/tmp/apex/cache</entry>
<entry key="cache.duration">days</entry>
<entry key="cache.expiration">7</entry>
<entry key="cache.maxEntries">500</entry>
<entry key="cache.monitorInterval">60</entry>
<entry key="cache.procedureNameList"/>
<entry key="cache.type">lru</entry>
<entry key="db.hostname">localhost</entry>
<entry key="db.password">@050784E0F3307C86A62BF4C58EE984BC49</entry>
<entry key="db.port">1521</entry>
<entry key="db.sid">DBDEV</entry>
<entry key="debug.debugger">false</entry>
<entry key="debug.printDebugToScreen">false</entry>
<entry key="error.keepErrorMessages">true</entry>
<entry key="error.maxEntries">50</entry>
<entry key="jdbc.DriverType">thin</entry>
<entry key="jdbc.InactivityTimeout">1800</entry>
<entry key="jdbc.InitialLimit">3</entry>
<entry key="jdbc.MaxConnectionReuseCount">1000</entry>
<entry key="jdbc.MaxLimit">10</entry>
<entry key="jdbc.MaxStatementsLimit">10</entry>
<entry key="jdbc.MinLimit">1</entry>
<entry key="jdbc.statementTimeout">900</entry>
<entry key="log.logging">false</entry>
<entry key="log.maxEntries">50</entry>
<entry key="misc.compress"/>
<entry key="misc.defaultPage">apex</entry>
<entry key="security.disableDefaultExclusionList">false</entry>
<entry key="security.maxEntries">2000</entry>
</properties>

Note the only line I had to change was this one: <entry key="db.sid">DBDEV</entry>

After the config change, I just had to start ORDS on the target:

[delphix@linuxtarget ords]$ java -jar apex.war
Jan 21, 2015 1:18:22 PM oracle.dbtools.standalone.Standalone execute
INFO: NOTE:

Standalone mode is designed for use in development and test environments. It is not supported for use in production environments.

Jan 21, 2015 1:18:22 PM oracle.dbtools.standalone.Standalone execute
INFO: Starting standalone Web Container in: /u01/app/oracle/product/ords/config/apex
Jan 21, 2015 1:18:22 PM oracle.dbtools.standalone.Deployer deploy
INFO: Will deploy application path = /u01/app/oracle/product/ords/config/apex/apex/WEB-INF/web.xml
Jan 21, 2015 1:18:22 PM oracle.dbtools.standalone.Deployer deploy
INFO: Deployed application path = /u01/app/oracle/product/ords/config/apex/apex/WEB-INF/web.xml
Jan 21, 2015 1:18:22 PM oracle.dbtools.common.config.file.ConfigurationFolder logConfigFolder
INFO: Using configuration folder: /u01/app/oracle/product/ords/config/apex
Configuration properties for: apex
cache.caching=false
cache.directory=/tmp/apex/cache
cache.duration=days
cache.expiration=7
cache.maxEntries=500
cache.monitorInterval=60
cache.procedureNameList=
cache.type=lru
db.hostname=localhost
db.password=******
db.port=1521
db.sid=DBDEV
debug.debugger=false
debug.printDebugToScreen=false
error.keepErrorMessages=true
error.maxEntries=50
jdbc.DriverType=thin
jdbc.InactivityTimeout=1800
jdbc.InitialLimit=3
jdbc.MaxConnectionReuseCount=1000
jdbc.MaxLimit=10
jdbc.MaxStatementsLimit=10
jdbc.MinLimit=1
jdbc.statementTimeout=900
log.logging=false
log.maxEntries=50
misc.compress=
misc.defaultPage=apex
security.disableDefaultExclusionList=false
security.maxEntries=2000
db.username=APEX_PUBLIC_USER
Jan 21, 2015 1:18:58 PM oracle.dbtools.common.config.db.ConfigurationValues intValue
WARNING: *** jdbc.MaxLimit in configuration apex is using a value of 10, this setting may not be sized adequately for a production environment ***
Jan 21, 2015 1:18:58 PM oracle.dbtools.common.config.db.ConfigurationValues intValue
WARNING: *** jdbc.InitialLimit in configuration apex is using a value of 3, this setting may not be sized adequately for a production environment ***
Using JDBC driver: Oracle JDBC driver version: 11.2.0.3.0
Jan 21, 2015 1:18:59 PM oracle.dbtools.rt.web.SCListener contextInitialized
INFO: Oracle REST Data Services initialized
Oracle REST Data Services version : 2.0.10.289.08.09
Oracle REST Data Services server info: Grizzly/1.9.49

Jan 21, 2015 1:18:59 PM com.sun.grizzly.Controller logVersion
INFO: GRIZZLY0001: Starting Grizzly Framework 1.9.49 - 1/21/15 1:18 PM
Jan 21, 2015 1:18:59 PM oracle.dbtools.standalone.Standalone execute
INFO: http://localhost:8080/apex/ started.

Step 6. Victory

With ORDS started, I’m now able to access APEX on my target and log in to see my applications.

APEX Login on Target

APEX Apps on Target

Conclusion (or Step 7. Celebrate)

The cloned ORDS and APEX homes on the target and the DBDEV database are 100% full clones of their respective sources; block for block copies if you will. No matter how big the source data, these clones are done with a few clicks and take only a few minutes, barely any disk space (in the megabytes, not gigabytes), and the clones can be refreshed from the source or rewound in minutes.

Delphix is capable of deploying not just database clones, but the whole app stack. Because Delphix stores incremental data changes (based on a retention period you decide), applications can be provisioned from any point in time or multiple points in time. And you can provision as many clones as you want to as many targets as you want, CPU and RAM on the targets permitting. All in all a fairly powerful capability and one I’ll be experimenting on quite a bit to see how the process and benefits can be improved. I’m thinking multi-VDB development deployments and a rewindable QA suite next!

The post Deploying Application Express with Delphix appeared first on Oracle Alchemist.

SQLCl - LDAP anyone?

Barry McGillin - Fri, 2015-01-23 09:02
Since we released our first preview of SDSQL, we've made a lot of changes to it and enhanced a lot of things too in there so it would be more usable.  One specific one was the use of LDAP which some customers on SQLDeveloper are using in their organisations as a standard and our first release precluded them from working with this.

Well, to add this, we wanted a way that we could specify the LDAP strings and then use them in a connect statement.  We introduced a command called SET LDAPCON for setting the LDAP connection.  You can set it like this at the SQL> prompt
 set LDAPCON jdbc:oracle:thin:@ldap://scl58261.us.oracle.com:389/#ENTRY#,cn=OracleContext,dc=ldapcdc,dc=lcom  

or set it as an environment variable
 (~/sql) $export LDAPCON=jdbc:oracle:thin:@ldap://scl58261.us.oracle.com:389/#ENTRY#,cn=OracleContext,dc=ldapcdc,dc=lcom  

Then you can come along and as long as you know your service name, we're going to swap out the ENTRY delimiter in the LDAP connection with your service.  We're working on a more permanent way to allow these to be registered and used so they are more seamless.

In the meantime, you can then connect to your LDAP service like this
 BARRY@ORCL>set LDAPCON jdbc:oracle:thin:@ldap://scl58261.us.oracle.com:389/#ENTRY#,cn=OracleContext,dc=ldapcdc,dc=lcom  
BARRY@ORCL>connect barry/oracle@orclservice_test(Emily's Desktop)
Connected
BARRY@PDBOH12>tables
Command=tables
TABLES
TEST

Here's a quick little video of it in action!  You can then use the 'SHOW JDBC' command to show what you are connected to.


This is the latest release which should be online soon, and you can download it from here.

Oracle Audit Vault - Remedy and ArcSight Integration

Remedy Ticket System Integration

Oracle Audit Vault 12c includes a standard interface for BMC Remedy ticketing systems.  You can configure the Oracle Audit Vault to connect to BMC Remedy Action Request (AR) System Server 7.x.  This connection enables the Oracle Audit Vault to raise trouble tickets in response to Audit Vault alerts. 

Only one Remedy server can be configured for each Oracle Audit Vault installation.  After the interface has been configured, an Audit Vault auditor needs to create templates to map and handle the details of the alert.  Refer to the Oracle Audit Vault Administrator’s Guide Release 10.3, E23571-08, Oracle Corporation, August 2014, section 3.6 http://docs.oracle.com/cd/E23574_01/admin.103/e23571.pdf.

HP ArcSight Integration

HP’s ArcSight Security Information Event Management (SIEM) system is a centralized system for logging, analyzing, and managing messages from different sources.  Oracle Audit Vault can forward messages to ArcSight SIEM.

No additional software is needed to integrate with ArcSight.  Integration is done through configurations in the Audit Vault Server console.

Messages sent to the ArcSight SIEM Server are independent of any other messages sent from the Audit Vault (e.g., other Syslog feeds). 

There are three categories of messages sent –

  • System - syslog messages from subcomponents of the Audit Vault Server
  • Info - specific change logging from the Database Firewall component of Oracle AVDF
  • Debug - a category that should only be used under the direction of Oracle Support

If you have questions, please contact us at info@integrigy.com

Reference
Auditing, Security Strategy and Standards, Oracle Audit Vault
Categories: APPS Blogs, Security Blogs

Everybody Says “Hackathon”!

Tugdual Grall - Fri, 2015-01-23 04:23
TLTR:
  • MongoDB & Sage organized an internal Hackathon
  • We use the new X3 Platform based on MongoDB, Node.js and HTML to add cool features to the ERP
  • This shows that “any” enterprise can (should) do it to:
    • look differently at software development
    • build strong team spirit
    • have fun!

Introduction

I have like many of you participated to multiple Hackathons where developers, designer and

Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)

Oracle E-Business Suite environments may be vulnerable due to excessive privileges granted on the SYS.DUAL table to PUBLIC.  This security issue has been resolved in the January 2015 Oracle Critical Patch Update (CPU) and has been assigned the CVE tracking identifier CVE-2015-0393.  The problem may impact all Oracle E-Business Suite versions including 11.5, 12.0, 12.1, and 12.2.  Recent press reports have labeled this vulnerability as a “major misconfiguration flaw.”  The security issue is actually broader than just the INDEX privilege that is being reported in the press and there may be at least four independent attack vectors depending on the granted privileges.  Fortunately, this issue does not affect all Oracle E-Business Suite environments - Integrigy has only identified this issue in a small number of Oracle E-Business Suite environments in the last three years.

Integrigy has published information on how to validate if this security flaw exists in your environment and how to remediate the issue.  The remediation can be done without applying the January 2015 CPU.

For more information, see Integrigy’s in-depth security analysis "Oracle EBS SYS.DUAL PUBLIC Privileges Security Issue Analysis (CVE-2015-0393)".

Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

EBS 12.2 Essential Bundle Fixes for AD Delta 5 and TXK Delta 5 (Doc ID 1934471.1)

Senthil Rajendran - Thu, 2015-01-22 07:38
If any of the below features are interesting to your deployment then please review the doc and apply the essential bundle patches on 12.2.5 environment. Hope this helps to stabilize your environment.

Section 4: Features and Fixes in the Current Code level
The bundle fixes include implementation of the following AD and TXK features and fixes.

4.1: AD Features and Fixes

  • The database connection module has been enhanced such that the former multiple connections during adop execution have been reduced to only two connections for all embedded SQL actions.
  • Concurrency issues during multi-node configuration have been fixed.
  • Redundancy issues have been addressed:
    • When calling validation on all nodes.
    • Unnecessary calls to the TXK API have been removed from the cleanup phase.
    • Time-consuming database actions have been centralized, instead of being performed on all nodes.
  • Multinode logic has been changed to depend on a new table, adop_valid_nodes, instead of fnd_nodes.
  • An issue where AD Admin and AD Splice actions were not synchronized on shared slave nodes has been fixed.
  • Reporting capabilities have been improved for:
    • Abandon nodes and failed nodes.
    • Uncovered objects not being displayed after actualize_all in adopreports.
    • Out of sync nodes during fs_clone and abort.
  • Cutover improvements:
    • Restartability of cutover.
    • An obsoleted materialized view has been removed from processing during cutover.
  • xdfgen.pl has been enhanced to support execution against Oracle RAC databases where ipscan is enabled.
  • Support for valid comma-separated adop phases has been provided.
  • Several database-related performance issues have been fixed.
  • Improvements have been made in supporting hybrid, DMZ, non-shared, and shared configurations.
  • The adop utility has been enhanced to support host name containing the domain name.

4.2: TXK New Features and Fixes

  • Enhancements have been made to the provisioning tools used in multi-tier environments to perform operations such as adding or deleting nodes and adding or deleting managed servers.
  • An enhancement has been made to allow customization of the s_webport and s_http_listen_parameter context variables when adding a new node.
  • Performance improvements have been made for cloning application tier nodes, particularly in the pre-clone and post-clone phases.
  • Fixes related to cloning support for Oracle 12c Database have been provided.
  • Performance improvements have been made for managing application tier services, including implementation of the Managed Server Independence Mode feature (-msimode parameter to adstrtal.sh) to allow application tier services to be started or stopped without the WebLogic Administration Server running.
  • On a multi-node application tier system configuration, remote connectivity is no longer required for packaging the Oracle E-Business Suite WebLogic Server domain.
  • JVM heap size (-Xms and -Xmx) has been increased to 1 GB for the WebLogic Administration Server and all managed servers.


Nantes MUG : Event #2

Tugdual Grall - Wed, 2015-01-21 00:01
Last night the Nantes MUG (MongoDB Users Group) had its second event. More than 45 people signed up and joined us at the Epitech school (thanks for this!).  We were lucky to have 2 talks from local community members:
  • How “MyScript Cloud” uses MongoDB by Mathieu Ruellan
  • Aggregation Framework by Sebastien Prunier

How “MyScript Cloud” uses MongoDB

First of all, if you do not know MyScript I

January 2015 Critical Patch Update Released

Oracle Security Team - Tue, 2015-01-20 14:55

Hi, this is Eric Maurice.

Oracle today released the January 2015 Critical Patch Update. This Critical Patch Update provides 169 new fixes for security issues across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle iLearning, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 169 vulnerabilities, 8 are for the Oracle Database. None of these database vulnerabilities are remotely exploitable without authentication, but a number of these vulnerabilities are relatively severe. The most severe of these database vulnerabilities (CVE-2014-6567) has received a CVSS Base Score of 9.0 to denote that a full compromise of the targeted server is possible on the Windows platform (for versions prior to Database 12c) but requires authentication (The CVSS Base Score for platforms other than Windows and for Database 12C on Windows is 6.5).

One database vulnerability (CVE-2014-6577) received a CVSS Base Score of 6.8. If successfully exploited, vulnerability CVE-2014-6577 can result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform. The CVSS Base Score for CVE-2014-6577 is 6.5 (the reported confidentiality impact value is "Partial+") for Database 12c on Windows and for all versions of the Database on Linux, Unix and other platforms.

Two database vulnerabilities received a CVSS Base Score of6.5 (CVE-2014-0373 and CVE-2014-6578). TheCVSS Base score of 6.5 for these vulnerabilities along with the Partial+ratings indicate that a successful compromise of the vulnerabilities couldresult in a possible compromise of the entire database, but authenticating tothe targeted system is required.

Becauseof the severity of these issues, Oracle highly recommends that this CriticalPatch Update be applied against affected systems as soon as possible. As a reminder, the security risk matriceslisted on the Critical Patch Update advisory lists the affected versions, andthe accompanying patch availability document provides information about how toobtain the appropriate patches.

Note that, as discussed in aprevious blog entry by Darius Wiles, the CVSS Special Interest Group hasrecently published a preview of the upcoming CVSS version 3.0 standard. A major improvement planned for this updatedversion of CVSS is the addition of a Scope metric that will provide a moregeneric way to indicate if the impact of a vulnerability extends beyond the componentthat contains the vulnerability. As aresult, this new ‘Scope’ metric will eliminate the need for Oracle to use aPartial+ custom score.

ThisCritical Patch Update provides 36 new fixes for Oracle Fusion Middlewareproducts. The most severe of theseFusion Middleware vulnerabilities has received a CVSS Base Score of 9.3. Two of the Oracle Fusion Middlewarevulnerabilities fixed in this Critical Patch Update can result in a servertakeover (CVE-2011-1944 and CVE-2014-0224).

ThisCritical Patch Update provides a number of security fixes for OracleApplications, including 10 new fixes for Oracle E-Business Suite, 6 for OracleSupply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for OracleJDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for OracleiLearning. Oracle Applications customersshould apply these fixes as soon as possible, as well as apply other relevantfixes in the Oracle stack as prescribed in the Critical Patch Update Advisoryand associated documentations. It isalso very important that application customers remain on actively supportversions from Oracle so that they can benefit from Oracle’s ongoing securityassurance effort, and continue to get security fixes which are thoroughlytested across the Oracle stack. Customers who have these applications hosted on their behalf shouldensure that their service providers apply these patches in a timely fashionupon successful testing.

ThisCritical Patch Update also provides 29 new security fixes for the OracleSun Systems Products Suite. The highestCVSS Base Score reported for these vulnerabilities is 10.0. This vulnerability(CVE-2013-4784) affects XCP Firmware versions prior to XCP 2232. Note that per Oracle’sLifetime Systems Support Policy; Oracle will no longer systematicallyassess new security vulnerabilities against Solaris 8 and Solaris 9.

ThisCritical Patch Update delivers 19 new security fixes for Oracle JavaSE. The most severe of thesevulnerabilities received a CVSS Base Score of 10.0. This score is reported for 4 distinct Java SEclient-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; andCVE-2015-0408). Out of these 19vulnerabilities, 15 affect client-only installations, 2 affect client andserver installations, and 2 affect JSSE installations. This relatively low historical number forOracle Java SE fixes reflect the results of Oracle’sstrategy for addressing security bugs affecting Java clients and improvingsecurity development practices in the Java development organization.

It is very important to note that, with thisCritical Patch Update, Oracle will change the behavior of Java SE inregards to SSL. This Critical PatchUpdate will disable by default the use of SSL version 3.0. SSL v3.0 is widely regarded as an obsoleteprotocol, and this situation is aggravated by the POODLEvulnerability (CVE-2014-3566). As aresult, this protocol is being widely targeted by malicious hackers.

Organizations should disable the use of all versions of SSLas they can no longer rely on SSL to ensure secure communications betweensystems.

Customers should update their custom code to switch to amore resilient protocol (e.g., TLS 1.2). They should also expect that all versions of SSL be disabled in allOracle software moving forward. A manualconfiguration change can allow Java SE clients and server endpoints, which havebeen updated with this Critical Patch Update, to continue to temporarily useSSL v3.0. However, Oracle stronglyrecommends organizations to phase out their use of SSL v3.0 as soon aspossible.

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

See Darius Wiles’ blog entry about upcomingchanges to the CVSS Standard at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview

January 2015 Critical Patch Update Released

Oracle Security Team - Tue, 2015-01-20 14:55

Hi, this is Eric Maurice.

Oracle today released the January 2015 Critical Patch Update. This Critical Patch Update provides 169 new fixes for security issues across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle iLearning, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 169 vulnerabilities, 8 are for the Oracle Database. None of these database vulnerabilities are remotely exploitable without authentication, but a number of these vulnerabilities are relatively severe. The most severe of these database vulnerabilities (CVE-2014-6567) has received a CVSS Base Score of 9.0 to denote that a full compromise of the targeted server is possible on the Windows platform (for versions prior to Database 12c) but requires authentication (the CVSS Base Score for platforms other than Windows and for Database 12c on Windows is 6.5).

One database vulnerability (CVE-2014-6577) received a CVSS Base Score of 6.8. If successfully exploited, vulnerability CVE-2014-6577 can result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform. The CVSS Base Score for CVE-2014-6577 is 6.5 (the reported confidentiality impact value is "Partial+") for Database 12c on Windows and for all versions of the Database on Linux, Unix and other platforms.

Two database vulnerabilities received a CVSS Base Score of 6.5 (CVE-2014-0373 and CVE-2014-6578). The CVSS Base Score of 6.5 for these vulnerabilities, along with the Partial+ ratings, indicates that a successful compromise of the vulnerabilities could result in a possible compromise of the entire database, but authenticating to the targeted system is required.
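To show how the authentication requirement and the Partial versus Complete impact ratings produce the database scores quoted above, here is an added example (not part of Oracle's post) that implements the CVSS v2 base equation. The class name `CvssV2Base` and the four vectors are assumptions constructed for illustration; the risk matrices in the advisory remain the authoritative source for each CVE. The first three vectors evaluate to 9.0, 6.5 and 6.8, and the fourth shows the score the first would get if no authentication were required.

```java
import java.util.HashMap;
import java.util.Map;

public class CvssV2Base {
    // Metric weights from the CVSS v2 specification.
    static final Map<String, Double> W = new HashMap<>();
    static {
        W.put("AV:L", 0.395); W.put("AV:A", 0.646); W.put("AV:N", 1.0);
        W.put("AC:H", 0.35);  W.put("AC:M", 0.61);  W.put("AC:L", 0.71);
        W.put("Au:M", 0.45);  W.put("Au:S", 0.56);  W.put("Au:N", 0.704);
        for (String m : new String[] {"C", "I", "A"}) {
            W.put(m + ":N", 0.0); W.put(m + ":P", 0.275); W.put(m + ":C", 0.660);
        }
    }

    /** Computes the CVSS v2 base score for a vector such as "AV:N/AC:L/Au:S/C:C/I:C/A:C". */
    static double baseScore(String vector) {
        Map<String, Double> v = new HashMap<>();
        for (String metric : vector.split("/")) {
            Double weight = W.get(metric);
            if (weight == null) throw new IllegalArgumentException("bad metric: " + metric);
            v.put(metric.substring(0, metric.indexOf(':')), weight);
        }
        if (v.size() != 6) throw new IllegalArgumentException("need AV, AC, Au, C, I and A");
        double impact = 10.41 * (1 - (1 - v.get("C")) * (1 - v.get("I")) * (1 - v.get("A")));
        double exploitability = 20 * v.get("AV") * v.get("AC") * v.get("Au");
        double f = impact == 0 ? 0 : 1.176;
        // Round to one decimal place, as the specification requires.
        return Math.round((0.6 * impact + 0.4 * exploitability - 1.5) * f * 10) / 10.0;
    }

    public static void main(String[] args) {
        // Constructed vectors (assumptions, not copied from Oracle's risk matrices).
        String[] vectors = {
            "AV:N/AC:L/Au:S/C:C/I:C/A:C",  // authenticated, complete C/I/A impact
            "AV:N/AC:L/Au:S/C:P/I:P/A:P",  // authenticated, partial C/I/A impact
            "AV:N/AC:L/Au:S/C:C/I:N/A:N",  // authenticated, complete confidentiality only
            "AV:N/AC:L/Au:N/C:C/I:C/A:C",  // same impact as the first, no authentication
        };
        for (String vec : vectors) {
            System.out.println(vec + " -> " + baseScore(vec));
        }
    }
}
```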

Because of the severity of these issues, Oracle highly recommends that this Critical Patch Update be applied against affected systems as soon as possible. As a reminder, the security risk matrices listed on the Critical Patch Update advisory list the affected versions, and the accompanying patch availability document provides information about how to obtain the appropriate patches.

Note that, as discussed in a previous blog entry by Darius Wiles, the CVSS Special Interest Group has recently published a preview of the upcoming CVSS version 3.0 standard. A major improvement planned for this updated version of CVSS is the addition of a Scope metric that will provide a more generic way to indicate if the impact of a vulnerability extends beyond the component that contains the vulnerability. As a result, this new ‘Scope’ metric will eliminate the need for Oracle to use a Partial+ custom score.

This Critical Patch Update provides 36 new fixes for Oracle Fusion Middleware products. The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 9.3. Two of the Oracle Fusion Middleware vulnerabilities fixed in this Critical Patch Update can result in a server takeover (CVE-2011-1944 and CVE-2014-0224).

This Critical Patch Update provides a number of security fixes for Oracle Applications, including 10 new fixes for Oracle E-Business Suite, 6 for Oracle Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for Oracle JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle iLearning. Oracle Applications customers should apply these fixes as soon as possible, as well as apply other relevant fixes in the Oracle stack as prescribed in the Critical Patch Update Advisory and associated documentation. It is also very important that application customers remain on actively supported versions from Oracle so that they can benefit from Oracle’s ongoing security assurance effort, and continue to get security fixes which are thoroughly tested across the Oracle stack. Customers who have these applications hosted on their behalf should ensure that their service providers apply these patches in a timely fashion upon successful testing.

This Critical Patch Update also provides 29 new security fixes for the Oracle Sun Systems Products Suite. The highest CVSS Base Score reported for these vulnerabilities is 10.0. This vulnerability (CVE-2013-4784) affects XCP Firmware versions prior to XCP 2232. Note that, per Oracle’s Lifetime Systems Support Policy, Oracle will no longer systematically assess new security vulnerabilities against Solaris 8 and Solaris 9.

This Critical Patch Update delivers 19 new security fixes for Oracle Java SE. The most severe of these vulnerabilities received a CVSS Base Score of 10.0. This score is reported for 4 distinct Java SE client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408). Out of these 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations. This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.

It is very important to note that, with this Critical Patch Update, Oracle will change the behavior of Java SE with regard to SSL. This Critical Patch Update will disable by default the use of SSL version 3.0. SSL v3.0 is widely regarded as an obsolete protocol, and this situation is aggravated by the POODLE vulnerability (CVE-2014-3566). As a result, this protocol is being widely targeted by malicious hackers.

Organizations should disable the use of all versions of SSL as they can no longer rely on SSL to ensure secure communications between systems.

Customers should update their custom code to switch to a more resilient protocol (e.g., TLS 1.2). They should also expect that all versions of SSL will be disabled in all Oracle software moving forward. A manual configuration change can allow Java SE clients and server endpoints, which have been updated with this Critical Patch Update, to continue to temporarily use SSL v3.0. However, Oracle strongly recommends that organizations phase out their use of SSL v3.0 as soon as possible.
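One way to apply this advice in custom Java code, as an added example that is not part of Oracle's post: it reports which protocols the JRE disables and enables by default, then builds a client socket restricted to an explicit TLS allow-list. The class name `TlsOnly` and the TLS 1.2/1.3 allow-list are assumptions; `jdk.tls.disabledAlgorithms` is the JDK security property that lists protocols disabled JRE-wide.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class TlsOnly {
    // Assumed policy for this example: nothing older than TLS 1.2 may be negotiated.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Returns the allow-listed protocols that this JRE actually supports. */
    static String[] allowedOnly(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String p : ALLOWED) {
            if (Arrays.asList(supported).contains(p)) kept.add(p);
        }
        if (kept.isEmpty()) throw new IllegalStateException("JRE supports no allowed TLS version");
        return kept.toArray(new String[0]);
    }

    /** Creates an unconnected client socket that cannot fall back to SSL v3.0. */
    static SSLSocket newTlsSocket() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(allowedOnly(socket.getSupportedProtocols()));
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Audit: what the JRE disables globally and what a default context would offer.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        String[] defaults = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        System.out.println("default protocols: " + Arrays.toString(defaults));
        if (Arrays.asList(defaults).contains("SSLv3")) {
            System.out.println("WARNING: SSLv3 is still enabled by default on this JRE");
        }
        try (SSLSocket s = newTlsSocket()) {
            System.out.println("hardened socket:   " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

Setting the protocols per socket keeps the restriction in place even on a JRE where SSL v3.0 has been re-enabled through configuration.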

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

See Darius Wiles’ blog entry about upcoming changes to the CVSS Standard at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview
