We analyzed the published security patches, and first of all: there is a lot of highly critical material in this quarter’s release, especially for E-Business Suite (incl. Cloud Manager; maximum CVSS base score of 9.8) and Fusion Middleware (a whole bunch of 9.8 ratings, with more Log4J fixes as well):
As you can see, many of those vulnerabilities can be exploited easily by remote, unauthenticated attackers, with a high impact on integrity, confidentiality and availability.
Let’s look in more detail at the experience and caveats we gathered while applying the patches for various of our customers.
Oracle E-Business Suite (incl. Cloud Manager)
Applying the E-Business Suite functional patches was quite straightforward. For some of our customers we decided to combine this quarter’s CPU patching with applying the latest AD and TXK Release 13 (https://blogs.oracle.com/ebs/post/announcement-ad-and-txk-delta-13-updates-now-available-for-ebs-122), which is also a prerequisite for the upcoming support for running the E-Business Suite database on Autonomous Database. Also keep in mind that the latest OAF patches (1927975.1; e.g. 12.2.10 Bundle 8) solve a lot of minor issues with OA Framework components that are used across many E-Business Suite pages.
The biggest challenge so far with E-Business Suite is the availability of the WebLogic and Oracle HTTP Server patches. Since the versions of the base technology products used even within the latest E-Business Suite 12.2.11 are in Sustaining / Market Driven Support, it is not so easy to get your hands on the patches. Oracle is still repackaging those patches to make them available to E-Business Suite customers with a “regular” support contract.
Fusion Middleware (SOA, IDM)
In the area of Fusion Middleware, Oracle has finally made the Support Notes much more readable than before. The new note 2853458.2 gives a convenient overview of all the available patches, CVEs and error corrections:
Furthermore, the new Patch Availability Document describes more clearly exactly which patches to apply:
Keep in mind that, e.g. for an Oracle SOA Suite 184.108.40.206, you’ll need to apply a lot of patches, from the JDK over the database to WebLogic including its components such as ADF and WebCenter, until you actually get to the SOA product itself. You’ll need to apply a total of almost 10 patches to get your SOA Suite from the January to the April 2022 patch level.
At least those patches worked without issues for all our customers so far.
While patching to the latest 19.15 database release we ran into an issue with one of the included patches (32583355) for two of our customers. For both, it was enough for now to comment out the following failing line in the patch driver:
---- revoke_privs_32583355('all', 'SYS', 'DBMS_LOGREP_UTIL');
Oracle is investigating this under 34004103, but I think this is a more widespread issue, at least with E-Business Suite databases, so there will probably soon be an official fix / note for this.
It has almost become a tradition that the Java update again gave us the most headaches. While this time the TLS/SSL ciphers have not been changed (and thus didn’t cause issues), Oracle decided to improve the behavior of URL parsing and make it more secure (https://www.oracle.com/java/technologies/javase/8u331-relnotes.html; JDK-8278972). This made it impossible on two of our SOA environments to sign in to the Fusion Middleware Enterprise Manager on SOA Suite 220.127.116.11 environments. Somehow the ADF components tried to establish an LDAP connection to ldap://[soacloudtest.intern.dns]:7001, which was not considered a valid IPv6 address:
<Apr 22, 2022 5:51:57,555 PM CEST> <Warning> <oracle.ods.virtualization.engine.backend.jndi.DefaultAuthenticator.BackendJNDI> <LIBOVD-40403> <Connect timeout not set, defaulting to 15000ms.>
<Apr 22, 2022 5:51:57,804 PM CEST> <Warning> <oracle.ods.virtualization.engine.backend.jndi.DefaultAuthenticator.BackendJNDI> <LIBOVD-40118> <Could not automatically detect binary attribute list: Malformed IPv6 address at index 8: ldap://[soacloudtest.intern.dns]:8001.>
<Apr 22, 2022 5:51:57,835 PM CEST> <Error> <oracle.help.web.rich.OHWFilter> <BEA-000000> <ADFSHARE-00120: Error encountered while creating the MDS Session. Application state will be reset. Please logout and log back in if problem persists.
oracle.adf.share.ADFShareException: ADFSHARE-00120: Error encountered while creating the MDS Session. Application state will be reset. Please logout and log back in if problem persists.
Where those square brackets in the URI were coming from I have so far not been able to analyze. At least changing the setDomainEnv.sh of the environment to include
did solve the issue and made it possible to finish the upgrade. Oracle is still investigating this; since it happened only on some of our customer environments (and e.g. only on SOA Suite, never on OAM/OID), I’m so far not sure what is wrong “under the hood” that leads to that wrong URL being called.
Update: In the meantime Oracle has released an official patch for this issue: EM Console Login Not Working After Installing JDK 1.8 331 (Doc ID 2864820.1)
However, the above workaround might be helpful in other areas / custom applications as well that are not 100% properly coded so far.
In April Oracle also released ORDS 22.1. Keep in mind that there are a lot of architectural changes in that release, so upgrading from 21.4 to 22.1 is a bit more involved than the usual “replacement of the .war file”. I’ll cover the upgrade in a future blog post in the coming weeks.
Even though we encountered some issues while applying the April 2022 CPUs, I’d highly recommend going through the effort of applying the patches: they fix a lot of critical issues and vulnerabilities that you definitely don’t want to leave unpatched – especially when providing public services such as iSupplier Portal on those environments. Obviously you’ll want to apply those patches to a dev/test environment first before bringing them to production!
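As an added example (not code from the original post or from Oracle), a small Java pre-flight check for LDAP provider URLs in custom applications: java.net.URI rejects a hostname wrapped in IPv6 brackets with exactly the “Malformed IPv6 address at index 8” message seen in the log above, so running configured URLs through it surfaces the misconfiguration before the stricter JDK 8u331 JNDI parser does. The class name and the sample URLs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/*
 * Added example, not part of the original post: validate LDAP provider URLs
 * before handing them to JNDI / libOVD. A bracketed host such as
 * ldap://[soacloudtest.intern.dns]:7001 is only legal when the bracket content
 * is an IPv6 literal; java.net.URI fails it with "Malformed IPv6 address".
 */
public class LdapUrlCheck {

    /** Returns null when the URL is acceptable, otherwise a human-readable problem. */
    public static String check(String url) {
        try {
            URI uri = new URI(url);
            if (uri.getHost() == null) {
                return "no parseable host in " + url;
            }
            return null;
        } catch (URISyntaxException e) {
            String reason = e.getReason() + " at index " + e.getIndex();
            int open = url.indexOf('[');
            int close = url.indexOf(']');
            // Distinguish the bracketed-hostname case from any other syntax error
            if (open >= 0 && close > open) {
                String inside = url.substring(open + 1, close);
                if (!inside.contains(":")) {
                    return "hostname '" + inside + "' is wrapped in IPv6 brackets (" + reason + ")";
                }
            }
            return reason;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs: the failing form from the log plus two valid forms.
        List<String> urls = Arrays.asList(
            "ldap://[soacloudtest.intern.dns]:7001",
            "ldap://soacloudtest.intern.dns:7001",
            "ldap://[fe80::1]:7001");
        for (String u : urls) {
            String problem = check(u);
            System.out.println(u + " -> " + (problem == null ? "OK" : problem));
        }
    }
}
```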