July 2020 Critical Patch Update: Executive Summary and Analysis
Doc ID 2684313.1
Impacted Oracle Middleware Applications and PeopleTools with CVSS Score of 8.0+
WebLogic
Score | CVE# | Component
--- | --- | ---
9.8 | CVE-2020-9546 | Centralized Thirdparty Jars (jackson-databind)
9.8 | CVE-2018-11058 | Security Service (RSA BSAFE)
9.8 | CVE-2020-14625, CVE-2020-14645, CVE-2020-14687 | IIOP, T3
9.8 | CVE-2017-5645 | Centralized Thirdparty Jars (Log4j)
9.8 | CVE-2017-5645 | Console (Log4j)
Java SE
Score | CVE# | Component
--- | --- | ---
8.3 | CVE-2020-14664 | JavaFX
8.3 | CVE-2020-14583 | Libraries
PeopleTools (Versions 8.56, 8.57 and 8.58)
Score | CVE# | Component
--- | --- | ---
8.2 | CVE-2020-14564 | Environment Mgmt Console
Applications to patch:
- WebLogic 12.2.1.4 – WLS PATCH SET UPDATE 12.2.1.4.200624 Patch 31537019 + ADR FOR WEBLOGIC SERVER 12.2.1.4.0 JULY CPU 2020 Patch 31544353
- JDK 8 – Oracle JDK 8 Update 261 b33
- Tuxedo 12.2.2.0 – RP068 (No July 2020 CPU patch for Tuxedo but we apply the latest Rolling Patch)
- PeopleTools 8.56, 8.57 and 8.58 – 8.56.23/8.57.16/8.58.05
- PeopleSoft Application (Optional for us)
The highest CVSS score is 9.8 for WebLogic 12.2.1.4 and 8.2 for PeopleTools 8.56/8.57/8.58. Apply the July 2020 CPU patches at every layer, even where the affected or vulnerable components are disabled or not in use.
At CU we downloaded the PT 8.56.23, 8.57.16 and 8.58.05 Linux DPKs. Every Linux PT DPK contains archives for WebLogic, JDK, Tuxedo, Oracle client and PeopleTools, but those archives do not include the latest CPU/PSU patches: after deploying them as shipped, the current CPU/PSU still has to be applied on top. We also created our own archive of Oracle JDK 8 Update 261 b33.
Oracle moved the WebLogic version from 12.2.1.3 to 12.2.1.4 with the April 2020 CPU.
This time two WebLogic security patches have to be applied: WLS PATCH SET UPDATE 12.2.1.4.200624 (Patch 31537019) and ADR FOR WEBLOGIC SERVER 12.2.1.4.0 JULY CPU 2020 (Patch 31544353). Both have OPatch 13.9.4.2.4 as a prerequisite, and the WebLogic archive shipped with the DPK does not carry the upgraded OPatch. Because our deployments are automated, we fixed the archive itself using the steps below.
PeopleTools 8.58 customers can avoid all of the fuss below by waiting for the Infrastructure DPK. Infrastructure DPKs contain CPU-patched PeopleSoft middleware (WebLogic, JDK, Tuxedo, Oracle client, etc.). The July 2020 CPU Infra DPK is expected on 07/27; Oracle releases Infrastructure DPKs within one to two weeks after a CPU comes out. The MOS document below is updated when the Infra DPK for the July 2020 CPU is released.
Oracle Support Document 2620925.1 (PeopleSoft PeopleTools Maintenance Patches and Deployment Packages Released for 2020 - All)
At CU we can't wait that long to apply the CPU patches, so we followed the steps below to update the WebLogic 12.2.1.4 archive.
Steps to upgrade to OPatch 13.9.4.2.4 in the 8.57.16 DPK WebLogic archive (the same archive is used for 8.56 and 8.58):
- Upgrade OPatch in WLS_HOME (/opt/oracle/psft/pt/bea) on one server manually.
- Extract the WebLogic archive: tar xzf pt-weblogic12.2.1.3.0.tgz
- Unpack the jar file from the archive: $JAVA_HOME/bin/jar xf pt-weblogic-copy.jar
- cd into the oracleHome folder and remove the folders that will be replaced: rm -rf oracle_common wlserver oui OPatch inventory
- Go back up one level (cd ..) and copy the same folders from the WLS_HOME that already carries the upgraded OPatch into the oracleHome folder of pt-weblogic-copy.jar:
  cp -rf /opt/oracle/psft/pt/bea/oracle_common /opt/oracle/psft/pt/bea/wlserver /opt/oracle/psft/pt/bea/oui /opt/oracle/psft/pt/bea/OPatch /opt/oracle/psft/pt/bea/inventory oracleHome
- Repack pt-weblogic-copy.jar with the updated oracleHome folder, keeping the original manifest:
  $JAVA_HOME/bin/jar cmvf META-INF/MANIFEST.MF pt-weblogic-copy.jar oracle cloning.properties clone_permissions oracleHome
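The archive rebuild above as one script, wrapped with the two checks worth running around it: that the WLS_HOME you copy from really carries OPatch 13.9.4.2.4 or later before you repack, and that both July patches show up in opatch lspatches on a deployed server afterwards. This is an added example, not the post's own tooling. It assumes OPatch records its version in $WLS_HOME/OPatch/version.txt as OPATCH_VERSION:<version>, that opatch lspatches prints one applied patch per line as <id>;<description>, that the DPK tgz holds pt-weblogic-copy.jar at its top level, and that the tgz is re-created afterwards with the same layout (a step the post does not spell out). The function names (version_ge, opatch_version_ok, patches_applied, rebuild_wls_archive) and the RUN_REBUILD switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the OPatch swap described
# above with the checks worth running before and after the July 2020 CPU.
# Assumptions (not stated on the page): $WLS_HOME/OPatch/version.txt holds
# "OPATCH_VERSION:<ver>", "opatch lspatches" prints "<id>;<description>" per
# applied patch, and the DPK tgz holds pt-weblogic-copy.jar at its top level.

REQUIRED_OPATCH="13.9.4.2.4"
JULY2020_WLS_PATCHES="31537019 31544353"   # PSU 12.2.1.4.200624 and the ADR patch

# version_ge A B -> 0 when dotted version A >= B, compared component by component
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# opatch_version_ok WLS_HOME -> 0 when the OPatch under WLS_HOME meets the prerequisite
opatch_version_ok() {
    ver_file="$1/OPatch/version.txt"
    [ -r "$ver_file" ] || { echo "no readable $ver_file" >&2; return 1; }
    ver=$(sed -n 's/^OPATCH_VERSION:[[:space:]]*//p' "$ver_file" | head -n 1)
    version_ge "$ver" "$REQUIRED_OPATCH"
}

# patches_applied ID... < output of "opatch lspatches" -> 0 only if every ID is listed
patches_applied() {
    listing=$(cat)
    for id in "$@"; do
        printf '%s\n' "$listing" | grep -q "^$id;" \
            || { echo "patch $id not applied" >&2; return 1; }
    done
    return 0
}

# rebuild_wls_archive ARCHIVE_TGZ WLS_HOME OUT_TGZ   (all three as absolute paths)
# Replays the post's steps: unpack the archive and its jar, replace the five
# directories under oracleHome with those from a WLS_HOME that already carries
# the new OPatch, repack the jar with its original manifest, then re-create the
# tgz (the re-tar step is this example's addition, not from the post).
rebuild_wls_archive() {
    archive="$1"; src_home="$2"; out="$3"
    opatch_version_ok "$src_home" || { echo "upgrade OPatch in $src_home first" >&2; return 1; }
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"
        tar xzf "$archive"
        mkdir jar && cd jar
        "$JAVA_HOME/bin/jar" xf ../pt-weblogic-copy.jar
        for d in oracle_common wlserver oui OPatch inventory; do
            rm -rf "oracleHome/$d"
            cp -rf "$src_home/$d" oracleHome/
        done
        "$JAVA_HOME/bin/jar" cmvf META-INF/MANIFEST.MF ../pt-weblogic-copy.jar \
            oracle cloning.properties clone_permissions oracleHome
        cd .. && rm -rf jar
        tar czf "$out" .
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

# Live run (needs tar, $JAVA_HOME/bin/jar and an already-upgraded WLS_HOME):
#   RUN_REBUILD=1 sh fix-wls-archive.sh /path/pt-weblogic12.2.1.3.0.tgz /opt/oracle/psft/pt/bea /tmp/pt-weblogic-fixed.tgz
# After deploying and applying both patches on a server:
#   $WLS_HOME/OPatch/opatch lspatches | patches_applied $JULY2020_WLS_PATCHES
if [ "${RUN_REBUILD:-0}" = 1 ]; then
    rebuild_wls_archive "$1" "$2" "$3"
fi
```

The version check reads version.txt rather than running opatch so it can be used from a build host that has only the copied tree; on a live server, opatch version gives the same number. The rebuild refuses to run against a WLS_HOME that still has the old OPatch, which is the mistake that otherwise surfaces only when the PSU fails its prerequisite check at patch time.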
July 2020 CPU patching went pretty smooth after we upgraded OPatch in the WebLogic archive.
Please feel free to email me at mayank.mittal@cu.edu if you need any help or have any questions about July 2020 PeopleSoft CPU or post a comment to this blog for the benefit of the community.
P.S: My apologies for not providing any information on Windows PT DPKs. CU is all Linux and I don't have much experience with Windows DPKs. However, I'm very comfortable with Puppet if you need any assistance with it.