From Mayank Mittal, University of Colorado
January 2020 Critical Patch Update: Executive Summary and Analysis:
Impacted Oracle Middleware Applications for PeopleSoft with CVSS Score of 9.0+:
9.8 CVE-2020-2555 [Oracle Coherence - Caching, CacheStore, Invocation (T3)]
9.8 CVE-2020-2551 [WLS Core Components (IIOP)]
PeopleTools (Versions 8.56 and 8.57):
9.8 CVE-2017-15708 [Portal (Apache Commons)]
9.8 CVE-2019-2729 [Security (Oracle WebLogic Server)]
Applications to patch:
- WebLogic 220.127.116.11
- JDK 8
- Tuxedo 18.104.22.168
- PeopleTools 8.56 and 8.57
- PeopleSoft Application (Optional for us)
The highest CVSS score for WebLogic 22.214.171.124 and PT 8.56/8.57 is 9.8. It is very important to apply the January 2020 CPU patches for both even if the affected/vulnerable components are disabled or not in use.
At Colorado University, I downloaded the PT 8.56.21 and PT 8.57.12 DPKs. All Linux PT DPK's contain tarballs for WebLogic, JDK, Tuxedo, Oracle client and PeopleTools. However, these tarballs don't include the latest CPU/PSU patches. Once you deploy them as is, the latest CPU/PSU needs to applied on top of them.
After setting up the Change Assistant for new versions, we applied PATCH856 and PATCH857 projects in target databases. I found the following issues with the PATCH857 project:
- Projects in PS_HOME/projects and PS_HOME/PTP/updPATCH857.zip are different. In fact, the project in PS_HOME/projects has not changed for last 3 patches. I would recommend using Change Assistant to apply the PATCH857 via PTP.
- If you manually apply PTPATCH%% projects, please apply the project in PTP folder.
There have been cases in the past where WebLogic tarball in the PT DPK would not allow you to apply the latest CPU on top of an existing CPU patch in it. In such cases, I had to use a base WebLogic tarball and install the latest PSU on top it; since WebLogic patches are cumulative, that's all I had to do.
For last few PT 8.56/8.57 DPK's, I've not had to do the above mentioned. I was able to apply the latest WebLogic PSU patch on the tarball that came out with .14, .16 and now .18 patch. These last few archives have also satisfied the pre-requisite of OPatch 13.9.4 as the tarball came with it.
Just an FYI: Starting 8.58, Oracle is introducing “Infrastructure DPK’s” that will be available within few days to 2 weeks after the CPU is released that will contain WebLogic, Tuxedo and JDK archives with latest CPU.
January 2020 CPU patching went pretty smooth and had no issues for us except for an old bug with WebLogic tarball which was introduced in 8.56.14 DPK. When the WebLogic tarball is extracted and deployed in the install process, it deploys the following file with incorrect JDK path. The installation process will not fail and you will observe that the PIA is up but you can't access it. Once you fix the JDK path in the below file and restart PIA, it will work as usual.
#This file is automatically generated
#Fri Mar 22 19:00:43 PDT 2019
I believe this JDK path is from the person's local machine who created this tarball. You can fix the WebLogic tarball by following below steps.
tar xzf pt-weblogic126.96.36.199.0.tgz
$JAVA_HOME/bin/jar xf pt-weblogic-copy.jar
Fix the JDK path in ./oracleHome/oui/.globalEnv.properties
$JAVA_HOME/bin/bin/jar cf pt-weblogic-copy.jar cloningclient.jar pasteBinary.sh
Since, my deployment process is completely automated via Puppet, I was easily able to fix this problem by putting in few lines of code to automate the fixing of JDK path in that file once WebLogic deploy was complete.
Please feel free to email me at email@example.com if you need any help or have any questions about January 2020 PeopleSoft CPU. TRAG is dedicated to serve our community members in every way possible.