April 2019 Critical Patch Update: Executive Summary and Analysis
Doc ID 2494878.1
Notes From Oracle:
July 2019 will contain the last CPU for PeopleTools Version 8.55
April Critical Patch Advisory
9.8 CVE-2019-2725 Oracle WebLogic Server (Web Services)
Click here for more information.
Impacted Oracle Applications with CVSS Score of 9.0+
9.8 CVE-2019-2645. Oracle WebLogic Server (WLS Core Components)
9.8 CVE-2019-2646 Oracle WebLogic Server (EJB Container)
9.8 CVE-2019-2658 Oracle WebLogic Server (WLS Core Components)
9.0 CVE-2019-2699 Java SE (Windows DLL)
PeopleTools (Versions 8.55, 8.56, 8.57)
8.7 CVE-2019-2598 (SQR)
7.5 CVE-2018-1000180 (Security (Bouncy Castle Java Library))
6.8 CVE-2019-2594 (Application Server)
6.1 CVE-2019-2637 (PIA Core Technology)
5.9 CVE-2018-0734 (Security (OpenSSL))
5.4 CVE-2019-2597 (PIA Core Technology)
4.3 CVE-2019-2573 (Fluid Homepage & Navigation)
4.3 CVE-2019-2586 (RemoteCall)
8.2 CVE-2019-2590 HCM Talent Acquisition Manager (Job Opening)
6.1 CVE-2019-2591 HRMS (Candidate Gateway)
6.1 CVE-2019-2707 ELM Enterprise Learning Management (Application Search)
4.3 CVE-2019-2700 Enterprise ELM (Enterprise Learning Mgmt)
TRAG Technical Commentary by Mayank Mittal
Sr. PeopleSoft Administrator, University of Colorado
Applications to Patch:
5. PeopleSoft Applications (HCM, ELM)
I downloaded the PT 8.56.16 DPK. All Linux PT DPK's contain tarballs for Weblogic, JDK, Tuxedo, Oracle client and PeopleTools. However, these tarballs don't include the latest CPU/PSU patches. Once you deploy them as is, latest CPU/PSU needs to be applied on top of them.
There were some cases in the past where WebLogic tarball in the PT DPK would not allow you to apply the latest CPU on top of an existing CPU patch in it. In such cases, I had to use a base WebLogic tarball and install the latest PSU on top it, and, since WebLogic patches are cumulative, that's all I had to do.
For the last two PT 8.56 DPK's for .14 and .16 patch, I've not had to do the above mentioned. I was able to apply the latest WebLogic PSU patch on the tarball that came out with .14 and .16 patch. These last two tarballs have also satisfied the pre-requisite of OPatch 13.2 as the tarball came with it.
April 2019 CPU patching was pretty smooth and had no issues for CU except for a bug with WebLogic tarball which was introduced in 8.56.14 DPK. When the WebLogic tarball is extracted and deployed in the install process, it deploys following file with incorrect JDK path. The installation process will not fail and you will observe that the PIA is up but you can't access it. Once you fix the JDK path in the below file and restart PIA, it will work as usual.
JDK file Path: cat /opt/oracle/psft/pt/bea/oui/.globalEnv.properties
This file is automatically generated:
#Fri Mar 22 19:00:43 PDT 2019 JAVA_HOME=/mount/856storage/slc10ork/ds2/dpk/PT85616b-9030/jdk1.8.0_201 JAVA_HOME_1_8=/mount/856storage/slc10ork/ds2/dpk/PT85616b-9030/jdk1.8.0_201
I believe this JDK path is from the local machine of the developer who created this tarball. The WebLogic tarball bug can be fixed by following the below steps:
1. Copy WebLogic tarball from PT DPK/archives folder to a different location.
2. Extract the tarball:
tar xzf pt-weblogic184.108.40.206.0.tgz
3. Extract pt-weblogic-copy.jar file:
/opt/oracle/psft/pt/jdk1.8/bin/jar xf pt-weblogic-copy.jar
4. Make your changes
5. Create a new pt-weblogic-copy.jar again:
/opt/oracle/psft/pt/jdk1.8/bin/jar cmvf META-INF/MANIFEST.MF pt-weblogic-copy.jar
6. Copy the new pt-weblogic-copy.jar to the tarball extract & create a new tarball
Since my deployment process is completely automated via Puppet, I was easily able to fix this problem by putting in few lines of code to automate the fixing of JDK path in that file once WebLogic deploy was complete.
If any institutions require assistance or have any questions about the PeopleSoft applications of the April 2019 CPU, please feel free to contact me.
The TRAG is dedicated to serve our community members in every way possible.