July 2019 CPU: Summary and Analysis

July 2019 Critical Patch Update: Executive Summary and Analysis 

Doc ID 2559985.1

Impacted Oracle Middleware Applications for PeopleSoft with CVSS Score of 9.0+

9.8 CVE-2019-2856 Oracle WebLogic Server (Application Container - JavaEE)

PeopleTools (Versions 8.55, 8.56, 8.57)

7.5 CVE-2015-0226 (Security (Apache WSS4J))

7.1 CVE-2019-2748 (Application Server)

PeopleSoft Applications

6.4 CVE-2019-2831 PeopleSoft Enterprise FIN Project Costing (Projects)

Technical Commentary

Applications to patch:

  1. Weblogic
  2. JDK
  3. Tuxedo
  4. PeopleTools
  5. PeopleSoft Application (Optional for us)

At CU I downloaded the PT 8.56.18 DPK. All Linux PT DPK's contain tarballs for Weblogic, JDK, Tuxedo, Oracle client and PeopleTools. However, these tarballs don't include the latest CPU/PSU patches. Once you deploy them as is, latest CPU/PSU needs to applied on top of them.

There were some cases in the past where WebLogic tarball in the PT DPK would not allow you to apply the latest CPU on top of an existing CPU patch in it. In such cases, I had to use a base WebLogic tarball and install the latest PSU on top it, and, since WebLogic patches are cumulative, that's all I had to do.

For last 2 PT 8.56 DPK's for .16 and .18 patch, I've not had to do the above mentioned. I was able to apply the latest WebLogic PSU patch on the tarball that came out with .14, .16 and now .18 patch. These last two tarballs have also satisfied the pre-requisite of OPatch 13.2 as the tarball came with it.

July 2019 CPU patching is pretty smooth and had no issues for us except for an old bug with WebLogic tarball which was introduced in 8.56.14 DPK. When the WebLogic tarball is extracted and deployed in the install process, it deploys following file with incorrect JDK path. The installation process will not fail and you will observe that the PIA is up but you can't access it. Once you fix the JDK path in the below file and restart PIA, it will work as usual.

cat /opt/oracle/psft/pt/bea/oui/.globalEnv.properties

#This file is automatically generated

#Fri Mar 22 19:00:43 PDT 2019

JAVA_HOME=/mount/856storage/slc10ork/ds2/dpk/PT85616b-9030/jdk1.8.0_201

JAVA_HOME_1_8=/mount/856storage/slc10ork/ds2/dpk/PT85616b-9030/jdk1.8.0_201

I believe this JDK path is from the person's local machine who created this tarball. I tried to fix the tarball with below steps but somehow it corrupts the pt-weblogic-copy.jar. I will spend some more time trying to fix it otherwise will create an SR with Oracle.

tar xzf pt-weblogic12.2.1.3.0.tgz

/opt/oracle/psft/pt/jdk1.8/bin/jar xf pt-weblogic-copy.jar

Fix the JDK path in ./oracleHome/oui/.globalEnv.properties

/opt/oracle/psft/pt/jdk1.8/bin/jar cf pt-weblogic-copy.jar cloningclient.jar pasteBinary.sh

Since, my deployment process is completely automated via Puppet, I was easily able to fix this problem by putting in few lines of code to automate the fixing of JDK path in that file once WebLogic deploy was complete.

Please feel free to email me at mayank.mittal@cu.edu if you need any help or have any questions about July 2019 PeopleSoft CPU. The TRAG is dedicated to serve our community members in every way possible.

Recent Stories
July 2019 CPU: Summary and Analysis

TRAG Cloud and Integrations Work Group - Further Detailed Considerations for SaaS

TRAG Quarterly Newsletter - Volume 2 - July 2019