October 2019 Critical Patch Update: Executive Summary and Analysis
Doc ID 2566015.1
Impacted Oracle Middleware Applications for PeopleSoft with CVSS Score of 9.0+
9.8 CVE-2019-2904 Oracle WebLogic Server [Oracle JDeveloper and ADF
PeopleTools (Versions 8.56 and 8.57)
9.8 CVE-2016-0729 [Integration Broker (Apache Xerces)]
9.1 CVE-2019-3862 [File Processing (libssh2)]
Applications to patch:
- Weblogic 12.2.1.3
- JDK 8
- Tuxedo 12.2.2.0
- PeopleTools 8.56 and 8.57
- PeopleSoft Application (Optional for us)
The highest CVSS score for WebLogic 12.2.1.3 and PT 8.56/8.57 is 9.8. It is very important to apply the October 2019 CPU patches for both.
At CU I downloaded the PT 8.56.20 and PT 8.57.10 DPKs. All Linux PT DPK's contain tarballs for Weblogic, JDK, Tuxedo, Oracle client and PeopleTools. However, these tarballs don't include the latest CPU/PSU patches. Once you deploy them as is, latest CPU/PSU needs to applied on top of them.
There were some cases in the past where WebLogic tarball in the PT DPK would not allow you to apply the latest CPU on top of an existing CPU patch in it. In such cases, I had to use a base WebLogic tarball and install the latest PSU on top it, and, since WebLogic patches are cumulative, that's all I had to do.
For last 2 PT 8.56/8.57 DPK's, I've not had to do the above mentioned. I was able to apply the latest WebLogic PSU patch on the tarball that came out with .14, .16 and now .18 patch. These last two tarballs have also satisfied the pre-requisite of OPatch 13.2 as the tarball came with it.
October 2019 CPU patching went pretty smooth and had no issues for us except for an old bug with WebLogic tarball which was introduced in 8.56.14 DPK. When the WebLogic tarball is extracted and deployed in the install process, it deploys following file with incorrect JDK path. The installation process will not fail and you will observe that the PIA is up but you can't access it. Once you fix the JDK path in the below file and restart PIA, it will work as usual.
cat /opt/oracle/psft/pt/bea/oui/.globalEnv.properties
#This file is automatically generated
#Fri Mar 22 19:00:43 PDT 2019
JAVA_HOME=/mount/856storage/slc10ork/ds2/dpk/PT85616b-9030/jdk1.8.0_201
JAVA_HOME_1_8=/mount/856storage/slc10ork/ds2/dpk/PT85616b-9030/jdk1.8.0_201
I believe this JDK path is from the person's local machine who created this tarball. You can fix the weblogic tarball by following below steps.
tar xzf pt-weblogic12.2.1.3.0.tgz
/opt/oracle/psft/pt/jdk1.8/bin/jar xf pt-weblogic-copy.jar
Fix the JDK path in ./oracleHome/oui/.globalEnv.properties
/opt/oracle/psft/pt/jdk1.8/bin/jar cf pt-weblogic-copy.jar cloningclient.jar pasteBinary.sh
Since, my deployment process is completely automated via Puppet, I was easily able to fix this problem by putting in few lines of code to automate the fixing of JDK path in that file once WebLogic deploy was complete.
Please feel free to email me at mayank.mittal@cu.edu if you need any help or have any questions about October 2019 PeopleSoft CPU. TAG is dedicated to serve our community members in every way possible.