Australia - New Zealand (ANZ)

Hi all,

We are beginning the process of our third PeopleTools upgrade in the last 4 or 5 months, having updated due to a CVE notice, then upgrading to the toolset required for TCSI APIs, and now updating again after another CVE notice. We normally plan out our tools updates less frequently (ideally annually), however having two CVEs with tools based rankings so high (9.8 out of 10) has compelled us to act quickly, and the timing has been such that neither CVE conveniently fit with our required tools update.

It is all a bit bothersome with our other project commitments around TCSI etc… I was just wondering if other institutions have been responding differently to these recent CVEs, or is everyone finding themselves keen for Friday drinks each week while seemingly perpetually patching tools?

Regards
Jason

Jason McIntyre
My pronouns are: he/him/his
acting Manager, Student Information Systems
Student Services and Engagement
USC
Tel: +61 7 5456 3432
jmcinty3@usc.edu.au<mailto:jmcinty3@usc.edu.au> | usc.edu.au http://www.usc.edu.au
[cid:image001.png@01D5E265.B104BE30]
I acknowledge the Traditional Custodians of the lands and waters upon which the
University’s campuses are located. I acknowledge their continuing connections to
country and pay my respects to Elders past, present and emerging.

University of the Sunshine Coast | CRICOS Provider Number: 01595D

Hi Jason

If you are referring to WebLogic we always patch that, Java and Tuxedo quarterly each time the patch comes out.

Regards
Renee.


Renee Picton | Student and Academic Business | Student Central
University of Newcastle | Callaghan NSW 2308
CRICOS 00109J |T: +61 2 4921 7890 |renee.picton@newcastle.edu.au<mailto:%7Crenee.picton@newcastle.edu.au>



From: Jason McIntyre <anz.heug@list.heug.org>
Sent: Thursday, 13 February 2020 1:07 PM
To: anz.heug@list.heug.org
Subject: [anz.heug] - Critical Patch of PeopleTools

Hi all,

We are beginning the process of our third PeopleTools upgrade in the last 4 or 5 months, having updated due to a CVE notice, then upgrading to the toolset required for TCSI APIs, and now updating again after another CVE notice. We normally plan out our tools updates less frequently (ideally annually), however having two CVEs with tools based rankings so high (9.8 out of 10) has compelled us to act quickly, and the timing has been such that neither CVE conveniently fit with our required tools update.

It is all a bit bothersome with our other project commitments around TCSI etc… I was just wondering if other institutions have been responding differently to these recent CVEs, or is everyone finding themselves keen for Friday drinks each week while seemingly perpetually patching tools?

Regards
Jason

Jason McIntyre
My pronouns are: he/him/his
acting Manager, Student Information Systems
Student Services and Engagement
USC
Tel: +61 7 5456 3432
jmcinty3@usc.edu.au<mailto:jmcinty3@usc.edu.au> | usc.edu.au http://www.usc.edu.au
[cid:image001.png@01D5E57A.0C53FFA0]
I acknowledge the Traditional Custodians of the lands and waters upon which the
University’s campuses are located. I acknowledge their continuing connections to
country and pay my respects to Elders past, present and emerging.

University of the Sunshine Coast | CRICOS Provider Number: 01595D


-----End Original Message-----

Hi Jason – Since the release dates of the CPUs are known in well advance, we have a patching timeline planned out for the year, including time allocated for the business users to test. Typically, the WebLogic and Java patches are put into production with 2 weeks of release. Depending on the severity of the PeopleTools CVEs (usually dependent on whether or not the exploit can be accessed remotely without authentication), we may choose not to do the PeopleTools patch to minimise the impact on the business. However, since the last few have had high impacts, we have done the PT patches as well, currently still in the testing phase for the last CPU (Jan).

Like you, we used to only patch once per year, but one of our older PS servers got hacked into a couple of years ago, so now we patch ASAP.

The biggest pain with PeopleTools patching is the need to redeploy the PIA and app/process scheduler domains, but we’ve pretty much managed to automate most of this through Red Hat Satellite scripts.

Cheers,
Rob.

Robert Lacina
University of South Australia
Information Strategy and Technology Services
Student Lifecycle Systems
CRICOS Provider Number: 00121B

From: Jason McIntyre [mailto:anz.heug@list.heug.org]
Sent: Thursday, 13 February 2020 12:37 PM
To: anz.heug@list.heug.org
Subject: [anz.heug] - Critical Patch of PeopleTools

Hi all,

We are beginning the process of our third PeopleTools upgrade in the last 4 or 5 months, having updated due to a CVE notice, then upgrading to the toolset required for TCSI APIs, and now updating again after another CVE notice. We normally plan out our tools updates less frequently (ideally annually), however having two CVEs with tools based rankings so high (9.8 out of 10) has compelled us to act quickly, and the timing has been such that neither CVE conveniently fit with our required tools update.

It is all a bit bothersome with our other project commitments around TCSI etc… I was just wondering if other institutions have been responding differently to these recent CVEs, or is everyone finding themselves keen for Friday drinks each week while seemingly perpetually patching tools?

Regards
Jason

Jason McIntyre
My pronouns are: he/him/his
acting Manager, Student Information Systems
Student Services and Engagement
USC
Tel: +61 7 5456 3432
jmcinty3@usc.edu.au<mailto:jmcinty3@usc.edu.au> | usc.edu.au http://www.usc.edu.au
[cid:image001.png@01D5E57E.531C6EF0]
I acknowledge the Traditional Custodians of the lands and waters upon which the
University’s campuses are located. I acknowledge their continuing connections to
country and pay my respects to Elders past, present and emerging.

University of the Sunshine Coast | CRICOS Provider Number: 01595D


-----End Original Message-----