We are probably all too familiar with the regular restarts and updates that our laptops and PCs request to patch the Windows Operating System. And whilst there is probably not anyone that actually looks forward to this task, there is no doubt that Microsoft has certainly improved the process in recent years. The process may have its issues, but for a techie, patching Microsoft servers requires just a few button clicks.
Because of its ability to support various platforms and configurations the picture is more complicated when patching EnterpriseOne (E1) and the underlying technology that supports it. This is probably due, in large part, to the complexity of the process and the specialist skills needed, and partly due to the evolving nature of JD Edwards.
Some E1 customer sites may not be aware that Oracle release security advisories for E1 and there are important security patches available for Oracle products. On my travels as a CNC consultant, it is not unusual to find a customer site where no procedures or policies have been implemented for patching E1, or the underlying technology that supports it e.g. databases, web servers and other third party software that’s required. But with the increasing tendency to connect E1 to the Internet, and the recent news about the Meltdown and Spectre bugs, it is perhaps timely to review the current patching available for JD Edwards EnterpriseOne.
Many of the patches that Oracle release fix security issues that could be exploited over the network without any authentication. These could be used to trigger a system crash, or allow data to be accessed. Due to the nature of E1, the vulnerabilities that the patches address are mainly exposed on internal networks that are open to exploitation by malicious software or a disgruntled employee. However, the increasing use of E1 with Internet facing technologies like E1 Mobile, Business Services, Orchestrator, or REST Web Services, now make it increasingly likely that software vulnerabilities may potentially be exposed to the Internet. Not applying security patches to Internet facing systems significantly increases the risk of them being exploited.
So it is definitely worth taking a look to see what patches for JDE E1 might be relevant to you – Oracle release quarterly Critical Patch Updates (CPU) and the latest information is available here.
January’s notice included two advisories for E1, CVE-2018-2658 and CVE-2018-2659, which are included in Doc ID 2349388.1.
The technologies that support E1 may be even more susceptible to these risks. Oracle WebLogic Server is a key component of the E1 architecture and is often overlooked for patching. Several patches for WebLogic Server are included in the latest CPU; however CVE-2017-10352 stands out as especially significant as it has been assigned a Common Vulnerability Scoring System (CVSS) of 9.9. CVSS is an industry standard system for scoring security flaws from 1 to 10 where 10 is the most severe. To put this into a bit of perspective, the Spectre and Meltdown bugs that the press have been making a fuss about have a CVSS of 5.6 (See NIST).
Most sites that use Oracle database will already have a patching policy in place for these systems, and in a recent survey 50% of respondents apply the CPU within six months. However 15% of respondents admitted that they never apply the updates.
Interestingly, there are less CPU for Oracle database than there are for Oracle WebLogic Server.
Many other Oracle products that are part of the Fusion Middleware family and are frequently used with E1 are also included on the Critical Patch Updates. These include Oracle HTTP Server, Oracle JDeveloper, Oracle BIEE, Oracle Access Manager and last but by no means least JAVA – which pervades almost everything!
Has the version of JAVA on the WebLogic server been updated recently?
The significance of Oracle Fusion Middleware, especially WebLogic Server, is that this is most likely the software in the front line of any E1 installation.
As well as quarterly CPUs, Oracle release Security Alerts ‘for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update’. These updates will address urgent issues in a specific product. An example of this is CVE-2017-10151 which was released in November 2017. This fixes a high risk issue in Oracle Identity Manager that has a CVSS score of 10.0 and “could result in complete compromise of Oracle Identity Manager via an unauthenticated network attack”.
Do you have OIM, and is it being used with JDE? Has this been updated?
With an increasing focus on data security, EU GDPR and compliance, and the extension of E1 into the Internet in an increasingly connected World, it is a good time to review if your patching policies are robust enough.
So if you have now decided that you really do need to deploy some of the updates, it is time to make a plan.
To assist with planning and the scheduling of downtime, the release dates for Critical Patch Updates are announced a year in advance:
With these timings, you can then assess if you are likely to have the resource/expertise available. Even if you don’t currently outsource for maintenance, this sort of expertise can still be outsourced on a project basis.
Abbey Barn Road
UK: +44 (0) 1494 896 600
US: +1 888 769 3248
ANZ: +64 (0) 9427 99 56