rmoff

October 21, 2009

Critical Patch Update – OBIEE vuln CVE-2009-1990

Filed under: bug, obiee, security — rmoff @ 11:54

October’s Oracle Critical Patch Update Advisory has been released. There are two vulnerabilities (CVE-2009-1999, CVE-2009-1990) listed under Oracle Application Server for “Component” Business Intelligence Enterprise Edition and one (CVE-2009-3407) for “component” Portal.

  • CVE-2009-1999 is OBIEE and “Fixed in all supported versions. No patch provided in this Critical Patch Update.”
  • CVE-2009-3407 looks like only OAS (not OBIEE), up to versions 10.1.2.3 and 10.1.4.2.
  • CVE-2009-1990 is OBIEE and is the main vuln of interest. It’s unclear if it’s just OBIEE 10.1.3.4.x, or all versions of OBIEE through to and including 10.1.3.4.1. It’s also confusing putting it in the same table as OAS, especially given that OAS has similar versioning (10.1.3.x.x).

For information about patches, see My Oracle Support Note 881382.1. This doc lists patches 8927890 and 8927886 for OBIEE 10.1.3.4.1 and 10.1.3.4.0 respectively. Since no other versions are mentioned, that suggests it doesn’t affect them, but that’d be a heck of an assumption to make. If I were running < 10.1.3.4.0 I'd be raising an SR to seek clarification, especially given the ambiguity of the table in the Advisory doc.

The patch (8927890 for 10.1.3.4.1 / 8927886 for 10.1.3.4.0) updates libnqsmetadata and libnqsexecutionlist libraries (dll / so), so installation should be simple (and thus backout too).

Watch out for the pre-reqs on 8927890, which list the same build (10.1.3.4.0.080726.1900) as 8927886, even though it’s supposed to be for 10.1.3.4.1.
You also need to shut down BI Scheduler (nqscheduler), even though only BI Server is named in the readme.txt.
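Since the patch is just a library swap, the practical risks are applying it while a process still has the old library loaded, and having no clean way to back it out or confirm what changed. The helper below is an added example (not Oracle’s patch tooling or anything from the post): it checks that nqsserver and nqscheduler are both down, backs up the two libraries named above with a sha256 manifest, and after patching reports which ones actually changed. The library directory is passed in, and the process names and sha256sum are assumptions about the host.

```shell
#!/bin/sh
# Pre-flight, backup and post-patch check for the OBIEE 10.1.3.4.x
# library patch (8927890 / 8927886). Added example, not Oracle tooling.
set -u

# Libraries the patch replaces (from the patch readme, .so or .dll).
LIBS="libnqsmetadata libnqsexecutionlist"

# Returns 0 only if neither BI Server (nqsserver) nor BI Scheduler
# (nqscheduler) is running. Uses ps -e so pgrep is not required.
# Assumption: the 10g processes are named nqsserver and nqscheduler.
obiee_services_stopped() {
  for p in nqsserver nqscheduler; do
    if ps -eo comm= 2>/dev/null | grep -qx "$p"; then
      echo "ERROR: $p is still running; stop it before patching" >&2
      return 1
    fi
  done
  return 0
}

# Copy each patched library from $1 into $2 and record a sha256 manifest,
# so the patch can be backed out and the replaced files verified.
# Assumption: coreutils sha256sum is available.
obiee_backup_libs() {
  libdir=$1; bkdir=$2; found=0
  mkdir -p "$bkdir" || return 1
  : > "$bkdir/MANIFEST"
  for base in $LIBS; do
    for f in "$libdir/$base.so" "$libdir/$base.dll"; do
      [ -f "$f" ] || continue
      cp -p "$f" "$bkdir/" || return 1
      sha256sum "$f" >> "$bkdir/MANIFEST"
      found=$((found + 1))
    done
  done
  [ "$found" -gt 0 ] && return 0
  echo "ERROR: no patched libraries found in $libdir" >&2
  return 1
}

# After patching: print the basename of every library whose hash no
# longer matches the manifest written by obiee_backup_libs.
obiee_changed_libs() {
  bkdir=$2
  while read -r sum path; do
    new=$(sha256sum "$path" | cut -d' ' -f1)
    [ "$new" = "$sum" ] || basename "$path"
  done < "$bkdir/MANIFEST"
}
```

Run obiee_services_stopped and obiee_backup_libs before copying the patched libraries in, then obiee_changed_libs afterwards; a library that does not show up as changed was not replaced, and the backup directory is the backout.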

There are no details on the vuln itself that I can find. The READMEs for each patch simply say “This patch fixes the following bug(s)” and list the patch number (8927886 or 8927890). On MyOracleSupport there are no results for these bug numbers except a JDEdwards bug (!). On Metalink2 each bug turns up but is not publicly visible.


1 Comment

  1. I am trying to find the functionality that is being changed with this critical patch (8927890 – UPDATE FOR OBIEE 10.1.3.4.1 + 11833743 – UPDATE FOR OBIEE 10.1.3.4.1). All I can find is readme files that show nothing more than 8927890 – UPDATE FOR OBIEE 10.1.3.4.1 + 11833743 – UPDATE FOR OBIEE 10.1.3.4.1. Where in the world does one find the actual bugs fixed with these patches please? My corporation is in process of implementing this patch and I am responsible for ensuring the application is properly tested afterwards. Without knowing the functionality changed with this critical patch, it is almost impossible to determine how best to test.

    Thanks for any direction anyone can offer!
    Anne

    Comment by Anne — April 3, 2012 @ 01:47

