SP22_P1 Security Vulnerability

altquark
I was looking through the Knowledge Garden earlier today when I came across this notice:

Title: PeopleSoft EnterpriseOne Password Encryption Vulnerability

https://kgapps2.jdedwards.com/jdecontent/CUCSFlash/Flash/gsstf-04-0610.htm

High-Level Summary
The algorithm used to encrypt user passwords in OneWorld/EnterpriseOne applications has been compromised. A malicious database administrator may make use of this information to obtain user passwords.

All users who might have downloaded SP22_P1 in the past should probably update to ensure that the ESU has been applied. The ESU numbers are as follows:

For OneWorld® XE - ESU 6911235
For OneWorld® ERP 8.0 - ESU 6945128
For EnterpriseOne 8.9 (SP2_D1) - ESU 6929072

My guess is that if you're on B7332 or B7331 you're out of luck.
 
Beware when applying the SP22_P1 or the ESU, there are some caveats:
* You cannot roll back the service pack and ESU without restoring your F98OWSEC security table.
* Multi-foundation with the service pack is problematic since the instance running the new service pack will start writing passwords with the new algorithm.
* A bug with RUNUBE.EXE was introduced around SP22_M1 and will not be fixed in SP22_Q1.
* A bug was introduced around SP22_M1 which causes report interconnects to fail if OSAuthentication is enabled. This is scheduled to be fixed in SP22_R1.
 
This sucks.

Thought I'd just put that out there.

Trying to implement MF with SP22_P1 and I'm now quaking in my boots over these problematic issues.

I guess I have to hunt around for a copy of SP22_O1 - wish Peoplesoft would fix the QA process at JDE a little quicker !!!

Right now, I would NOT recommend implementing P1 since they're introducing some major code changes. I'd be looking at either SP22_L1 or waiting until 23rd Feb for R1.

 
How would I get a copy off a previous one off (like SP22_O1 )? Am I safe to do SP22 by itself?

Thanks!
 
Well, that's kind of my point. JDE regularly "retires" service packs upon a new one-off, and when they reach a disaster like this, there's nothing to do but wait until they fix it. Usually I save off the one-offs, but since they bundled the entire package, it's a little difficult to handle 800Mb or so each week.

As for your question regarding the use of the base version - there are known problems (hence the one-offs !)
 
Just some observations on the changes (as deduced from the code shipped with the ESU for this change):

Interestingly enough, it's only a half-fix for the encryption: when you change any passwords, they are still written to the F98OWSEC in the old format. The conversion happens only when the user first signs in.

So, before the user signs in, the system is as vulnerable as it always was.

You would expect that if they really wanted to fix this, they would've made it secure all around...

Regards,
Alex.
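The "half-fix" Alex describes above is a general pattern worth seeing in code: a credential store whose records are migrated to a new format only when each user next signs in, so every record that has not yet been touched stays readable by anyone who knows the old scheme. The block below is an added example, not code from the thread or from JDE/PeopleSoft; the "legacy" format is a constructed toy (fixed-key XOR) standing in for the compromised reversible encryption the advisory mentions, the "new" format is PBKDF2, and the table, user names and passwords are made up. It contrasts the lazy on-sign-in conversion with an eager bulk conversion (possible precisely because the old format is reversible), and includes the audit query an administrator would want: which accounts are still stored in the old format.

```python
import hashlib
import hmac
import os

# Constructed toy scheme standing in for the compromised reversible
# encryption. Anyone who knows the scheme (and this key) recovers the
# plaintext, which is the advisory's point. NOT JDE's algorithm.
LEGACY_KEY = b"toy-legacy-key"
PBKDF2_ROUNDS = 10_000  # low for the example; use far more in practice


def _keystream(length):
    reps = length // len(LEGACY_KEY) + 1
    return (LEGACY_KEY * reps)[:length]


def legacy_encrypt(password):
    data = password.encode()
    return "legacy:" + bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).hex()


def legacy_decrypt(stored):
    """Reversible: a DBA reading the table gets the password back."""
    data = bytes.fromhex(stored[len("legacy:"):])
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).decode()


def new_hash(password, salt=None):
    """Hypothetical replacement format: salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2:%s:%s" % (salt.hex(), dk.hex())


def new_verify(password, stored):
    _, salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_table(credentials):
    """A dict of user -> stored credential, standing in for the security
    table. Every row starts out in the old (reversible) format."""
    return {user: legacy_encrypt(pw) for user, pw in credentials.items()}


def lazy_sign_in(table, user, password):
    """The half-fix: a record is rewritten in the new format only when
    that user signs in successfully. Until then it stays readable."""
    stored = table[user]
    if stored.startswith("legacy:"):
        ok = hmac.compare_digest(legacy_decrypt(stored).encode(), password.encode())
        if ok:
            table[user] = new_hash(password)
        return ok
    return new_verify(password, stored)


def change_password_halffix(table, user, new_password):
    """As described in the thread: a password change still writes the old
    format, so the account is exposed again until the next sign-in."""
    table[user] = legacy_encrypt(new_password)


def eager_convert(table):
    """What a complete fix can do when the old format is reversible:
    convert every row at once without waiting for each user to sign in."""
    for user, stored in list(table.items()):
        if stored.startswith("legacy:"):
            table[user] = new_hash(legacy_decrypt(stored))


def legacy_exposure(table):
    """Audit: accounts whose stored credential is still recoverable."""
    return sorted(u for u, s in table.items() if s.startswith("legacy:"))


if __name__ == "__main__":
    # Constructed sample data.
    t = make_table({"alice": "pw1", "bob": "pw2", "carol": "pw3"})
    print("exposed before any sign-in:", legacy_exposure(t))
    lazy_sign_in(t, "alice", "pw1")
    print("exposed after alice signs in:", legacy_exposure(t))
    eager_convert(t)
    print("exposed after eager conversion:", legacy_exposure(t))
```

The audit function is the piece to keep: after applying a fix of this shape, the number of accounts still in the old format is the number a malicious DBA can still read, and it only falls as users happen to sign in.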
 
Damn and Blast... was just about to apply P1 and then just noticed the paragraph about the security vulnerability ESU - JD21150

If there are fundamental issues with P1.....introduced at M1 and unlikely to be fixed until R1 then that seriously throws out my current plans....hmmmm :(

Very glad I checked here too!

Anyone got a view on running with SP22_H1 instead (I have that sitting in Multi-Foundation)....I would appreciate your advice, at the moment we are running on SP21 and badly need Interactivity web features offered in SP22.

Cheers
 
Question about this ESU JD21150. Can you install this ESU on SP22_C1 "before" installing SP22_P1? What is the recommended installation order?

Blue Cross of Idaho, NT4.0, SQL 2K, SP21.
 
As a follow up to this, we installed P1 and didn't read all the instructions (on the last page): if using Multi Foundations, you need to copy your F98OWSEC to a new location and create a datasource and OCM mappings to the table. If you don't, it corrupts the record in the F98OWSEC because it stores the password using the new encryption.
 
I have a copy of SP22_I1. My enterprise server is an AS/400, but if you want it sent to you I can do. I know I wanted to test with HTML and was able to get SP_I1 through my 'customer relations' person at PeopleSoft.

Thanks,

Joanna
Briggs Corp
XE SP22_I1
Co-existent
Up.7
 