Tools release upgrade for patching Oracle vulnerabilities

rival
Dear All,

in January Oracle released another patching document.
https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJDE

As you can see, JD Edwards 9.2 is affected. After searching you can find out that the only method of fixing this is to install the latest Tools release 9.2.4.1(2)

I created a SR and requested a POC from Oracle to create a patch fix for our current TR. Oracle answer: we will not do this as this method of installing the latest TR is standard for years already.

Some questions:

Are you aware that a TR is the only way of patching these security issues?
Are you updating to the latest TR 4 times a year when Oracle publishes the patching document? If not, what is the strategy used to minimise these risks?

If you are surprised as well then I hope we can combine our strengths to ask Oracle to create patches for existing tools releases.

Regards,

Ron
 
Sorry to burst your bubble, but that's not gonna happen. They never did and they never will (probably). You might have a chance if you ask for one specific fix from that vulnerability list but not the whole thing.
 
From the link you posted, under the component column, it looks like the issues were actually in the version of Jackson and jQuery third party libraries -- so they probably had to update to newer versions of those libraries with the patches, which probably involves rebuilding the entire JAS client.

In other words, a fix would look a lot like an entire update to all of JAS, except that version wouldn't have been put through JDE's QE process.
 
A new Update:

We just finished the project to update the tools release to 9.2.4.2 because this was advised in the January patch update.

Guess what!!!!!

The April patch update is released... And again, for some high-risk vulnerabilities, we need to upgrade to tools release 9.2.4.3.

I guess 98% of the customers are not on the latest TR, so they are potentially vulnerable to all kinds of attacks..

info:

Oracle Critical Patch Update (CPU) April 2020 for JD Edwards EnterpriseOne and World ( Doc ID 2658974.1 )

Please click on "JD Edwards EnterpriseOne Tools & JD World" and it will open a PDF that has all the details:

Resolution(s)
CVE-2020-2733 ( bug 30324204 )
• JD Edwards EnterpriseOne Tools – Monitoring and Diagnostics – v9.2: Apply latest patch using JDE E1 Tools dot release of 9.2.4.3

CVE-2018-11058 ( bug 30318689 )
• JD Edwards EnterpriseOne Tools – Enterprise Infrastructure Security (Oracle Security Service) – v9.2: Apply latest patch using JDE E1 Tools dot release of 9.2.4.3

CVE-2019-1547 ( bug 30340665 )
• JD Edwards EnterpriseOne Tools – Enterprise Infrastructure Security (OpenSSL) – v9.2: Apply latest patch using JDE E1 Tools dot release 9.2.4.3
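The "Resolution(s)" block quoted above is the only place the CPU document ties a CVE to the Tools release that fixes it, so the practical question each quarter is "which of these CVEs is still open on the TR we actually run?". The script below is an added example, not part of the post and not an Oracle tool: it parses that resolution layout (CVE line, bug number, bulleted component line ending in a dot-release version), then compares the installed TR against the fix version numerically rather than as a string, so 9.2.4.10 is correctly ranked above 9.2.4.3. The sample text is constructed to mirror the three entries quoted above; the `Resolution` type and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the CPU resolution section quoted above.
# Whitespace and the en dash separators mirror the PDF text; a hyphen is also
# accepted below because some PDF-to-text tools flatten the en dash.
SAMPLE = """\
Resolution(s)
CVE-2020-2733 ( bug 30324204 )
• JD Edwards EnterpriseOne Tools – Monitoring and Diagnostics – v9.2: Apply latest patch using JDE E1 Tools dot release of 9.2.4.3

CVE-2018-11058 ( bug 30318689 )
• JD Edwards EnterpriseOne Tools – Enterprise Infrastructure Security (Oracle Security Service) – v9.2: Apply latest patch using JDE E1 Tools dot release of 9.2.4.3

CVE-2019-1547 ( bug 30340665 )
• JD Edwards EnterpriseOne Tools – Enterprise Infrastructure Security (OpenSSL) – v9.2: Apply latest patch using JDE E1 Tools dot release 9.2.4.3
"""


@dataclass
class Resolution:
    cve: str
    bug: str
    component: str
    product_version: str      # the "v9.2" family the entry applies to
    fixed_in: tuple           # Tools release as a tuple of ints, e.g. (9, 2, 4, 3)


# "CVE-YYYY-NNNN ( bug NNNNNNNN )"
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*\(\s*bug\s+(\d+)\s*\)", re.M)

# "• <product> – <component> – v<family>: ... dot release [of] <TR>"
BULLET_RE = re.compile(
    r"^[•*-]\s*(?P<product>.+?)\s+[–-]\s+(?P<component>.+?)\s+[–-]\s+v(?P<pv>\d+(?:\.\d+)*):"
    r".*?dot release(?: of)?\s*(?P<tr>\d+(?:\.\d+)+)",
    re.M,
)


def parse_tr(version: str) -> tuple:
    """Turn '9.2.4.3' into (9, 2, 4, 3) so comparisons are numeric per component."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_resolutions(text: str) -> list:
    """Extract one Resolution per bulleted fix line under each CVE heading."""
    found = []
    # Entries are separated by blank lines; each block is a CVE line plus bullets.
    for block in re.split(r"\n\s*\n", text):
        head = CVE_RE.search(block)
        if not head:
            continue            # e.g. the "Resolution(s)" title with no CVE
        cve, bug = head.groups()
        for b in BULLET_RE.finditer(block):
            found.append(Resolution(cve, bug, b["component"].strip(),
                                    b["pv"], parse_tr(b["tr"])))
    return found


def outstanding(resolutions: list, installed_tr: str) -> list:
    """Resolutions whose fix TR is newer than what is installed, i.e. still open."""
    installed = parse_tr(installed_tr)
    return [r for r in resolutions if installed < r.fixed_in]


def report(text: str, installed_tr: str) -> str:
    """Human-readable summary of open CVEs for the given installed Tools release."""
    open_items = outstanding(parse_resolutions(text), installed_tr)
    if not open_items:
        return f"TR {installed_tr}: no outstanding CVEs in this resolution list"
    lines = [f"TR {installed_tr}: {len(open_items)} outstanding CVE(s)"]
    for r in open_items:
        fix = ".".join(str(n) for n in r.fixed_in)
        lines.append(f"  {r.cve} (bug {r.bug}) {r.component}: needs TR {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The situation described in the thread: upgraded to 9.2.4.2, then the
    # April CPU asks for 9.2.4.3.
    print(report(SAMPLE, "9.2.4.2"))
    print(report(SAMPLE, "9.2.4.3"))
```

Keep a copy of each quarter's resolution text next to the installed TR in your CMDB and re-run this after every CPU; the list of open CVEs is what you take to the risk discussion below, and the numeric comparison avoids the classic mistake of a string sort ranking 9.2.4.10 below 9.2.4.3.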
 
Rival,

This will be never ending. If you don't expose JDE on the web, you need to consider if the risk is truly high.

Tom
 
I agree with Tom. In order to build in the capabilities we love and need, the architecture becomes more vulnerable. Our focus is on server/pc/device and browser security. Also, user security is very important. We have a company that creates educational quizzes and random pseudo attacks so our users learn to question and identify problem situations. We strongly encourage users to ask questions and let us know about suspicious documents. This is particularly important as attacks change over time.

These newer tools releases can also have more bugs in them, given the new layers and push to evolve new functionality like Orchestrator, so trying to stay on the leading edge tools release for security reasons could introduce flaws that disrupt the business unless you are doing very thorough testing each time.
 