Community Tip - Did you know you can set a signature that will be added to all your posts? Set it here! X
This is a followup to this topic that I marked as solved. Marked prematurely, it seems.
CPS-14 was successfully installed on the production system last week. The customer reports that the security scan fails with all the same exact issues originally reported. I am digging back in with PTC Support. Also looking into the possibility of "false positives". For example, one of the items flagged is for DB version 12.1.0.1 and another for version 12.2.0.1. The version of Oracle that is in use is 12.1.0.2.
Solved! Go to Solution.
Final word on this from PTC:
The flagged vulnerabilities are fixed in Oracle DB 12c.R2.
For this scenario, that means a full upgrade from Pro/Intralink 11.0 to Pro/Intralink 11.1, minimum.
Cannot run 12cR1 on the 11.0 release.
Thanks Dan. I did not run the scanner tool (it's Nessus, BTW), the customer, or his security team, did and sent me the results. I have no idea how it was configured.
I've done lots of reading this week and found some interesting resources on how this tool figures out what versions are in use. I will need to have that conversation with the customer about that eventually, but want to ensure I've done my homework.
For example, there are several hits on Java. When I compare Oracle's "supported affected versions" against the version reported by \Windchill_11\Java\release, it shows 'JAVA_VERSION="1.8.0_202"', which is not on that list.
Even the 32 and 64bit JREs installed on the machine are not versions that show as "supported, affected" on the Oracle list.
Even found the same for some of the hits on the Oracle DB itself, where the affected version is not the one in use.
Thanks for the tip on OPatch. I found an OPatch directory at \ptc\Windchill_11\osa\ocpu\OPatch. Will try it out.
Actually, this was the location and command that produced output:
ptc\Windchill_11\osa\oracle\12.1.0.2\OPatch>opatch lsinventory
Final word on this from PTC:
The flagged vulnerabilities are fixed in Oracle DB 12c.R2.
For this scenario, that means a full upgrade from Pro/Intralink 11.0 to Pro/Intralink 11.1, minimum.
Cannot run 12cR1 on the 11.0 release.