cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need to share some code when posting a question or reply? Make sure to use the "Insert code sample" menu option. Learn more! X

CPS update purported to correct bundled Pro/Intralink OracleDB security issues did nothing

Go to solution
Invisigoth
16-Pearl
16-Pearl
‎Jul 10, 2019 10:13 AM
‎Jul 10, 2019 10:13 AM

CPS update purported to correct bundled Pro/Intralink OracleDB security issues did nothing

This is a followup to this topic that I marked as solved.  Marked prematurely, it seems.

 

CPS-14 was successfully installed on the production system last week.  The customer reports that the security scan fails with all the same exact issues originally reported.  I am digging back in with PTC Support.  Also looking into the possibility of "false positives".  For example, one of the items flagged is for DB version 12.1.0.1 and another for version 12.2.0.1. The version of Oracle that is in use is 12.1.0.2.

Labels:
0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
Invisigoth
16-Pearl
16-Pearl
(To:Invisigoth)
‎Aug 28, 2019 09:53 AM
‎Aug 28, 2019 09:53 AM

Final word on this from PTC:

The flagged vulnerabilities are fixed in Oracle DB 12c.R2.

For this scenario, that means a full upgrade from Pro/Intralink 11.0 to Pro/Intralink 11.1, minimum.

Cannot run 12cR1 on the 11.0 release.

 

View solution in original post

0 Kudos
Notify Moderator
3 REPLIES 3
dnordin
16-Pearl
16-Pearl
(To:Invisigoth)
‎Jul 10, 2019 02:21 PM
‎Jul 10, 2019 02:21 PM

When Oracle is patched, the base version reported is still the same (12.1.0.1). Unless the scan tool is smart enough to examine what patch version(s) is(are) installed on top of the base installation, it will always report issues. This could be why the scan reported the exact same issues. I'd recommend asking the customer if the scan tool is specifically examining the oracle patch version(s) or just the base version information. Running a quick search for "how to determine oracle patch level", I found: Use the OPatch lsinventory utility to determine the current patch version for any given Oracle home in the system. You can also use the utility to retrieve a full list of patches, with their corresponding IDs, for a given Oracle home. Did you happen to run the above utility (or something similar) to be able to compare the oracle patch list before and after the CPS install? Regards, Dan N.
0 Kudos
Notify Moderator
Invisigoth
16-Pearl
16-Pearl
(To:dnordin)
‎Jul 10, 2019 03:21 PM
‎Jul 10, 2019 03:21 PM

Thanks Dan.  I did not run the scanner tool (it's Nessus, BTW), the customer, or his security team, did and sent me the results.  I have no idea how it was configured. 

 

I've done lots of reading this week and found some interesting resources on how this tool figures out what versions are in use.  I will need to have that conversation with the customer about that eventually, but want to ensure I've done my homework.

 

For example, there are several hits on Java.  When I compare Oracle's "supported affected versions" against the version reported by \Windchill_11\Java\release, it shows 'JAVA_VERSION="1.8.0_202"', which is not on that list.

 

Even the  32 and 64bit JREs installed on the machine are not versions that show as "supported, affected" on the Oracle list.

 

Even found the same for some of the hits on the Oracle DB itself, where the affected version is not the one in use.

 

Thanks for the tip on OPatch.  I found an OPatch directory at \ptc\Windchill_11\osa\ocpu\OPatch.  Will try it out.

 

Actually, this was the location and command that produced output:

 

ptc\Windchill_11\osa\oracle\12.1.0.2\OPatch>opatch lsinventory

 

 

 

 

 

0 Kudos
Notify Moderator
Invisigoth
16-Pearl
16-Pearl
(To:Invisigoth)
‎Aug 28, 2019 09:53 AM
‎Aug 28, 2019 09:53 AM

Final word on this from PTC:

The flagged vulnerabilities are fixed in Oracle DB 12c.R2.

For this scenario, that means a full upgrade from Pro/Intralink 11.0 to Pro/Intralink 11.1, minimum.

Cannot run 12cR1 on the 11.0 release.

 

0 Kudos
Notify Moderator
Announcements


Contact Community Management
Top Tags