Skip to main content
I
Invisigoth1-Visitor
1-Visitor
July 10, 2019
Solved

CPS update purported to correct bundled Pro/Intralink OracleDB security issues did nothing

  • July 10, 2019
  • 2 replies
  • 1570 views

This is a followup to this topic that I marked as solved.  Marked prematurely, it seems.

 

CPS-14 was successfully installed on the production system last week.  The customer reports that the security scan fails with all the same exact issues originally reported.  I am digging back in with PTC Support.  Also looking into the possibility of "false positives".  For example, one of the items flagged is for DB version 12.1.0.1 and another for version 12.2.0.1. The version of Oracle that is in use is 12.1.0.2.

Best answer by Invisigoth

Final word on this from PTC:

The flagged vulnerabilities are fixed in Oracle DB 12c.R2.

For this scenario, that means a full upgrade from Pro/Intralink 11.0 to Pro/Intralink 11.1, minimum.

Cannot run 12cR1 on the 11.0 release.

 

2 replies

D
dnordin16-Pearl
16-Pearl
July 10, 2019
When Oracle is patched, the base version reported is still the same (12.1.0.1). Unless the scan tool is smart enough to examine what patch version(s) is(are) installed on top of the base installation, it will always report issues. This could be why the scan reported the exact same issues. I'd recommend asking the customer if the scan tool is specifically examining the oracle patch version(s) or just the base version information. Running a quick search for "how to determine oracle patch level", I found: Use the OPatch lsinventory utility to determine the current patch version for any given Oracle home in the system. You can also use the utility to retrieve a full list of patches, with their corresponding IDs, for a given Oracle home. Did you happen to run the above utility (or something similar) to be able to compare the oracle patch list before and after the CPS install? Regards, Dan N.
I
Invisigoth1-VisitorAuthor
1-Visitor
July 10, 2019

Thanks Dan.  I did not run the scanner tool (it's Nessus, BTW), the customer, or his security team, did and sent me the results.  I have no idea how it was configured. 

 

I've done lots of reading this week and found some interesting resources on how this tool figures out what versions are in use.  I will need to have that conversation with the customer about that eventually, but want to ensure I've done my homework.

 

For example, there are several hits on Java.  When I compare Oracle's "supported affected versions" against the version reported by \Windchill_11\Java\release, it shows 'JAVA_VERSION="1.8.0_202"', which is not on that list.

 

Even the  32 and 64bit JREs installed on the machine are not versions that show as "supported, affected" on the Oracle list.

 

Even found the same for some of the hits on the Oracle DB itself, where the affected version is not the one in use.

 

Thanks for the tip on OPatch.  I found an OPatch directory at \ptc\Windchill_11\osa\ocpu\OPatch.  Will try it out.

 

Actually, this was the location and command that produced output:

 

ptc\Windchill_11\osa\oracle\12.1.0.2\OPatch>opatch lsinventory

 

 

 

 

 

I
Invisigoth1-VisitorAuthorAnswer
1-Visitor
August 28, 2019

Final word on this from PTC:

The flagged vulnerabilities are fixed in Oracle DB 12c.R2.

For this scenario, that means a full upgrade from Pro/Intralink 11.0 to Pro/Intralink 11.1, minimum.

Cannot run 12cR1 on the 11.0 release.

 

Terms & ConditionsCookie settingsAccessibility statement