11.2 - to patch or not to patch
Given recent events, it would be easy to have missed Oracle’s April release of quarterly update patches for on-premise Hyperion customers. The recurring question our Hyperion clients pose is “should we apply the patch or not?”.
Often the prompt to update Hyperion environments comes from IT. This is particularly the case where security exposures have arisen in underlying components such as WebLogic or JDeveloper, software that Hyperion requires in order to function properly.
There is a school of thought that says ‘...if it ain’t broken...don’t fix it’. And to some extent this still remains true, especially for customers running stable releases such as 11.1.2.4. However, as soon as a real issue does arise, the first question from Oracle will be ‘...are you on the latest patch release?’.
So what are the considerations?
This latest update covers much of Oracle’s product portfolio. That translates into mitigations for 398 security vulnerabilities. Wading through those to get to the Hyperion EPM-related patches - including the supporting back-end framework dependencies - is not trivial.
However, as administrators of EPM applications, we live in a world of ever-more stringent internal audits. So, there needs to be a balance struck between the ‘do nothing’ philosophy and the benefits of being fully compliant with internal IT standards, and fully aligned with Oracle’s issue triage process.
The criticality of these patches is scored using the CVSS v3 standard. The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities across software suppliers, with a Base Score of 10 being the most critical score.
Accounting for the criticality of these patches requires review of each update’s Base Score. It also requires that you consider the implications of applying each patch from both a functional application and an underlying technical platform perspective. For example, some of the latest security patches for WebLogic (technical) require the latest product patches (functional) to be applied at the same time.
Equally, support for more recent versions of Microsoft Windows Server and Microsoft Office may require Hyperion customers to run Oracle EPM release 11.2. In addition, patching of prior versions of EPM 11.1.2.x will smooth the transition to the upgraded 11.2 release.
So a proactive and managed approach to patch updates can help mitigate against:
- issues with IT audits
- risk of any unforeseen project and testing work required that may not be budgeted
- delays in responding to IT or business changes that mandate latest software versions.
Impact of upgrading to 11.2
If you are running Hyperion 11.1.2.4.209, patched up to date immediately prior to this Quarterly Critical Patch Release, then an update to 11.2 directly brings:
- several technical updates for Hyperion Financial Management (Maximum Base Score 4.2)
- a single technical update for Hyperion Financial Reporting (Maximum Base Score 2.4)
- no fewer than 12 technical updates for WebLogic Server 10.3.6.0 (Base Scores from 4.3 to 9.8)
- additional unrated dependencies (e.g. on underlying software components such as JDeveloper) required for implementing these updates.
If you are on an earlier 11.1.2.4.x patch level, or use additional EPM products such as Hyperion Planning or Oracle Essbase, then there are updates from previous Critical Patch Releases that may need to be applied.
By way of illustration, a recent patching exercise to bring an unpatched EPM 11.1.2.4.0 installation (comprising Hyperion Shared Services, Hyperion Financial Management, Hyperion Financial Data Quality Management and Hyperion Financial Reporting Studio) completely up to date (April 2020 releases) required:
- 8 patches for Hyperion Shared Services (HSS)
- 3 patches for Reporting & Analysis (HFR)
- 1 patch for Hyperion Financial Management (HFM)
- 10 patches for Hyperion Financial Data Quality Management (FDMEE) + 1 patch for Oracle Data Integrator (& Studio)
- 3 patches for Oracle Fusion Middleware
- 2 patches for Oracle HTTP Server
- 6 patches for WebLogic Server
Whilst you should always consider applying technical WebLogic security fixes, Oracle's stance can be quite contradictory when it comes to the application of functional patches. Generally, Oracle's recommendation is only to apply patches when there is a fix available for a current issue, or a specific need to upgrade in order to access new or enhanced functionality.
Unfortunately, the Oracle 11.2 release, and its 11.2.1 maintenance release offer little in new functional benefit to the end user. Most changes are technical.
That being said, recent WebLogic patches require the latest product patches to be applied too. This then imposes wider project implications, necessitating that you compile a log of any interdependencies before you plan updates, and their associated testing requirements.
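As an added example (not code from the original post), here is a small Python triage helper for the two steps described above: banding each update by its CVSS v3 Base Score, and ordering a patch inventory so that the functional product patches a technical WebLogic fix depends on are scheduled with it. The inventory, patch ids and prerequisites are constructed placeholders, not Oracle patch numbers.

```python
from collections import defaultdict
def cvss3_severity(score):
    """Qualitative band for a CVSS v3 Base Score (bands as in the CVSS v3 specification)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"Base Score out of range: {score}")
    for upper, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return label
    return "Critical"

# Constructed inventory (placeholder ids, not Oracle patch numbers); 'requires' is the interdependency log.
INVENTORY = [
    {"id": "WLS-PLACEHOLDER", "kind": "technical", "score": 9.8, "requires": ["HFM-PLACEHOLDER"]},
    {"id": "HFM-PLACEHOLDER", "kind": "functional", "score": 4.2, "requires": ["HSS-PLACEHOLDER"]},
    {"id": "HSS-PLACEHOLDER", "kind": "functional", "score": 0.0, "requires": []},  # unrated dependency
    {"id": "HFR-PLACEHOLDER", "kind": "technical", "score": 2.4, "requires": []},
]

def plan(inventory):
    """Apply order honouring prerequisites (Kahn's algorithm), higher effective score first.
    A prerequisite inherits the highest Base Score of anything depending on it, so the
    functional patches gating a critical WebLogic fix are scheduled with that fix."""
    by_id = {p["id"]: p for p in inventory}
    dependents, indeg = defaultdict(list), {pid: 0 for pid in by_id}
    for p in inventory:
        for req in p["requires"]:
            if req not in by_id:
                raise ValueError(f"{p['id']} requires unknown patch {req}")
            dependents[req].append(p["id"])
            indeg[p["id"]] += 1
    eff = {}
    def effective(pid, chain=()):  # max Base Score over this patch and its dependents
        if pid in chain:
            raise ValueError(f"circular prerequisites via {pid}")
        if pid not in eff:
            eff[pid] = max([by_id[pid]["score"]] +
                           [effective(d, chain + (pid,)) for d in dependents[pid]])
        return eff[pid]
    for pid in by_id:
        effective(pid)
    order, ready = [], [pid for pid, d in indeg.items() if d == 0]
    while ready:
        ready.sort(key=lambda pid: -eff[pid])  # most urgent of the ready patches first
        pid = ready.pop(0)
        order.append(pid)
        for d in dependents[pid]:
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
    return order, eff
```

With the constructed inventory the unrated Shared Services patch is scheduled first because the 9.8 WebLogic fix depends on it through the HFM patch, while the standalone 2.4 Financial Reporting patch drops to the end.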
11.2.1 and beyond
Oracle has confirmed extended support for HFM to 2031 via their Applications Unlimited programme. To benefit from this you need to plan in an upgrade to 11.2 and its latest maintenance release, 11.2.1, together with the prior patching considerations described above.
Hyperion EPM 11.1.2.4 is compatible with Windows Server 2008 & 2012 and Microsoft Office 2016. Some of our Hyperion customers have IT departments that are now advocating corporate standards of Windows Server 2016 / 2019 and the use of the latest Office 2019 releases. This requires an EPM 11.2 Hyperion platform.
Oracle will continue to provide Premier Support for release 11.1.2.4 versions of the EPM platform until December 2021. Our guidance would be to remain on 11.1.2.4 until 11.2.x installations are more established in the market, unless you are being forced to go down this route due to technical platform, or Microsoft Windows / Microsoft Office, mandates.
- Release 11.1.2.4 is supported until December 2021. Extended support beyond this requires that you be on 11.2.1 (Applications Unlimited).
- Applying all patches satisfies Oracle's latest security recommendations and paves the way for moving to 11.2.1.
- Latest Microsoft standards impose the need to run 11.2.x.
- Consider that patch interdependencies may now require functional patches to be applied in order to service technical patches.
- Plan for sufficient project and testing time to manage any 11.2.x upgrades.
How we can help
If you are facing pressure to move off legacy releases of Hyperion, do keep in mind that you have choices. Our consultants are well-versed in helping customers meet their IT Audit requirements, or in helping them validate technical and application upgrade implications. Follow the link below if you are interested in joining our next Hyperion customer round table, or are seeking an application or technical review.
Contact Us now if you would like further guidance.