Re: Oracle Hyperion password disclosure...
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Oracle Hyperion password disclosure...
- From: jeff.kayser@xxxxxxxxxxxxxxxxxx
- Date: Tue, 8 Sep 2015 16:49:52 GMT
Sorry for the earlier attachment. Here is what I wanted to communicate.
Jeff Kayser
Jibe Consulting | Oracle Principal Consultant
5000 Meadows Rd. Suite 300
Lake Oswego, OR 97035
O: 503-517-3266 | C: 503.901.5021
Jeff.kayser@xxxxxxxxxxxxxxxxxx
-----Original Message-----
From: Jeff Kayser
Sent: Friday, September 04, 2015 10:46 AM
To: 'bugtraq@xxxxxxxxxxxxxxxxx' <bugtraq@xxxxxxxxxxxxxxxxx>
Cc: bruce lowenthal (bruce.lowenthal@xxxxxxxxxx) <bruce.lowenthal@xxxxxxxxxx>;
Jeff Kayser (jeff.kayser@xxxxxxxxxxxxxxxxxx) <jeff.kayser@xxxxxxxxxxxxxxxxxx>
Subject: Oracle Hyperion password disclosure
Hello, all.
Oracle Hyperion Rapid Deploy installer leaves plaintext passwords in
configuration files and logfiles. Oracle has known about this issue for 2
years (see below). Oracle says they have fixed the issue in the Hyperion
11.1.2.4 (the latest version). I have not verified the fix. Oracle has
decided not to patch previous versions. Customers running Oracle Hyperion are
advised to review configuration files and logfiles for presence of passwords,
and redact the passwords as appropriate.
Jeff Kayser
From: Oracle Security Alerts [mailto:secalert_us@xxxxxxxxxx]
Sent: Wednesday, September 02, 2015 1:04 PM
To: Jeff Kayser <jeff.kayser@xxxxxxxxxxxxxxxxxx>
Subject: Re: Fwd: Fwd: Re: SR 3-7766764311 : Hyperion Essbase Rapid Deploy:
passwords disclosed in install logfiles
Hi Jeff,
I wanted to follow up on this issue. This issue was fixed in the
latest version of Hyperion (11.1.2.4) before it was GA.
The 'Rapid Deployment Installer' is not supported for use in a
Production environment. The documentation for 11.1.2.4 and 11.1.2.3 about
Rapid Deployment reflects this. Hence we do not plan to release any patches for
11.1.2.3, which is the version that introduced Rapid Deployment.
Please let us know if you have any questions or concerns about this.
Thank you,
Umang Desai
Oracle Security Alerts
On 9/6/2013 1:01 PM, Oracle Security Alerts wrote:
Hi Jeff,
Thanks very much for the confirmation, much appreciated. We will evaluate other
Hyperion products to make sure that we fix the clear-text password issue in all
affected-supported product-release combinations. Once the issue is ready to be
published in a CPU, we will give you credit in our advisory. You will receive
monthly status update notes from us and we will also notify you once the issue
is ready to be published.
--
Thanks,
-Ritwik
--
Best Regards,
Oracle Security Alerts
From: bruce lowenthal [mailto:bruce.lowenthal@xxxxxxxxxx]
Sent: Wednesday, September 04, 2013 8:02 PM
To: Jeff Kayser <jeff.kayser@xxxxxxxxxxxxxxxxxx>; Chok Poh
<chok.poh@xxxxxxxxxx>; NAGABHUSHAN.K.N@xxxxxxxxxx
Subject: Re: SR 3-7766764311 : Hyperion Essbase Rapid Deploy: passwords
disclosed in install logfiles
Jeff:
Thanks for the input. I'd like to see if we can handle this properly without
needing outside encouragement unlike the E-Business Suite issue.
Chok: Can you please make sure this Hyperion SR gets properly and
expeditiously handled? The last person that handled this SR was
NAGABHUSHAN.K.N@xxxxxxxxxx. Can you get me a status on Friday at the 10AM
meeting.
Thanks
Bruce
On 9/4/2013 7:13 PM, Jeff Kayser wrote:
FYI
SR 3-7766764311 : Hyperion Essbase Rapid Deploy: passwords disclosed in install
logfiles
Jeff Kayser
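
The review the advisory recommends (checking configuration files and logfiles for passwords and redacting them), as an added example that is not part of the original thread and not Oracle tooling. The key names, file suffixes and sample lines are assumptions constructed for illustration; the thread does not list the affected files or their format.

```python
import re
from pathlib import Path

MASK = "REDACTED"
# Assumed key names and file types; the advisory does not list the affected files.
SUFFIXES = {".log", ".properties", ".xml", ".txt", ".cfg"}
SECRET_RE = re.compile(
    r'(?i)(?P<key>[\w.\-]*(?:password|passwd|pwd)[\w.\-]*)(?P<sep>\s*[=:]\s*)'
    r'(?P<q>["\']?)(?P<val>[^\s"\'<>]+)(?P=q)'
)

# Constructed sample input, not real installer output.
SAMPLE = """\
db.user=hypadmin
db.password=Welcome1
2015-09-04 10:46:01 INFO configtool: adminPassword = "S3cret!" accepted
<bean jdbcPassword="hunter2" port="1521"/>
admin.password=REDACTED
"""

def scan_text(text):
    """Return (line number, key) for each unmasked secret; values are never returned."""
    hits = []
    for n, line in enumerate(text.split("\n"), 1):
        for m in SECRET_RE.finditer(line):
            if m["val"] != MASK:
                hits.append((n, m["key"]))
    return hits

def redact_text(text):
    """Replace every matched value with MASK, keeping key, separator and quoting."""
    return SECRET_RE.sub(lambda m: m["key"] + m["sep"] + m["q"] + MASK + m["q"], text)

def scan_tree(root):
    """Map each file under root with a suffix in SUFFIXES to its findings."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SUFFIXES:
            hits = scan_text(p.read_bytes().decode("latin-1"))
            if hits:
                report[str(p)] = hits
    return report

def redact_file(path):
    """Rewrite path in place, byte-preserving; no backup is kept, as it would retain the secret."""
    p = Path(path)
    p.write_bytes(redact_text(p.read_bytes().decode("latin-1")).encode("latin-1"))

if __name__ == "__main__":
    print(scan_text(SAMPLE))
    print(redact_text(SAMPLE))
```

Redacting the files does not retire the credential: any password found this way has already been readable on disk and should also be changed.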