Re: Oracle Hyperion password disclosure...

[jeff.kayser () jibeconsulting com]

Sorry for the earlier attachment.  Here is what I wanted to communicate.

Jeff Kayser
Jibe Consulting | Oracle Principal Consultant
5000 Meadows Rd. Suite 300
Lake Oswego, OR 97035
O: 503-517-3266 | C: 503.901.5021
Jeff.kayser () jibeconsulting com


-----Original Message-----
From: Jeff Kayser 
Sent: Friday, September 04, 2015 10:46 AM
To: 'bugtraq () securityfocus com' <bugtraq () securityfocus com>
Cc: bruce lowenthal (bruce.lowenthal () oracle com) <bruce.lowenthal () oracle com>; Jeff Kayser (jeff.kayser () 
jibeconsulting com) <jeff.kayser () jibeconsulting com>
Subject: Oracle Hyperion password disclosure

Hello, all.
 
Oracle Hyperion Rapid Deploy installer leaves plaintext passwords in configuration files and logfiles.  Oracle has 
known about this issue for 2 years (see below).  Oracle says they have fixed the issue in the Hyperion 11.1.2.4 (the 
latest version).  I have not verified the fix.  Oracle has decided not to patch previous versions.  Customers running 
Oracle Hyperion are advised to review configuration files and logfiles for presence of passwords, and redact the 
passwords as appropriate.

Jeff Kayser
Jibe Consulting | Oracle Principal Consultant
5000 Meadows Rd. Suite 300
Lake Oswego, OR 97035
O: 503-517-3266 | C: 503.901.5021
Jeff.kayser () jibeconsulting com


From: Oracle Security Alerts [mailto:secalert_us () oracle com] 
Sent: Wednesday, September 02, 2015 1:04 PM
To: Jeff Kayser <jeff.kayser () jibeconsulting com>
Subject: Re: Fwd: Fwd: Re: SR 3-7766764311 : Hyperion Essbase Rapid Deploy: passwords disclosed in install logfiles

Hi Jeff,
           I wanted to follow up on this issue. This issue was fixed in the latest version of Hyperion (11.1.2.4) 
before it was GA . 

         The 'Rapid Deployment Installer' is not supported for use in a Production environment. The documentation for  
11.1.2.4 and 11.1.2.3 about Rapid Deployment reflects this. Hence we do not plan to release any patches for 11.1.2.3 , 
which is the version that introduced Rapid Deployment.

         Please let us know if you have any questions or concerns about this.

Thank you,
Umang Desai
Oracle Security Alerts

On 9/6/2013 1:01 PM, Oracle Security Alerts wrote:
Hi Jeff,

Thanks very much for the confirmation, much appreciated. We will evaluate other Hyperion products to make sure that we 
fix the clear-text password issue in all affected-supported product-release combinations. Once the issue is ready to be 
published in a CPU, we will give you credit in our advisory. You will receive monthly status update notes from us and 
we will also notify you once the issue is ready to be published.


-- 
Thanks,
-Ritwik

--
Best Regards,
Oracle Security Alerts


From: bruce lowenthal [mailto:bruce.lowenthal () oracle com] 
Sent: Wednesday, September 04, 2013 8:02 PM
To: Jeff Kayser <jeff.kayser () jibeconsulting com>; Chok Poh <chok.poh () oracle com>; NAGABHUSHAN.K.N () oracle com
Subject: Re: SR 3-7766764311 : Hyperion Essbase Rapid Deploy: passwords disclosed in install logfiles

Jeff:

Thanks for the input.    I'd like to see if we can handle this properly without needing outside encouragement unlike 
the E-Business Suite issue.

Chok:  Can you please make sure this Hyperion SR gets properly and expeditiously handled?  The last person that handled 
this SR was NAGABHUSHAN.K.N () oracle com.   Can you get me a status on Friday at the 10AM meeting.

Thanks
Bruce

On 9/4/2013 7:13 PM, Jeff Kayser wrote:
FYI
 
SR 3-7766764311 : Hyperion Essbase Rapid Deploy: passwords disclosed in install logfiles
 
Jeff Kayser
Jibe Consulting | Oracle Principal Consultant
5000 Meadows Rd. Suite 300
Lake Oswego, OR 97035
O: 503-517-3266 | C: 503.901.5021
Jeff.kayser () jibeconsulting com