OBIEE Security Alerts

Is there a metalink note which lists all CPU or security alerts for the OBIEE product?
We are currently applying the latest security patches for our various oracle products but cannot find any listing for OBIEE

I don't think there're any security patches for OBIEE, at least I'm not aware of any. I think that OBIEE isn't a security threat in itself, as long as your servers are secure.

Similar Messages

  • OBIEE Security 10g to 11g: Groups

    I had a Security scenario that I wanted to throw out to the forum...
    In 10g, we made use of the GROUP system variable to pull a users group membership from a database table. This was a Session Variable initialized upon each login.
    Data-level and object-level security was different for each group.
    In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
    In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could login once and see Dashboard A, swtich my role, then log back in and NOT see Dashboard A.
    I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
    My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based, my belief is that it is populated when the Admin Server/Managed Servers are bought up pulling from the applcable Security Provider.
    Edited by: DustinC on Jan 19, 2012 1:29 PM
    Edited by: DustinC on Jan 20, 2012 3:54 PM
    Edited by: DustinC on Jan 22, 2012 12:45 PM
    Edited by: DustinC on Jan 23, 2012 11:40 AM

    Q1. how deploy external database security(users, groups) to OBIEE 11g.
    we used external database security in 10g. all the users and groups maintained in database and obiee rpd has security groups. repository has group information only so it is deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
    Solution:
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
    Obiee11g is intergated with weblogic fusion middleware (Console,EM). in that console have feature to enable mulitiple LDAP authentication
    while configuring AD via weblogic console we need to give the users and group info
    Solution refer:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Thanks
    Deva

  • Report on OBIEE Security

    We use Default Authenticator and implemented the security using Weblogic console. Now my client want to see a report on the OBIEE security implemented; he want to see all the groups, roles, users listed and also interested in seeing what users and roles assigned to various groups for the project.
    Is it possible to read Weblogic security Metadata?
    Appreciate your thoughts on this.
    Thanks
    Bees

    Was my answer correct? If so, please indicate so (top right of my last post). If not, then what was your answer?

  • Can not see 5 security alert on OTN

    I can not see following alerts since 5/16/2003 from the URL
    http://otn.oracle.com/deploy/security/alerts.htm
    Could OTN please check to see what happend?
    oracle connection manager control SUID vulnerability
    oracle internet directory buffer overflow vulnerabilities
    oracle internet application server and web/portal vulnerabilities
    oracle enterprise manager backup and recovery vulnerability
    oracle SQL*net and net8 listener vulnerability

    Thanks- this was fixed.
    OTN

  • Alternate method of implementing EBS-OBIEE security

    We have tried implementing the EBS-OBIEE security as per Metalink Note ID 555254.1(without SSO). How ever, we realised that for cookie based integration to work, both EBS, OBIEE URL need to reside on the same domain. At client location, the applications are hosted in different domains.
    Any tested/proven alternative method, where we can pass the EBS responsibilities (say Operating Unit) to OBIEE?
    Regards
    KSK

    Hi all,
    yes, the session variable ':USER' is not picking the user name, but when i hard code it to 'BI_ADMIN" this works fine.
    i have tried the following formats in the place of ':USER':
    VALUEOF(NQ_SESSION.USER)
    VALUEOF(NQ_SESSION."USER")
    VALUEOF("NQ_SESSION.USER")
    UPPER(VALUEOF(NQ_SESSION.USER))- checking if any problem with case
    None of them worked.!!
    When I remove the whole " USR.USER_NAME=':USER'
    the sql runs fine..please help

  • Reader X - Getting Security Alert with a data filled PDF form

    My site uses PDF forms that have their data filled in dynamically by the classic asp code on the site. Before Reader X version, they were filled and displayed without a problem. With Reader X they display the security warning: "Data from this site is blocked to avoid potential security risks....." and the Options button to trust the site. I get this even thoguh it's the same site they are on already and I'm using an SSL cert for all files and I'm also using a direct link to generate the PDF.
    I know the user can just click the options and make the problem go away but many users seem unable to read and or panic when they see the alert.
    Is there a security setting or trust setting I can add or set in my form so that I will not get this security alert??

    No, apart from creating a certified document, but the user would still have to add you as a trusted source. If a document could override this, it would be rather pointless to have it in the first place.

  • Outlook Security Alert - "the name on the security certificate is invalid or does not match the name of the site"

    Due to our company changing names, we recently moved to a new domain. All users were at first getting a certificate error when opening Outlook "the name on the security certificate is invalid or does not match the name of the site." After our network
    admin made some changes, nobody receives this error anymore except one user. The URL at the top of the security alert is the old domain, mail.olddomain.com. I checked the users Exchange Proxy Settings in Outlook, everything is showing the URL's of the new
    domain so I'm not sure where this is coming from. I'm assuming it has to be something on her local machine since she is the only one who still gets the error.
    Thanks in advance for any help.
    Exchange server 2008
    Outlook 2010

    Hi,
    Please follow all above suggestions to confirm whether the issue happens in OWA. And run Test E-mail AutoConfiguration in Outlook to check whether there is any URL settings using the old domain.
    If the issue doesn’t happen in OWA and your URL configurations are all same as others and set correctly, please create a new Outlook profile to have a try.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Exchange 2010/Outlook 2010 Security Alert (...there is a problem with the site's security certificate.)

    I've been looking to resolve this issue for a while now and was hoping someone could help me understand my options.
    We have Exchange 2010 & Outlook 2010 in our environment. I've created a SSL cert for our ActiveSync from a reputable CA and unfortunately, as you may not be surprised, we are seeing an alert each time we open Outlook that states:
    "Security Alert; Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
    The name on the security certificate is invalid or does not match the name of the site."
    Of course my internal server name does not match my external server name. So the SSL I had created for use with OWA and ActiveSync is rejected by my internal Outlook clients.
    After doing some research I believe this is related to the Autodiscover service being configured with my internal server name and not my external name. 
    I've found some info about adding New-AutodiscoverVirtualDirectory and Set-ClientAccessServer commands and then found this article that might help.  (Configure
    Outlook Anywhere to Use Multiple SSL Certificates) but nothing is specific to my configuration and I'm concerned about what will happen to my existing configuration if this fails. 
    What happens when you run Set-ClientAccessServer? Does it retain and keep the old server config in place and add a new one or does it wipe it out? Will all of my devices need to be reconfigured?
    Same with New-AutodiscoverVirtualDirectory.  Does this simply add another virtual directory or is it going to overwrite my existing config?
    Then there is the question of whether or not any of this will actually address my issue at all.
    absolutezero273c

    Sorry.
    "[PS] C:\Windows\system32>Set-ClientAccessServer -Identity MailExt -AutoDiscoverServiceInternalUri "https://MailExt
    .contoso.com/autodiscover/autodiscover.xml"
    The operation couldn't be performed because object 'MailExt' couldn't be found on 'DomainController2.contoso.local'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-ClientAccessServer], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 4D980455,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer"...is the error I get.
    I've created the split zones and populated the Forward Lookup Zones as follows:
    CONTOSO.COM
    MailExt(CNAME)MailInt.contoso.local
    _tcp _autodiscover(SRV)MailExt.contoso.com
    CONTOSO.LOCAL
    MailInt(A)192.168.1.10
    MailExt(CNAME)MailInt.contoso.com
    One thing I did notice is that there isn't a _tcp _autodiscover entry for MailInt in my Forward Lookup Zones.  It was recommended that I make that entry for _tcp _autodiscover(SRV)MailExt.contoso.com in another post I read somewhere.
    I believe what I am trying to do is create a new autodiscover object as is shown here:
    I see there is a Get-ClientAccessServer & Set-ClientAccessServer command but I need to add a CAS. Does the Set-ClientAccessServer add or simply modify?
    Or would that require the New-AutodiscoverVirtualDirectory command? I read
    this page that discussed creating new virtual directories but that seemed a little risky without knowing all the ins and outs of how this service functions and to what degree this would affect the existing configuration.
    I was able to use the Set-ClientAccessServer command and change the actual internal autodiscoverUri to https://MailExt.contoso.com/autodiscover/autodiscover.xml but the name still says MailInt and I continue to get the SSL cert warnings because it is looking
    at MailInt.contoso.local.
    absolutezero273c

  • Safari is frozen by a fake security alert, how do I resolve?

    Safari is frozen by a fake security alert.  How do I resolve on my MacBook Air using IOS 8.1.2 
    Error Message:
    "Safari - Alert
    Your Browser has been Locked because of Possible Infections found in your Machine. Due to which your Browser Might be Corrupted because of Suspicious Activity found.
    Major Security Issue
    For Immediate Assistance through our Apple Certified Technicians CALL:
    +1-855-337-8048 (Toll Free)"
    Thank you!

    The following comes from user stevejobsfan0123.
    Occasionally, a browser window may pop up with a scam message. Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus, and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. Most of these scammers, if you actually call the number, will ask you to install software giving them remote control over your computer. Do not do this either. This article will outline the solution to dismiss the pop-up.
    Quit Safari
    Though you will probably have to quit Safari, you can first try closing the tab by pressing Command + W. Sometimes, however, these pop-ups will not go away by attempting to close the tab, nor by clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.
    Relaunch Safari
    If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.
    This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.
    None of this Worked!
    If pressing Command + W does not work, and force quitting Safari and restarting the application with the Shift key held down does not get rid of the pop-up you will have to reset Safari. Normally, this can be done by launching Safari, then in the menu bar, going to Safari > Reset Safari. However, most pop-ups of this variety will block access to many of the drop-down menus in the menu bar. You will need to locate a file on the computer and move it to the trash. Make sure you quit Safari first (force quit if necessary).
    To start, open Finder. The press Command + Shift + G, or in the menu bar, select Go > Go to Folder. Type the following file path:
    ~/Library/Preferences
    Look for a file named com.apple.Safari.plist, and drag it to the trash. Then restart your Mac. After it reboots, try launching Safari. A new preferences file should have been automatically created, so no more action is required on your part, and the pop-up should now be gone.
    The Source of the Scam
    In addition to the FBI scam, there are a few webpages with bogus technical support pop-ups or "security alerts," claiming you have a virus as described earlier. These webpages include but are not limited to:
    macsecurityissue.com
    helpmetek.com
    applesecurityalert.com
    websternal.net
    newsalert.report-o.com
    mac-system-alerts.com
    geek-techies.com
    system-connect.com
    instants-pc-fix.com
    flasherrordetector.websiteviruscleaner.com
    safaricontact-help.com
    system-logs.info
    customer-help.in

  • Oracle Security Alert #48

    Does Oracle Security Alert #48 (bug 2642117) - Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server effect Oracle 8i v 8.1.6.0 database?
    I know the Oracle Alert states it effects Oracle 8i v 8.1.7, but I'm not sure if that would mean it effects older releases like v 8.1.6.0.
    Thanks

    Some clips:
    "Products Affected
    Oracle9i Database Release 2v, Version 9.2.x
    Oracle9i Database Release 1v, Version 9.0.x
    Oracle8iDatabase,Version 8.1.x
    Oracle8 Database, Version 8.0.x"
    "Currently there are no plans to release a patch for 8.0.5.x, 8.1.5.x, 8.1.6.x."

  • Air application throws security alert every time 'HTTPS' request made to server.

    Have a look at the following screenshot.
    On click of next button, application internally sends an https request. Appliction throws Security Alert dialog. The text can also be seen clearly.
    Strange thing about this alert dialog is that, it appears every time when application send a request in given session.
    If I run the same thing in flex (i.e. in browser), it asks for SSL handshake and that is also only once. So why it is happening here in case of Air.
    Regards,
    Prithvee Zankat.

    Back up all data. From the Safari menu bar, select
    Safari ▹ Reset Safari...
    Check these boxes:
    Clear history
    Remove all website data
    Uncheck all other boxes. Press return. Test.
    If Safari crashes immediately on launch and you can't do as above, hold down the shift key and launch it by clicking its icon in the Dock, then try. Failing that, ask for guidance.

  • Wrong PDF on Security Alerts Page

    On the Security Alerts page (http://otn.oracle.com/deploy/security/alerts.htm) there is a link next to "Buffer Overflow Vulnerability in Oracle9iAS Reports Server Alert #35, 05 June 2002" which links to a document called http://otn.oracle.com/deploy/security/pdf/reports6i_alert.pdf
    This document is actually a copy of the document for a different vulnerability "Buffer Overflow Vulnerability in Oracle Net (Oracle9i Database Server) Alert #34, 05 June 2002"
    Please fix it so we can read about the 9iAS Reports Server Alert!
    Thanks,
    -Otto

    Hi Otto,
    This should now be fixed on OTN but please let us know if you encounter any difficulties.
    Regards,
    OTN Team

  • Norton security alert high memory use for a specific file shared by millions

    current version microsoft xp. computer frequently goes into a scan type mode followed by a norton security alert high memory usage. causes major slowdown in system use

    current version microsoft xp. computer frequently goes into a scan type mode followed by a norton security alert high memory usage. causes major slowdown in system use

  • Java error - Oracle Security Alert for CVE-2010-4476

    I have come across this security alert described at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.htm l
    In summary - Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.
    This vulnerability affects:
    Java SE
    JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
    JDK 5.0 Update 27 and earlier for Solaris 9
    SDK 1.4.2_29 and earlier for Solaris 8
    Java for Business
    JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
    JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
    SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
    Java for MacOS X 10.6 update 3 updates Java to SE 6 to version 1.6.0_22.
    Is anyone aware of new Java update for Mac that will fix this problem? If one doesn't exist, does anyone know when a new update will be available?
    Thanks.

    Hi Hussein,
    have you applied this? Please can you update?
    Our environment: 11.5.10.2 (9.2.0.7)running on HP-UX PARISC. We are using Jinitiator. We are not yet migrated to J2SE Plugin.
    So, since the sercurity patch is for JRE, is that still required for our environment?
    Please advise?
    Edited by: oraDBA2 on Feb 13, 2011 9:12 PM

  • TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

    Hi,
    I'm looking to implement the following oracle document about COST but not sure what we need to do for Standby Environment ,
    Can you guys please advise.
    Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
    Oracle Security Alert for CVE-2012-1675
    Thanks

    user097815 wrote:
    with regrads to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"....i just wanted to find out if this effect DB that are externally or internally....meaning 95% of our DB are in network(internally) behind our firewall....and rest of the 5% are outside our firewall facing the world wide web....so does this apply to both of just one ?The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - if this attack is used, securing your Listeners mean very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems then someone attacking your Listeners.

Maybe you are looking for