Oracle ATG


On-Premise Patches

  • 1.  On-Premise Patches

    Posted 08-30-2018 10:03
    Are you not sure if you are current on the latest patches for ATG and Endeca On-Premise? Patch sets are detailed on My Oracle Support in 'Oracle Commerce ATG Product Version Numbering and Patch Downloads' (Doc ID 1486966.1). For Endeca On-Premise, patches are detailed in 'How to Locate Patches for Oracle Commerce Guided Search' (Doc ID 1644960.1). PipelinePros will be working closely with Oracle Support to share details as new patches are released, and these will be shared in the PipelinePros Newsletter and this thread.

    Jesse Howard
    PipelinePros, Oracle Commerce User Group
    Lexington KY

  • 2.  RE: On-Premise Patches

    Posted 08-30-2018 11:58
    If anybody is planning to run Oracle Commerce 11.3 on JBoss EAP 7, there are a few patches you will need. It is shocking that Oracle isn't proactively pushing these to customers because the application is insecure and unusable in a production environment without these patches:

    Bug 27578976: When running on JBoss 7.0 EAP, http-only and secure options are not configurable. This means it is not possible to set your JSESSIONID cookie with the "secure" and "HttpOnly" flags, which opens the application up to XSS attacks.

    Bug 27507725: HTTP Session leak with JBoss 7.0. Sessions are never garbage collected, so the application will run out of memory fairly quickly in a production environment depending on traffic and heap size.

    Bug 27740904: Combined defect including inability to apply a hotfix, CLASSPATH order not preserved, NPE with CreateUnpackedEarTask.

    Joe Conaty
    VP, Business Development
    Commerce Architects
    Spokane WA