06 February 2015

Hyperion Financial Management (HFM) 11.1.2.4.0 cannot be fully secured

(If you don't know what HFM is or does, look away now!)

If you work in the Oracle EPM space, you know that the long-awaited version 11.1.2.4.0 has finally been released, without much fanfare. For HFM, this release marks a major turning point: core services have been deeply modified in order to make them run on Unix/Linux, and ASP.Net was entirely removed from the stack, so that HFM can be officially supported on Exalytics system running Oracle Linux.

HFM is built on the Microsoft C++ stack, so it was an arduous task to make it portable without throwing away a decade of development efforts. To Oracle's credit, the mission was basically accomplished; however, *nix shops will likely not be too eager to deploy 11.1.2.4.0 in production environments just yet -- nor will traditional HFM customers. This release is rough, with quite a few functional bugs (taskflows cannot be displayed; the interface does not fully work in IE11; and so on), and unfortunately security was another casualty.

If you enable SSL for internal communication between EPM components, all services should encrypt their network traffic. In order to do that, they have to be manually configured, installing identity certificates required by the SSL protocol; this is a standard operation in Weblogic, and documented for other components in the Security Configuration Guide. Unfortunately, the HFM application server:

  1. is not a Weblogic instance (at least not officially -- will clarify this later)
  2. is not documented in the Guide yet.

Straight out of the gate we have a problem -- what certificate will HFM use? Nevermind, let's assume there is one hardcoded somewhere (shock, horror!). We simply enable full-SSL in Common Settings:

Then activate SSL support in the HFM Application Server configuration task:

And we can see in the EPM Registry that these settings have gone in:

We then configure the rest of the stack to use SSL (which is quite trivial, these days), increase logging here and there (good practice when enabling SSL, since it helps with troubleshooting), restart our services and... it all works! Great! Hold on, what is this in the HFM log?

[2015-02-06T01:11:05.087+00:00] [FM] [ERROR] [EPMHFM-65559] [oracle.FM.HSSUTIL.oracle.epm.fm.hssservice.RegistryWrapper] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hssservice.RegistryWrapper] [SRC_METHOD: getRegistryProperty] Invalid property isSSL for HIT Registry component app24. [2015-02-06T01:11:05.132+00:00] [FM] [WARNING] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [SRC_METHOD: init] An error occurred retrieving property isSSL from EPM registry, using default value :false. [2015-02-06T01:11:05.141+00:00] [FM] [ERROR] [EPMHFM-65559] [oracle.FM.HSSUTIL.oracle.epm.fm.hssservice.RegistryWrapper] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hssservice.RegistryWrapper] [SRC_METHOD: getRegistryProperty] Invalid property SSL_Port for HIT Registry component app24. [2015-02-06T01:11:05.141+00:00] [FM] [WARNING] [] [oracle.FM.HSX.SERVER.oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [tid: 10] [ecid: 0000KhSSAzEEgKYjLpqIOA1Kp1Ib000000,0] [SRC_CLASS: oracle.epm.fm.hsxserver.service.HsxServerServiceManager] [SRC_METHOD: init] An error occurred retrieving property SSL_Port from EPM registry, using default value :9092.[...] [SRC_METHOD: init] isSSLEnabled :false

Ouch, it looks like HFM is just ignoring our settings. Old-hat EPM infrastructure hackers at this point are probably thinking "Hold on, I know those 'not found' properties; they're usually seen on web-app nodes!" and that's exactly it. The HFM server fancies itself a web-app, and looks for web-app properties in its registry node; but that node is actually a custom non-standard type with non-standard properties "isSslEnabled" and "ssl_port" (lowercase).

To verify that HFM was not encrypting anything, I dusted off my miserable Wireshark skills and logged some network traffic.

As you can see in the screenshot, data originating from the HFM application server and using ports in the range used by HFM, are sending data down the wire completely unencrypted. Malicious actors could hide somewhere in your company network and silently siphon away all your precious financial data with minimal effort. If you care about security, you'll likely want to give this HFM release a wide berth, at least until this bug is fixed.

Bonus: The Strange Case of The Masqueraded Weblogic

As I mentioned above, the HFM application server is not officially a Weblogic instance. So why is it trying to look up registry properties typical of Weblogic instances? Maybe because it is, in fact, a bastardised Weblogic. If we look at the startup parameters configured in Windows Registry, we find the following:

What's that? A Weblogic parameter? Indeed it is. And why is it there? By default, Weblogic will use the cryptographic extensions found in the JDK (or JRockit) in which is running. By setting "nojce" to True, you can tell Weblogic to actually use its internal implementation of such extensions (which were probably developed by BEA back in the days, when crypto support in the JDK was a bit shaky). If you are bastardising weblogic, I guess you can also replace some of these classes with your custom versions, which is probably what Oracle was trying to do here.