Oracle Release Security Patches for Siebel

Oracle's  April  2013 quarterly  critical update contains eight (8) new security patches for Oracle Siebel CRM versions 8.1.1, and 8.2.2.  One (1) of the bugs can be remotely exploitable without authentication (that is, may be accessed over a network without requiring  a user name or password). This particular vulnerability has been given a CVSS base score of 6.0. 

How seriousness a threat this might turn out to be is measured according to the Common Vulnerability Scoring System (CVSS-SIG).  Information about Oracle's own flavor of CVSS-SIG can found in the  Use of Common Vulnerability Scoring System section of its website.

The modules where bugs are fixed include:

• Siebel Call Center
• Siebel Enterprise Application Integration
• Siebel UI Framework

The patches are scheduled to be released today, Tuesday April 16th.

Does Certification Matter?

An essay on Siebel certification by Alexander Hansal, Senior Principal Instructor at Oracle University

As an Oracle Siebel CRM instructor, I deal directly with certification on a regular basis. Companies like mine offer various kinds of credentials for users of their products. They also offer (and often require) certain training classes be completed before a candidate can sit for a certification exam. Over the last 13 years I have personally delivered many of these classes to students who later took exams. Frequently I am also asked to teach preparation workshops for companies that want to certify a group of their staff at the same time.

If I ask my students the value of IT certification I can get any response from “worthless piece of paper” to “the ultimate career booster”. When I ask them about the reason they are pursing certification most of them tell me:

“My employer wants me to be credentialed, so they can put me on this project”

This may be because most of my students work for either systems integrators or the IT departments of large corporations but they are representative.

In general, certification seems to split the IT community into camps of people who either loathe or love certification. Typing “does certification matter?” into your favorite search engine will yield plenty of blog posts, articles and documents on the topic. The essence of these in a nutshell is IT certifications are often used as filter criteria by HR especially for junior level staff but they are not always an accurate measure the real-life experience of the worker. The comments sections of these pages are full with stories related to a certified worker who didn’t have a clue how to accomplish the even the simplest of job tasks.

So the undeniable value of certification for most people is that it helps them secure a job in the first place. When a corporation invests thousands or millions of dollars or Euros in a system, the minimum requirement that those tasked with delivery can actually accomplish the job for seems to be the certificates they hold and this is especially true for third party consultants.

So, yes, to many of us, certification does matter.

How Decision Makers Regard IT Certifications

The split regarding the value of certification also shows in the following diagram which is based on a survey conducted by CompTIA in of 800 IT managers in the United States.

Image Source: CompTIA

The questions regarding “baseline set of knowledge”, “credibility”, “save me time and resources in evaluating” and “higher starting salaries” were agreed with by more than 50% of the managers and none of the statements was strongly disagreed more with than from 22% of the managers. This illustrates that most decision makers put value in certification but many of them do it only half-heartedly.

The next diagram from the same survey shows the factors used when evaluating IT job candidates.

Image Source: CompTIA

For 86% of the respondents, IT certifications are a factor for evaluating job candidates and for 52% of the respondents it is an essential factor. Yet experience far outweighed credentials when it comes to evaluating candidates. Factors which count even more than IT certification, include “quality of experience”, “record of steady growth”, “total years of experience” and “technical skills”.

Commitment

So while certification is no substitute for experience, I believe that when you pursue a career in IT, especially as in highly specialized area like Siebel CRM, you have to show commitment to your skills. Obtaining the certification is a reliable proof that you have made a commitment to become a true expert. But passing the exam in-and-of-itself does not make you an expert. Neither does memorizing questions much less skimming answers from a “brain dump”. It just shows a lack of commitment that will be revealed when you are face the first true challenges in the project.

Summing it up I would say that for those with decades of experience in the field, IT certifications may be something they hang on the wall and when they apply for new jobs, their experience will get them the position. Becoming an employee of a consultancy or systems integrator might make certification a necessity. But for the most junior employees certification combined with dedication and hard work will be the key to a successful career and a fulfilled work life

Further Reading:

Jeff Atwood from Coding Horror: Do Certifications Matter? 

Larry Dignan on the ZDNet blog: IT certifications matter, but validating them can be tricky 

Derrick Wlodarz on Technibble.com: 5 Reasons why IT certifications still matter 

Oracle University Certification Home Page 

Philadelphia Insurance Companies Wins “Contact Center of the Year”

Philadelphia Insurance Companies, a property/casualty and professional liability insurance company , was named the Gold Stevie Award winner for Contact Center of the Year in the Financial Services and Insurance Industry. The Stevie Awards for Sales & Customer Service recognize the achievements of call center, customer service, and sales professionals.

“We are very proud to receive this award", said Seth Hall, Vice President of Customer Service.  

Blog Post Describes How to Add Roll Up Views to Service Request Business Components

In his Siebel Essentials blog, Alexander Hansal describes how to create a roll up view of the Service Request business component similar to the Siebel Industry Applications (SIA) screen.  He writes:

"These views are part of the Global Accounts feature and provide some stunning insight into accounts that are part of a hierarchy. When you select a parent account, the views will show the rolled-up child records (activities, opportunities, etc.) for all child accounts in a single applet. A great resource for sales managers to get insight into a bigger account structure."

You can read more at Siebel Rollup Views.

How to Read the News About Siebel and Fusion

Source: Italian Voice

Lately there has been an unusual amount of news in the trade and financial press about Siebel software. The news is not really new and not really about Siebel. Instead most of it is about the merits of Oracle's (Nasdaq: ORCL) Application Unlimited strategy. For those unfamiliar with the term, Applications Unlimited is "Oracle's plan to continue enhancing our current applications product lines while simultaneously developing our next-generation Fusion Applications".

Oracle's web site is quite specific about continuing to support and invest in all the applications it owns and promising not to force existing customers to upgrade to new releases.  It also promises those customers who stay current on new releases will move closer and closer to Fusion as it evolves.

So far, Oracle has been well served by its Application Unlimited strategy. Although at the time I took a different view, when Oracle started acquiring companies, there was some doubt on the part of both customers and the financial community as to its intentions. Were they going to kill the products to eliminate competition? Oracle competitors painted a bleak picture of what was likely to happen both to application customers as well as the applications themselves should the acquisitions move forward. So far none of those dark scenarios has come to pass. Oracle has continued to fix bugs, make enhancements, and even, according to the analyst's rankings, offer market leading functionality in some key areas. 

Back in the day, because Oracle had not done any major acquisitions, there was also a lot of uncertainty as to how well the company would mange the often difficult task of merging different corporate cultures while still retaining value. Again these doubts  proved unfounded. Acquisitions have turned out to be a core competency of the company and Oracle has made billions in profitable revenue in the years since thanks to a culture that pushes decisions down to the right level in the organization.  

The Application Unlimited strategy has been a shining example of good decision making. Lately though, some people outside industry and in the trade press have begun to question it. They argue that by supporting Siebel, CRM on Demand, PeopleSoft, J.D. Edwards, and all the other applications in its product line, Oracle is allowing existing customers to delay, or even avoid, purchasing Fusion. They even point to greater percentage growth that SAP has achieved in the last few quarters as a proof point.

At the same time the Application Unlimited strategy has been questioned there have been a number of articles calling ORCL stock a good buy. My experience with the financial markets is limited, but generally if someone is pushing buying a stock is because they want to sell (although the reverse is not always the case). Since the company is, for the most part, firing on on all cylinders, one way to improve the balance sheet would be to sell a lot more Fusion to its installed base. In the short run, even an annoucement that Oracle is abandoning the Applications Unlimited strategy is likely to give the stock a bump up so the smart money can sell to the not as smart money.

Although Oracle makes plain its application strategy on its web site, it also hedges it commitment with the following language.

DISCLAIMER: THIS IS FOR INFORMATIONAL PURPOSES ONLY AND MAY NOT BE INCORPORATED INTO A CONTRACT OR AGREEMENT. THE DEVELOPMENT RELEASE AND TIMING OF FUTURE PRODUCT RELEASES REMAINS AT ORACLE'S SOLE DISCRETION.

How would changing the strategy effect the 25,000 or so people who develop, maintain, and support Siebel implementations for a living?  Well obviously it could effect them a great deal. In order to plan for the future, they need first of all to be aware of the issue and follow, and second, not to believe everything they read in the trade and financial press.

What Does a Siebel Administrator Do?

Although the work can be interesting, the requirements of the job of Siebel Administrator set it somewhat apart from other specialties. A Siebel Administrator can wear many hats in an organization, depending on the size and complexity of the Siebel implementation. Most Siebel jobs involve strong team work especially during development. The work of a Siebel Administrator (for the most part) is done individually, and follows a different rhythm than the soft development life cycle. Being a Siebel Administrator is sometimes like being a fireman!

First and foremost, a Siebel Administrator is responsible for keeping the various servers that a Siebel implementation depends on up and running. New implementations are rare, so that most of the time most of the work involves monitoring, maintenance, and troubleshooting.

Some of the skills a Siebel Administrator needs to have in order to be successful include a pretty thorough understanding of the Siebel Architecture, knowledge of Unix, Linux and shell scripting (since most Siebel implementations run on Unix Servers), and a general understanding of relational databases.

Like a fireman, who needs to work whenever there is fire, even on the nights, weekends, or holidays, a Siebel Administrator needs to work whenever there is a problem and work until the problem gets fixed.

The career path for a successful Siebel Administrator can lead to being a System Administrator, Siebel Architect, or Project Manager.

As long as there are Siebel implementations running, there will be a demand for Siebel Administrators and it is reasonable to expect you can retire as a Siebel Administrator.

Oracle offers Siebel 8 .1.x System Administration courses both online and in person.

This posting was prepared with help from Vishwas Bodani, William Russell, Will Greene and other talented Siebel Administrators who wish to remain anonymous. 

Is It Time to Move On from Oracle Siebel?

Has the Fat Lady Sung Yet?

If the fat woman in the Opera hasn't sung for Oracle Siebel quite yet*, she might be warming up her voice. Saleforce.com has adopted the industry lead from Siebel. Oracle itself has developed a successor product. Although Oracle adds some new customers every year, more organizations are turning off Siebel every year. At some point it will be time to move on. But are we at that point yet?

The Example of COBOL

50 years after it was first developed and 40 years after it was first declared obsolete the demand for people with COBOL skills has continued to grow and has never been greater. By the same token, the demand for Siebel skills has continued to grow year after year. Evidence of this can be found in the rise of wages paid to employees with Siebel experience. For the moment if you have developed Siebel expertise you can be confident one of the 4,500 companies that implemented the technology will give you full time employement or contract work, but that may change.

The Example of the Mainframe

It is a little known fact that IBM now sells more mainframes (by dollar value) now than it did in 1980. Year after year those companies that standarized on mainframes have found it more cost effective to continue to run than replace them with newer architectures. By the same token it still does not make business sense for many organizations to walk away from the millions of dolllars they invested in their Siebel implementations in favor of a new technology. As long as bugs continue to be fixed, new features added, Oracle or third party vendors continue to provide support, and a healthy maket for employees and contractors with Siebel skills exists the decision to turn off Oracle Siebel will be made case by case.

So What is Your Interest?

As an observer, I don't really care about Siebel technology but I do care about Siebel people. If some other technology replaces it and no one loses his or her job and no one get fired for being in the wrong place at the wrong time then great! But I fear that won't be case. Since the vendors have so much at stake financially it will be hard for them to be objective. You are busy with you life and your career an you might be so heads down that you won't see the sea change compning until its too late. Here is where the Siebel Observer can help - by acting as the canary in the coal mine. But you have to help me help you.

Our Mission

Drawing on our heritage as the best source of information about Oracle Siebel, our goal is to help you gage where Siebel is in its life cycle so you can best evaluate it as technology or as a career. Years of experience in the market, connections, and resources allow us to follow on this one technology better than anyone else. Although on the surface it seems like this should be a straightforward question, evaluating the career risk of working with Oracle Siebel is hard because most of the available information is not objective.

Help Support Our Mission

You can help support our mission to provide objective information about the current state of Siebel technology and evaluate the risk to your career by using the services provided on this site; job postings, job description writting, by subscribing to our newsletter. Think of it as an investment in your future.

*From the American sporting phrase, "It ain't over until the fat lady sings"

Westpac Purchases Siebel to Replace Mainframe Application

Banking Corporation (Westpac) one of the Australian "big four" banks and the second-largest bank in New Zealand has purchased Oracle hardware to run its MDM application, which is based on Oracle’s Siebel Universal Customer Master (UCM) solution. The solution enables Westpac to aggregate and manage customer data over the full customer lifecycle: capture of customer data, standardization and correction of names and addresses; identification and merging of duplicate records; enrichment of the customer profile; enforcement of compliance and risk policies; and the distribution of the “single source of truth” best version customer profile to operational systems.

As of November 2011, Westpac has 12.2 million customers, Australia's largest branch network with 1200 branches and a network of 2900 ATMs. The bank is Australia's second largest provider of home lending and Australia's and has the second most funds under management. The bank is Australia's largest business-banking lender and Australia's second-largest bank by assets.

Oracle Releases a Critical Patch

Oracle's  Winter  2013 quarterly  critical update contains ten (10) new security patches for Oracle Siebel CRM . Five (5) of them can be remotely exploitable without authentication (that is, may be accessed over a network without requiring  a username and password). This vulnerability has been given a CVSS base score of 5.0. 

How seriousness a threat this might turn out to be is measured according to the Common Vulnerability Scoring System (CVSS-SIG).  Information about Oracle's own flavor of CVSS-SIG can found in the  Use of Common Vulnerability Scoring System section of its website.

The Oracle Siebel CRM risk matrix is as follows:

CVE Identifier	Description
CVE-2012-1680	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Apps - Multi-channel Technologies). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Siebel CRM accessible data. CVSS Base Score 4.0 (Confidentiality impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N). (legend) [Advisory]
CVE-2012-1700	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel UI Framework). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Siebel CRM accessible data. CVSS Base Score 4.0 (Confidentiality impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N). (legend) [Advisory]
CVE-2012-1701	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Highly Interactive Web UI). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Siebel CRM accessible data. CVSS Base Score 5.0 (Confidentiality impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N). (legend) [Advisory]
CVE-2012-3168	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Core - Server Infrastructure). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel CRM. CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-3169	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Core - Server Infrastructure). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP . Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel CRM. CVSS Base Score 5.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-3170	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Core - Server Infrastructure). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel CRM. CVSS Base Score 5.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-3172	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Apps - Multi-channel Technologies). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel CRM. CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2013-0365	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Security). Supported versions that are affected are 8.1.1 and 8.2.2. Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Siebel CRM accessible data. CVSS Base Score 4.0 (Confidentiality impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N). (legend) [Advisory]
CVE-2013-0378	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Calendar). Supported versions that are affected are 8.1.1 and 8.2.2. Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Siebel CRM accessible data. CVSS Base Score 4.3 (Integrity impacts). CVSS V2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N). (legend) [Advisory]
CVE-2013-0379	Vulnerability in the Siebel CRM component of Oracle Siebel CRM (subcomponent: Siebel Calendar). Supported versions that are affected are 8.1.1 and 8.2.2. Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Siebel CRM accessible data. CVSS Base Score 4.3 (Integrity impacts). CVSS V2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N). (legend) [Advisory]

Due to possibility of an  attack,  Oracle recommends that customers apply these patches as soon as possible, but for more information see the Oracle Critical Patch Update Pre-Release Announcement - January 2013.

JotForm Test