Is Your Oracle Payroll Support Paying Off?

Dave Bass | VP Global Support Services 

Enterprise payroll relies on periodic tax and regulatory updates to function effectively. Tax rates and regulations change constantly, including revisions to federal, state, and local income tax withholding tables, which is why payroll support is critical and complex. These taxes can change throughout the year, so without timely updates to the withholding tables, companies cannot apply the correct rates and policies. 

Oracle Payroll customers with fully supported E-Business Suite (EBS) releases solve this issue through Oracle updates via quarterly and year-end patches. This works well until the product goes out of support, and those update patches stop. As of January 1, Oracle customers running EBS 12.1 or earlier get no Payroll support from Oracle—it’s not included with Sustaining Support. 

Those specifically on EBS 12.1.3 can purchase Oracle’s Market Driven Support (MDS), which is more expensive and provides some updates, but at Oracle’s discretion. Notably, MDS is not an ongoing solution. It’s merely a stop-gap support measure until 2023 for customers planning to upgrade to EBS 12.2. 

Because the need for ongoing tax and regulatory updates never stops, what can EBS Payroll customers do? 

Superior Oracle Payroll Support at a Far Lower Cost 

Fortunately, companies running Oracle EBS 12.1 and earlier can keep getting critical Payroll update patches without upgrading or relying on MDS by switching to Spinnaker Support. Increasing numbers of Oracle Payroll customers are moving to Spinnaker Support, and they get more than just continued Payroll update patches; they get superior-quality live support at an average 62% lower cost.

As an added bonus, Spinnaker Support delivers Payroll update patches not just quarterly as Oracle does, but every month, further reducing the chances of costly mistakes. The cost of tax and regulatory updates is included in our normal support service, so if a customer brings its EBS environment to us, the updates are part of the service if they’re running Oracle Payroll. 

We Support the Vertex Integration 

Oracle EBS Payroll uses Vertex as its taxation partner to calculate U.S. federal, state, and local taxes. Each customer is required to maintain its own Vertex license to receive the updates. When Payroll runs, it goes through the Vertex engine, which supplies the relevant tax amount information so that Oracle EBS can make the correct net payroll calculation.  

Customers can still use their same Vertex licenses when they switch to Spinnaker Support, which has its own proprietary Oracle/Vertex integration.  

You Have a Clear Choice 

Surveys show that 70% of Oracle EBS users are happy with their current versions of EBS, and a growing number are taking advantage of third-party resources from Spinnaker Support to keep their EBS running smoothly, including those using Oracle Payroll. Spinnaker Support can provide all the tax and regulatory updates and Vertex integration support that a customer might need to run their payroll accurately and effectively. 

So, if your company is running Oracle Payroll and getting good value from EBS 12.1.3 or earlier, the choice is clear: switch to expert third-party Oracle EBS support from Spinnaker Support. We can help to relieve tax update headaches, eliminate end-of-month and end-of-year closing headaches, and deliver higher value for your overall EBS investment. Explore your options today.

How Leading Organizations Optimize Their Database Infrastructure for Modernization and Cloud Migration

For most modern enterprises, data is the ultimate asset. That’s why, in recent years, one of the key strategies for successful businesses we’ve assisted is the improvement and transformation of all aspects of the data infrastructure. Regardless of whether the database is Oracle, SAP, Microsoft or open source, the focus on data availability, accessibility, and security can pay off handsomely. 

We also see that businesses quickly run into a number of roadblocks put there by their legacy database platforms. While older platforms have the advantages of stability and customization, they may not easily integrate with cloud-based solutions or the latest ERP, or they may not be well tuned or configured for security. This can put a business at competitive or operational risk. 

Aberdeen Strategy & Research has come to a similar conclusion. In recent research, they determined that the organizations that lead their markets are the ones that have deployed database modernization strategies. By re-designing their data foundations, they have reduced data complexity, improved overall security, and increased their ability to be agile and innovative. 

Aberdeen discusses the latest trends in enterprise database strategy in “How Leading Organizations Optimize Their Database Infrastructure for Modernization and Cloud Migration.” This new knowledge brief applies recent market research to discuss the challenges and missteps that can come with database modernization and how leaders effectively build a data infrastructure foundation. 

 

Download your copy today. 

What You Need to Know about JD Edwards Release 22

Brian Stanz | Vice President, Global Support Services

And just like that, EnterpriseOne 9.2 is Release 22! 

Wait…what happened? 

Oracle designated a new name for the latest JD Edwards EnterpriseOne release: Release 22. I view this as primarily a ‘marketing’ change. Nothing under the covers, as far as release numbering, has changed. You will still see Apps 9.2 and Tools 9.2.x throughout the documentation.   

Are you confused yet? Well, you don’t have to be.   

Oracle has decided to realign the JD Edwards EnterpriseOne 9.2 releases with how it publishes Oracle Database and Oracle Tech Stack releases. Going forward, releases will be named for the year published. So, Release 22 is for the calendar year 2022. You may see updates to Release 22 through 2022, and I would suspect that towards the end of 2022 you will start hearing about Release 23.  

Here’s a list of questions I’ve been answering for our customers. 

Is Release 22 a major upgrade release? 

The answer is no. This release follows the same pattern as the previous continuous innovation releases. There will be some application updates and new Tools innovations. For Release 22, you can find the details on the Oracle website.

And of course, the JD Edwards team at Spinnaker Support is well trained and ready to help you with all your Release 22 questions and needs, including Digital Transformation (Orchestrator), UX One, and System Automation enhancements through our managed services offerings. 

Do I need to take this release? 

Well, that is totally up to what you need from it. After looking through the list of changes, I would suspect that unless you asked for a specific fix or enhancement from Oracle, you probably do not need this update. Check back to this blog post series as we’ll dive deeper into some of the new features contained in Release 22 and what they really mean for your business. 

How do I evaluate the support-cost benefit? 

Finally, you may be asking, why do I keep paying these extremely high maintenance costs to Oracle for minimal functionality changes and a self-service support model? Spinnaker Support can help you re-allocate and save some serious capital for other important IT projects, while at the same time giving you a much more robust service offering.  

If you would like to discuss how we can address the critical challenges in your JD Edwards ERP and make your life easier, please reach out today.

Employee Spotlight Series: Mic Buchanan, Senior Database Administrator

Larry Goldman | Senior Director, Product Marketing

In this installment of our employee spotlight series, we’re pleased to introduce you to Senior Database Administrator Mic R. W. Buchanan. Mic specializes in managed services and consulting for Microsoft SQL Server and Oracle Database. She joined Spinnaker Support in August 2021 as a part of the Dobler Consulting acquisition.

Spinnaker Support is proud to be recognized as one of the largest and most effective global vendors of database managed services, and Mic Buchanan and the rest of our database team are the reason. Our seasoned database professionals have become a trusted support resource to our growing roster of customers, and every year, they earn high customer satisfaction ratings.

Hello, Mic. What can you tell us about your role at Spinnaker Support?


Hi, I’m a Senior Database Administrator for Oracle and SQL Server. I work with our SpectrumDB Managed Services team, which supports our clients for installation and deployments, upgrades, maintenance, patching, day-to-day issues, and even projects—basically, all things database for Oracle and SQL Server. My team integrates with the client’s IT staff, whether supporting their DBA or becoming their DBA.

How did you get started in your career?

I graduated from University of Missouri at Rolla, and believe it or not, I didn’t take a single database class in college. I trained as a Linux Sysadmin and Unix C programmer, and Linux is still my native environment. When I see a prompt in a terminal window, “ls” is always the first command, even if the DOS prompt gets all finicky and says it doesn’t understand.

I’ve worked in managed services roles for several years now, supporting Oracle/SQL Server databases for companies all over the world. I put in the time to stay current in the technologies my clients use. I really enjoy solving whatever issues clients throw my way. It makes work fun and interesting and definitely keeps me on my toes!

When and why did you get started in database technology?

My first job out of college was working as a functional programmer—think basic “if-then” statements. It took me around three months to move into programming in Unix-C full time. From there I discovered PL/SQL and Oracle, and a year after that I became a full-time database programmer and consultant, mostly extending Oracle EBS code.

I learned the Oracle data dictionary early on, which guides extensions with wide-ranging applications—everything from manufacturing to HR to workflows to projects. It’s always challenging to extend Oracle code while making sure my work won’t be undone by patches.

My customizations work evolved into custom application database development. After that, I had the opportunity to move into DBA, my dream job! Now when I say, “I had the opportunity,” what I mean is, my mentor basically threw me into the job of DBA after I pushed the database one too many times while playing with parallel processing for a massive data project. After waking him up late at night a few times to bring the DB back up or tweak a parameter, he pushed management of all the DEV/UAT boxes to me. Then, a year or so later, he moved on, and I took his place.

After I’d worked for about five years as an Oracle DBA, the market for Oracle DBAs in Oklahoma was stagnating, and so I shifted to SQL Server, and Oracle took a back seat. When I joined Dobler, I had the opportunity to do my work 100% remotely, and I also got a better balance between Oracle and SQL Server clients.

It’s been a long road, with many interesting challenges and chances to work on many interesting puzzles, and it’s also been a lot of fun. This team is amazing. Without them, I wouldn’t be able to do what I do.

What do you most like about working with your customers at Spinnaker Support?

In a word, “variety.” I thrive on it, and I have an awesome mix of clients. Some of them follow my recommendations to the letter, and their systems have fewer issues. Some don’t, and then I get to solve some very interesting puzzles. I love digging into an issue and going “elbow-deep” until the solution comes into focus.

I was very excited recently to have an opportunity to help with one of our third-party support clients. I did a detailed database assessment and identified several issues that were impacting performance. Assessments are a wonderful way to help clients meet their goals and understand the tremendous impact of bringing our managed services experience and support to enhance their internal teams.

Do you have a recent example of going “above and beyond” to help a customer?

Yes, about two years ago, one of my clients had a developer who’d suddenly become very ill and had to leave. This developer/DBA had had free rein to develop and design a database and application. The application was very slow, and the data warehouse had ballooned to more than 6 TB. I wrestled with how to make the database smaller and more efficient. There were plenty of fits and starts, and it was a very demanding project, but in the end, I reduced the database to 1.6 TB.

Reports that had taken 5-6 hours to run now ran in 15 minutes. It took a huge amount of effort, but I’m proud of the work I did, and I’m ecstatic that it all worked out. The best part is that the client was way beyond “satisfied” with the work. I mean, they’d expected some improvement, but they were just blown away with the level of performance they ultimately got.

What’s one piece of support advice you would give to a database customer?

Follow database standards. If the database technology recommends something, don’t ask why, just do it. It will make your system easier to maintain, and over the lifetime of the system, it’ll save you money.

What do you like to do when you’re not working miracles for your clients?

I absolutely LOVE to travel. I visited Guatemala recently, over the holidays, which was wonderful. I’m planning an island-hopping trip to Greece, or maybe hiking the Incan Trail in Peru. I am not sure which one yet, but either way, it’ll be great!

I am also really into martial arts. I’m a level-5 kick boxer, and I’m working on my Blue Belt in Taekwondo. I’m at the gym four nights a week. I’ve been doing it for about 10 years, and it’s a great way to both stay in shape and reduce stress and relax after a long day of mental labor. Sometimes, when I get a little wound up at home, my kids will say, “Mom, are you going kickboxing today?”

I have to say, the kids really keep me grounded and remind me of what’s important in life. They’re the center of my world, and they inspire me to make our family as self-sufficient as possible. We have chickens, and I love to grow vegetables in my garden. “Dirt therapy” is a real thing! “Nix,” our Great Pyrenees dog, helps with the chickens and guards our family like a champ.

Winning Strategies to Achieve Salesforce Success, Part 3

John Lange | Senior Manager, Product Marketing 

In Part One of this blog post series, we reviewed the high-level findings from the third-party research report titled, “Winning Strategies to Achieve Salesforce Success.” The research delves into the key strategies that Salesforce decision makers, architects, developers, and administrators reported they used when conducting major Salesforce projects. In Part Two, we drilled down into the first winning strategy: how to kick off major Salesforce projects.  

In this post, we review the second winning strategy that revolves around every programmer’s favorite word: Agile. 

Winning Strategy #2: Be Agile – Roll Out New Functionality Incrementally  

Companies may be tempted to go with a “Big Bang” approach when rolling out new Salesforce features and functionality by releasing a large swath of updates across a business. There may be a time and place for that approach, such as launching a new cloud. But research indicates that method is more likely to fail than succeed and should be avoided unless absolutely required.  

The research recommends an Agile approach that allows businesses to release functionality at a consistent pace that users can absorb. Incremental deployments are less likely to disrupt a business, and they mitigate the risk of failure. This approach puts elements of the new features into play before an all-at-once approach could, and that generally makes for happier stakeholders, customers, and users.

Here’s What Survey Respondents Had to Say: 

“Use an iterative approach not only to get the most important user stories handled first, but to keep making room for user feedback.” 

“What’s worked for us is creating precise, small rollouts. Keep sprint planning tight. Agile is not just a project management shift, it’s a mind shift to apply to every step of the work.” 

“Deliver changes incrementally starting with the biggest business problem, then addressing the next-biggest problem. This gets the most urgent needs fixed first rather than making everyone wait for everything.” 

“Plan the implementation to roll out in chunks and make sure users are involved throughout. A lot of their feedback on one release will inform your work on the next release.” 

Access the Full Research Report 

This report, “Winning Strategies to Achieve Salesforce Success,” provides you with advice and lessons learned from seasoned Salesforce professionals that are achieving Salesforce success.  

Spinnaker Support invests in third-party research so that the market has important insights about how to realize their Salesforce aspirations. 

Download the complete research 

Let Us Help You Realize the Full Power of Salesforce 

To learn more about how we help businesses capitalize on their Salesforce investment, check out our managed services offerings and consulting capabilities. 

Video: How Application Managed Services Improves Integrity Reporting for JD Edwards Customers

John Lange | Senior Manager, Product Marketing

Integrity reporting is a sensitive topic for many JD Edwards admins and engineers. Notification of any imbalance in a software table is the equivalent of a five-alarm fire. Not good!

When integrity problems arise, financial reports are incorrect, which is a serious problem. At times, the culprit for integrity reporting issues and batch errors can be the interfaces.

In our newest video, Dale Wade, Spinnaker Support’s Manager of Support Services for JD Edwards, details how Application Managed Services helps customers proactively ensure that reporting is accurate, timely, and reliable. Dale also reviews how Spinnaker Support coordinates z-file processes for global companies, saving them time and eliminating their stress.

Watch the Video Now!

We Are Ready to Help You!

Many JD Edwards customers are familiar with CNC technical managed services, which include proactive maintenance and monitoring, code updates, system health checks, and security review and design.

But Spinnaker Support goes beyond CNC services to offer an array of Application Management Services (AMS). With AMS, we become responsible for identifying out of balances for you – and then take action. Our customers appreciate the hands-on experience we provide because it makes their lives easier through staff augmentation, advisory, and additional technical know-how that’s ready at a moment’s notice to solve serious problems.

If you would like to discuss how we can make your life easier, by addressing the critical challenges in your JD Edwards ERP, please

Spinnaker Support: Helping Companies Achieve Excellence Everyday

6 Things to Know about Oracle’s Tactics if You’re Considering Third-Party Support

Larry Goldman | Senior Director, Product Marketing 

If you have contracts with Oracle, you already know the tech behemoth is a master of making you feel powerless. Whether you’re contending with contract changes, renewals, or an audit process, leverage with Oracle always seems to be in short supply. 

Meanwhile, serious dollars are at stake for your company. Third-party support can be an excellent opportunity to save your company money. But Oracle uses support fees to practically fund the company’s existence, and its contracts were written to all but ensure you require Oracle’s support in perpetuity. 

While Oracle would have you believe there’s no path to a third-party provider, it’s simply not true. Thousands of organizations have already made the switch. Your challenge is often timing: Many support contract renewals are set for May 31, the end of Oracle’s fiscal year. This means now is the time to fully understand your contractual and operational situation. 

Knowing Your Contractual Rights and What Oracle Might Do 

Oracle contracts are designed to lock you in, maximize your spending, and open the door for penalties. So how can you use your contractual rights to your advantage when dealing with Oracle? To answer this, we reached out to Evan Boyd, vice president of business development at Software Licensing Consultants (SLC), a Spinnaker Support partner that specializes in all-things Oracle licensing.  

“It’s a great question but a complex one because no company has the same products or contracts,” Boyd said. “For each SLC client, we go deep into very specific strategic licensing plans and defense. At the same time, we work to educate Oracle customers on what to do and expect during the renewal period.” 

Boyd offered these six insights: 

  1. Know your contract, usage, and rights.
    Before you utter a word to your rep (if you even do that) you need to know your agreements forward and backward. Oracle certainly does. If you’re trying to move toward a third-party relationship, read the contract, know your rights, and ensure your organization is compliant. Otherwise, your good intentions could further trap you in your current circumstances. “Oracle will instruct you on issues not actually represented in your contract and even give you misleading or false information about what’s allowed,” Boyd said. “Never take Oracle’s word for it.” 
  2. Different contract end dates aren’t showstoppers.
    If you have multiple Oracle contracts with various end dates and a product you want to dump, that product may be tangled up in more than one agreement. Your Oracle rep would have you believe that, because of this, you can’t drop anything. That just isn’t true, but you need to know how to navigate the contracts.  
  3. Matching service level agreements can be confusing.
    A “license set” means all products related to each other via code base (e.g., Oracle Database), and “matching service levels” refers to Oracle’s policy that prohibits the canceling of support of a subset of products from within a license set. So, if you want to leave support for some versions of Oracle Database but not others, you will violate the contract. This can get complicated, so you must understand which products are on which contracts. Oracle will use this to insist you can’t move to third-party support. However, you can negotiate with them or move everything to third-party support and avoid these technicalities. 
  4. Pay for what you use, not what you own.
    When you’re getting support from Oracle, you pay support for everything within a support contract. It doesn’t matter what you use or don’t. If you prefer to pay for coverage on what you use rather than all the Oracle products you own, then a move to third-party support makes sense. 
  5. Don’t fear the audit.
    Many companies want to save money by moving to third-party support but freeze up in fear of a possible audit, where penalties often range well into the millions. Regardless of what your Oracle rep may say, this is not an audit situation. “Audits generally arise when your rep suspects there is reason for an audit that will bring them significant revenue,” Boyd said. “When you move to third-party support, you should always have a license assessment done to know your true license position based on how Oracle would audit.” 
  6. Oracle wants you in the Cloud — don’t do it.
    There has been a lot of noise in recent months about Oracle Executive Chairman Larry Ellison’s push to become a major player in the Cloud space, and sales reps are working hard to push customers toward Oracle Cloud Infrastructure (OCI). But with the Oracle Cloud comes forced Oracle support because, as with all Oracle support, it’s what’s best and most lucrative for Oracle. For existing customers, this Cloud push can come in the form of settling audits by forgiving penalties in exchange for coming aboard OCI, something Boyd says he’s seen frequently of late. This is also a strategy to get your on-premise licenses hosted on OCI under the guise of reducing future risk of license exposure. Once you’re on OCI, you’re required to maintain support with Oracle directly and it will be difficult to ever move to another provider. 

Understanding Your Operations and Preparing for a Discussion

If you have complicated contracts, it’s important to speak to an expert. At the same time, you need to move the process forward. We recommend these steps: 

5 steps to free yourself from Oracle

  1. Make sure you understand the basics of third-party support.
    This could be through researching the solution, comparing third-party support features and benefits against Oracle (e.g., for EBS), referencing online reviews in trusted places like Gartner Peer Insights, and learning about the customer experience.
  2. Make sure you allocate enough time. 
    The length of an evaluation process can vary, but you will always speed up this process with thoughtful preparation. Beginning with the vendor kickoff meeting, you should establish a schedule and work to understand potential bottlenecks, dependencies, and deadlines. We have seen customers transition in less than a month, but others can take multiple months if there is less consensus and a slower organizational pace. 
  3. Build your business case. 
    Building your internal case does not have to be time-consuming or complicated. Work with IT decision makers and focus on areas like estimated savings calculations (here’s a handy online savings calculator), how much or little you’re utilizing patches or updates and whether there’s a growing backlog of tickets. 
  4. Gather the data required for discovery.
    Under a mutual nondisclosure agreement, the third-party vendor will begin the discovery process. You’ll likely be asked to complete a Product Questionnaire. The more the vendor knows about your Oracle needs, the more quickly and completely it can offer a reasonable estimate of cost and timing. 
  5. Engage your internal stakeholders early.
    Who will you need to enlist for Oracle negotiations? Who will help make the decision to switch to third-party software support? In addition to IT, this could include stakeholders from legal, security and finance. Carefully think this through and assemble your team early to be able to make the Oracle contract deadline. 

Hear from the Experts

Given the popularity of this topic, we reached out to industry experts who have helped Oracle customers navigate the challenging landscape of annual support contracts. The result is “6 Must-Know Oracle Tactics to Address if You’re Considering Third-Party Support,” an on-demand webinar that covers the topics above – and more.  

Join Evan Boyd, Vice President of Business Development at Software Licensing Consultants, and Bob Ludlam, Vice President and General Manager – Americas at Spinnaker Support, for a practical discussion of your contractual rights under Oracle and how to get ready to discuss third-party support. This includes two recent case studies of businesses that have gone through the process of switching support from Oracle. Watch it now.

Your Next Steps? 

If you have any questions regarding best first steps, contract rights or building your business case, reach out to us for a brief consultation. We’re glad to advise you on whether third-party support is the right fit for you and how to move forward confidently before May 31. 

UK Perspective: Relying on Oracle Software Support – a Dangerous Game?

Martin Biggs, Vice President and General Manager – EMEA 

Major companies using Oracle software may be surprised to hear that the support packages they are paying big bucks for maybe aren’t quite as comprehensive as they first thought. 

Oracle offers Premier Support packages for the first five years for most of its products. After that, if customers just love their current Oracle software support, they can buy Extended Support for an additional three years. If they continue to use the software after that period and do not upgrade, then Oracle will move them to Sustaining Support for as long as those product versions are supported. 

Oracle Database and Fusion Middleware, often the data workhorses of large companies’ operations, were originally big, complicated deployments that involved a sizable financial outlay into the bargain. Understandably, those companies aren’t that keen to constantly change or fully upgrade them. Oracle ultimately wants to move customers off older legacy software versions and support, thus keeping the cost of support and resources down.

However, if companies manage to resist the charms of their Oracle sales executive when it comes to migrating to the cloud, preferring features that are not offered within the cloud products, they will instead usually relax with the safety net that is Oracle Extended Support. What they may not realise is that the next stage of support to keep the wheels on the wagon – Sustaining Support – comes with a significant cost and offers far fewer features and much less protection. 

Left Exposed by Sustaining Support 

While Oracle customers do get access to old fixes and the right to upgrade to the latest version, they DON’T get new bugs fixed or security updates. As cyber security and ransomware threats proliferate, this leaves many of the biggest companies in the world in a precarious position. 

Even when common, well identified vulnerabilities impact this older software, Oracle only patches the newer versions. 

Oracle is currently encouraging organisations to upgrade to its Version 19 Database. There is nothing wrong with running Version 11, for instance, as it is a stable and trusted version. But if something goes wrong, Oracle’s typical response is: ‘You must upgrade’. This can be an incredibly expensive, risky, and time-consuming activity, with near-zero additional benefits for many. 

At Spinnaker Support, we specialise in third-party software support for all versions of Oracle software. Recently, we onboarded a European telecoms firm for its Oracle Billing systems and Fusion Middleware. Their CIO was shocked to realise that over half of their databases don’t receive security updates from Oracle as they are over 8 years old. In fact, this has become problematic for a large portion of Oracle’s customers.  

Gartner has predicted: “The third-party software support market will grow from $351 million in 2019 to $1.05 billion by 2023 — a 200% increase.”1 No wonder enterprise executives are seeking these options.

A Wider Issue in the UK 

Our estimation is that in the UK alone, in the energy/utility, big retail, and banking sectors, up to 80% of organisations may well be on Oracle Sustaining Support, which means that some elements of the country’s critical national infrastructure are not fully protected from security threats.  

If something goes wrong, who will be responsible, and who will take the flak, when Oracle inevitably ends support with no option but to upgrade the software?

View the full article here.

 

1 Gartner, Inc., “Predicts 2020: Negotiate Software and Cloud Contracts to Manage Marketplace Growth and Reduce Legacy Costs,” Jo Liversidge, Frances Karamouzis, Rob Wilkes, David Groombridge, James Smith, Christiaan Murphy, Dolores Ianni, December 18, 2019 

How Spinnaker Support Successfully Addressed the Log4j Vulnerability

When prospective customers ask me how we handle security issues, I explain our Security Philosophy and describe our Seven-Point Security Solution. For many, that’s enough assurance, but others can be more skeptical, wanting to understand exactly why we are confident in our capabilities. To answer that, I’d like to offer the story of how we addressed a recent, notorious vulnerability, and how we were able to provide a response to customers much faster than Oracle could. 

The Vulnerability that Made the News 

On November 24, 2021, researchers discovered a new vulnerability in a key piece of open-source software. On Thursday, December 9, the National Vulnerability Database published the information. When the cybersecurity world woke up the next day, it learned of the zero-day vulnerability (one that is announced but has not yet been patched) and reviewed its attack vectors. It was evident that the scale of the exploitation was going to be astonishingly difficult to comprehend. 

Due to the popularity of the affected software tool and its usage in most enterprise software, this vulnerability sent shockwaves through the software industry. Publishers were in a race against time to patch their products to mitigate the vulnerability. And the saga was far from over: new variants of the exploit started to emerge as well. 

This vulnerability is called Log4Shell (base CVE number of CVE-2021-44228), and you’re likely to have heard of it by now. It’s also widely referred to as “Log4j,” the name of the Apache logging library behind it. Everyone was talking about it, and we published recommendations for JD Edwards users in December.  

What is the Log4j issue? 

Let’s dig a little deeper to understand why this vulnerability is so problematic. Log4j is an open-source Java logging library developed by the Apache Foundation. This library is used to log events and messages for development, operational, and security purposes. It’s free, and so it’s widely used in enterprise applications from various vendors including Oracle, SAP, and IBM, to name a few. So, it’s really out there. 

The vulnerability within Log4j came down to its “message lookup substitution” feature being enabled by default. This feature allows users to specify custom code for formatting a log message. Using this JNDI-based feature, an attacker could execute arbitrary code on a vulnerable system, gaining control of it with a view to performing more intrusive and disruptive actions. Hence, this is classified as a Remote Code Execution (RCE) vulnerability.  

To put it simply: the Log4j vulnerability has an extremely low attack complexity coupled with high-impact metrics, which is why this CVE (Common Vulnerabilities and Exposures) gained the highest possible CVSS score of 10.0 (CRITICAL). The fact that enterprise applications with Log4j are widely deployed in the global software ecosystem means that most companies likely have it in their systems. Any organization that has deployed enterprise software from one of the major vendors in IT should be concerned about this vulnerability. 

Here are a few good sources if you want to find more on this vulnerability. 

How did we handle it? 

Software publishers are concerned only about their software, so they practice security by throwing “one-size-fits-all” patches (one after the other) at customers. They have no regard for the stability of customers’ complex and potentially customized systems or the rest of the technical stack.  

Spinnaker Support takes a holistic “customer first” view of security. Our mitigations are not only based on industry standards but are developed for the long term and take existing customizations into consideration. Our global security team always stays ahead of the curve by keeping abreast of emerging vulnerabilities in the cybersecurity landscape.  

As soon as the Log4j vulnerability was published, we immediately started analyzing it and were able to distribute our first draft response within two days. We kept our customers continuously updated with the emerging developments on this vulnerability to provide additional assurance on our service. 

In the case of Log4Shell, there were five separate vulnerabilities (to date) associated with it. The attack vectors for the Log4Shell CVEs have fallen into two categories: either exploitable Java code or Log4j configuration.  

The process for the CVEs targeting the Java class included steps to find all log4j-core*.jar files and remove the offending class from each of them. The process for the 3 CVEs for configuration settings was to provide steps to check the configuration settings and remove the non-default configurations.   

In comparison, how did Oracle handle it? 

As mentioned above, Log4j is an open-source library developed by Apache Software Foundation. It is not code that Oracle specifically wrote. Hence, any enterprise software publisher that uses this library should wait for Apache Software Foundation to inform them of the mitigation and/or resolution before they start creating patches and putting them through their generalization and testing. Only then are they released to customers.  

In contrast, Spinnaker Support can move ahead far more quickly. We understand our customers’ security posture for their Oracle software system landscape, and we use those insights to accelerate the development of mitigation measures. We then distribute those measures to customers in thorough and easy-to-follow instructions.  

For this vulnerability, we not only advised our customers on how to locate the affected library and to patch it with corrected versions (2.17 and above), we also extended our advice on how to identify and put preventive measures in place for this vulnerability and its variants. 
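The locate-and-check steps described above, as an added example (not Spinnaker Support's or Oracle's own tooling): a Python inventory scan that finds every log4j-core*.jar under a directory, reports whether the JNDI lookup class is still packaged, and compares the version with 2.17. The class path is the one named in Apache's published mitigation, since the page says only "the offending class"; the status labels and function names are this example's own.

```python
import re
import zipfile
from pathlib import Path

# Class named in Apache's published Log4Shell mitigation (not stated on the page).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven build metadata: survives a renamed jar, unlike the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17)  # the page's "2.17 and above"
VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def inspect_jar(path):
    """Return (version, status) for one log4j-core jar; version is (major, minor) or None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    except (zipfile.BadZipFile, OSError):
        return None, "UNREADABLE"  # truncated or non-zip file: needs manual review
    # Prefer the version recorded inside the jar; fall back to the file name.
    m = re.search(r"^version=(\d+)\.(\d+)", text, re.M) or VERSION_RE.search(Path(path).name)
    version = (int(m.group(1)), int(m.group(2))) if m else None
    if version is not None and version >= FIXED:
        return version, "FIXED_VERSION"
    if JNDI_CLASS in names:
        return version, "CLASS_PRESENT"  # old or unknown version, lookup class still inside
    return version, "CLASS_REMOVED_UPGRADE_PENDING"


def scan(root):
    """Walk root and inspect every file named log4j-core*.jar (case-insensitive)."""
    findings = {}
    for path in sorted(Path(root).rglob("*.jar")):
        if path.name.lower().startswith("log4j-core") and path.is_file():
            findings[path.relative_to(root).as_posix()] = inspect_jar(path)
    return findings


if __name__ == "__main__":
    import sys
    for name, (version, status) in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:30} {version} {name}")
```

Copies bundled inside WAR, EAR, or shaded "fat" jars are outside this scan and need a nested-archive pass.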


How was our response received? 

Our nimble response to this CVE exemplifies our ability to prioritize customer needs. We received praise for the rapid response and informative documentation. One customer commented: “The experience has been very good – Spinnaker are the poster child for documentation, especially on escalation.” 

You should recognize, however, that Log4j is exceptional. Most CVEs are not ranked a CVSS score of 10.0. They receive neither a speedy patch response nor widespread press coverage. That is why we normally deliver a layered, Defense in Depth approach to security.  

Instead of targeting CVEs, we focus on the weakness category, or Common Weakness Enumeration (CWE), providing layered system protection rather than individual product protection. Using a CWE approach means that we don’t typically have to drop what we are doing to address individual CVEs. 

An emphasis on CWEs can also yield faster results. Vendor patches focus on addressing each published CVE by individual product, which means that vulnerabilities in products often go unannounced or patches are not released for extended periods of time. We see this as counterproductive.  

Let’s Talk Security 

Many organizations have now mitigated their Log4j issue, but who knows when another critical vulnerability will appear? At Spinnaker Support, we help our customers to prepare as best as they can through our Customer Risk Review, Attack Surface Reduction, Security Resource Library, and Proactive Security Tooling. 

These security solutions and more come standard with our support, and our mitigations are for all software versions, even those no longer under the Premier Support or Extended Support phases. If you’re considering a move to third-party software support and are concerned about security, reach out for a conversation. We’re glad to discuss the case above, share other examples, or introduce you to our team of global security experts.

Video: Let’s Get Technical – The Benefits of CNC Managed Services from Spinnaker Support

John Lange | Senior Manager, Product Marketing

Worried about Oracle’s lessening support for the JD Edwards platform? Having a tough time hiring experienced JD Edwards software engineers? Struggling to enhance your JD Edwards environment?

In our newest video, Spinnaker Support’s Brian Stanz (Vice President, Global Support Services) and Chris Polston (Director, Support Services) discuss how we help keep our customers’ JD Edwards environments operating well for the long term. This also increases the JD Edwards return on investment – which is what every CFO loves to hear. 

Brian and Chris cover the seven key benefits of CNC managed services and how these services help ‘future proof’ your JD Edwards platform. ‘Upgrade’ is not the answer for everything, nor is a generic fix. Our goal is to work with you immediately to address an issue, not make you wait for the latest patch or release. When you use Spinnaker Support CNC managed services, you receive a rapid response and resolution. This can include the use of proactive tools to monitor and analyze potential issues in the application and database – well before they can negatively impact your operations. If you are an IT manager, system admin, or executive who plays a role in maintaining, improving, and managing a JD Edwards ecosystem, then this short video is for you.

We’d Like to Work with You

Thank you for watching this video about how we help businesses around the world get the most out of their JD Edwards investment. If you would like to discuss how we can help you extend the life of your JD Edwards ERP or how we can help transition your company to a new version, please reach out today.

Spinnaker Support: Helping Companies Break Past Current Limitations