Good morning Maros - What release of Oracle EPM/Hyperion are you folks running? We do a lot of technical managed services for clients and my rule of thumb is any release newer than 220.127.116.11 we encourage patching not only the Oracle EPM product stack but also the WebLogic, Java and other Fusion Middleware components (i.e. OHS) to the latest supported versions at least 2 times per year (quarterly for the current release 18.104.22.168.x). The WebLogic vulnerabilities are potential risks whether or not they are internal/external facing or in a DMZ. At the end of the day, if someone wants to maliciously attack an ecosystem, better safe than sorry and there is very low risk in patching these components. Again - ONLY as high as the certified/support matrix allows them to per release version.
If you have any questions on the process, shoot me a note, we will be happy to help!
CVE-2019-2725 is applicable to Oracle Hyperion on-premise installations. Our team has already developed a patch plan and has been deploying fixes across our client base. The vulnerability can still be exposed if malware is introduced inside of the network (e.g., through phishing or other means). Since this can impact an organization's sensitive financial data, it is advised that action is taken.
Note: in general, there is more to it than the WebLogic patches as per the original Oracle post since there are other components to consider (outside of the organization's internal security protocols).