Oracle Critical Patch Update
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 310 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2017 Critical Patch Update: Executive Summary and Analysis.
Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available here.
Applying PATCH SET UPDATE 12.1.0.2.0 – CPUOCT2017
Patch Set Update and Critical Patch Update October 2017 Availability Document (Doc ID 2296870.1)
Basic Steps to be followed in applying patches by the DBA:
Patch Installation Prerequisites
To take a backup of the binaries, tar the binaries home. Oracle also automatically takes a backup during opatch apply and stores it in “.patch_storage” under the $ORACLE_HOME where you apply the patch. This backup is used during rollback if the apply fails.
1) Download patches and carefully read the README.TXT of patch
Check your Database Release Number:
sqlplus / as sysdba
COL PRODUCT FORMAT A40
COL VERSION FORMAT A15
COL STATUS FORMAT A17
SELECT * FROM PRODUCT_COMPONENT_VERSION;
PRODUCT                                  VERSION         STATUS
---------------------------------------- --------------- -----------------
NLSRTL                                   12.1.0.2.0      Production
Oracle Database 12c Enterprise Edition   12.1.0.2.0      64bit Production
PL/SQL                                   12.1.0.2.0      Production
TNS for Linux:                           12.1.0.2.0      Production
OR
SELECT version FROM v$instance;
select * from v$version;
select comp_name, version, status from dba_registry;
This will help you download the correct patches
These patches may have been downloaded and are located in your VM in /home/oracle/software/112040_*/patches or in your Dropbox Folder shared in class under software.
While in MOS, before downloading the patch, use the “Conflict Checker Tool for Patches” to check for prerequisites or conflicts with already installed patches, i.e. Analyze for Conflicts in MOS:
How to use Conflict Checker:
While downloading a patch, attach the inventory text file (generated by the command “opatch lsinv” found in $ORACLE_HOME/cfgtoollogs/opatch/lsinv)
Check whether any currently installed one-off patches conflict with the PSU patch as follows:
Use My Oracle Support Document 1321267.1 Database Patch conflict resolution to determine, for each conflicting patch, whether a conflict resolution patch is already available, and if you need to request a new conflict resolution patch or if the conflict may be ignored.
$ORACLE_HOME/OPatch/opatch lsinv
cd $ORACLE_HOME/cfgtoollogs/opatch/lsinv OR
cd /u01/app/oracle/product/11.2.0/db_1/cfgtoollogs/opatch/lsinv
ls -lart
lsinventory2017-12-28_12-00-11PM.txt
Note: Upload the list of patches file, lsinventory2015xxx, when running the Patch Conflict Checker Tool
- Login to metalink or MOS.
- Click “Patches & Updates” link on top menu.
- On the patch search section enter patch number and select the platform of your database.
- Click search.
- On the search results page, download the zip file.
Conflict Checker reveals 2 conflicting patches & asks to download:
p17030189_112040_Generic.zip – LOGMINER GG DICTIONARY SUPPORT : MISSING ATTRIBUTES (Patch)
Downloading and installing the latest OPatch version – if required as per the readme of the patch:
Below are the steps for downloading and installing the latest OPatch version. OPatch is used to apply database patches that fix various bugs, so it is important to have the latest version.
Please download the latest OPatch version from My Oracle Support (MOS) – if required by the patch readme.txt
a) Click on the “Patches & Updates” tab
b) In the “Patch Name or Number” field type 6880880
c) In the “Platform” field select the relevant platform
d) Click the Search button.
e) Select the patch that corresponds to the Oracle release installed:
6880880 Universal Installer: Patch OPatch 11.2
f) Click the Download button
Once the above task is done, copy the patch to the $ORACLE_HOME directory and move the previous OPatch directory to a separate directory on the OS. We can use WinSCP or FTP to copy this patch from MOS to Windows and then from Windows to the Linux box.
Note:
Copy all the patches to the Linux server, say in /home/oracle/software/PSU_11.2.0.4.161018 :
Install latest OPatch – Update OPatch :
You must use the OPatch utility version 12.1.0.1.7 or later to apply this patch. Oracle recommends that you use the latest released OPatch version for 11.2, which is available for download from My Oracle Support patch 6880880 by selecting the 12.x.x.x.0 release.
Update OPatch
You must update or install the latest OPatch to avoid the errors listed below.
$ORACLE_HOME/OPatch/opatch lsinventory
# What is the current version of opatch?
$ORACLE_HOME/OPatch/opatch version
OPatch Version: 12.1.0.1.3
You will need the latest OPatch binaries which have been downloaded in
/home/oracle/software/112040_Linux-x86-64_rdbms/patches
p26713565_121020_Linux-x86-64.zip
Check current opatch version:
$ORACLE_HOME/OPatch/opatch version
OPatch Version: 11.2.0.3.4
Save & Install current opatch:
cd $ORACLE_HOME
mv OPatch OPatch_old_12.1.0.1.3
cd /home/oracle/software/112040_Linux-x86-64_rdbms/patches
or copy OPatch zipped file to OH
unzip p6880880_122010_Linux-x86-64.zip
or Copy Opatch to Oracle_Home
cp -r OPatch $ORACLE_HOME/
$ORACLE_HOME/OPatch/opatch version
OPatch Version: 12.2.0.1.11
Go to below mentioned path to see all opatch commands & descriptions:
$ cd $ORACLE_HOME/OPatch/docs/
vi Users_Guide.txt
GRID – ASM
3.1.2 Environments with Grid Infrastructure (GI)
If you are installing the PSU to an environment that has a Grid Infrastructure (GI) home, note the following:
- Grid Infrastructure PSU 11.2.0.4.161018 Patch 24436338 should be applied to the Grid Infrastructure home and Database home using the readme instructions provided with the patch
2) Unzip the patch file – carefully read the README.TXT of patches again
Get Readme.txt from Oracle Support or from the unzipped patch folder
cd /home/oracle/software/112040_Linux-x86-64_rdbms/patches/PSU_11.2.0.4.6_INCLUDES_CPUAPR2015
unzip p20299013_112040_Linux-x86-64.zip
cd 20299013
ls -lart
You may move the README HTML file to your Windows PC to read it in a browser
3) Check if there are conflicts
3.1.4 One-off Patch Conflict Detection and Resolution
A new My Oracle Support Conflict Checker tool is now available from the Patch Search results page. This tool enables you to upload an OPatch inventory and check the patches that you want to apply to your environment for conflicts.
If no conflicts are found, you can download the patches. If conflicts are found, the tool finds an existing resolution to download. If no resolution is found, you can request a solution and monitor your request in the Plans region.
The fastest and easiest way to determine whether you have one-off patches in the Oracle home that conflict with the PSU, and to get the necessary conflict resolution patches, is to use the Patch Recommendations and Patch Plans features on the Patches & Updates tab in My Oracle Support. These features work in conjunction with the My Oracle Support Configuration Manager. Recorded training sessions on these features can be found in Document 603505.1.
However, if you are not using My Oracle Support Patch Plans, the My Oracle Support Conflict Checker tool enables you to upload an OPatch inventory and check the patches that you want to apply to your environment for conflicts.
If no conflicts are found, you can download the patches. If conflicts are found, the tool finds an existing resolution to download. If no resolution is found, it will automatically request a resolution, which you can monitor in the Plans and Patch Requests region of the Patches & Updates tab.
Determine whether any currently installed one-off patches conflict with the PSU patch as follows:
export PATH=$ORACLE_HOME/OPatch:$PATH
cd /home/oracle/Downloads/
unzip p26713565_121020_Linux-x86-64.zip
cd 26713565
ls -lart
$ORACLE_HOME/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Or do:
export PATH=$ORACLE_HOME/OPatch:$PATH
opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Prereq “checkConflictAgainstOHWithDetail” passed.
OPatch succeeded.
If it succeeds, then skip to Apply Patch below.
If Prereq “checkConflictAgainstOHWithDetail” failed.
Following patches have conflicts. Please contact Oracle Support and get the merged patch of the patches :
17030189, 24006111
Whole composite patch Conflicts/Supersets are:
Composite Patch : 24006111
Conflict with 17030189
Detail Conflicts/Supersets for each patch are:
Sub-Patch : 20299013
Conflict with 17030189
Conflict details:
/u01/app/oracle/product/11.2.0/db_1/rdbms/admin/prvtlmcb.plb
Following patches have conflicts: [ 17030189 24006111 ]
Use the MOS Patch Conflict Checker “https://support.oracle.com/epmos/faces/PatchConflictCheck” to resolve.
See MOS documents 1941934.1 and 1299688.1 for additional information and resolution methods.
Note:
Patch conflict resolution (Doc ID 1299688.1)
Database Patch Conflict Resolution (Doc ID 1321267.1)
How to Rollback a Failed Interim Patch Installation (Doc ID 312767.1)
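The two gates described above (the minimum OPatch version and the result of the conflict check) can be scripted so that "opatch apply" is only reached on a clean result. This is an added example, not part of the original procedure or of Oracle's tooling; the function names and the sample output are constructed, and the sample assumes the straight quotes that opatch prints on a terminal.

```shell
#!/bin/sh
# Added example: decide whether it is safe to run "opatch apply".
# Function names and the sample text below are constructed for illustration.

MIN_OPATCH="12.1.0.1.7"   # minimum OPatch version stated in the text above

# version_ge A B: succeed when dotted version A >= B. Fields are compared
# numerically, so 12.1.0.1.10 correctly ranks above 12.1.0.1.7.
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" |
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n | head -n 1)
  [ "$lowest" = "$2" ]
}

# conflict_ids: read prereq output on stdin and print the patch IDs from the
# "Following patches have conflicts: [ ... ]" line, one per line.
conflict_ids() {
  sed -n 's/^Following patches have conflicts: *\[\(.*\)].*$/\1/p' |
    tr -s ' ' '\n' | grep -E '^[0-9]+$' | sort -un
}

# prereq_verdict: read prereq output on stdin; a failure wins over anything
# else, and unrecognised output never results in "apply".
prereq_verdict() {
  out=$(cat)
  case $out in
    *'checkConflictAgainstOHWithDetail" failed'*)
      echo "resolve: $(printf '%s\n' "$out" | conflict_ids | paste -sd ' ' -)" ;;
    *'checkConflictAgainstOHWithDetail" passed'*) echo "apply" ;;
    *) echo "stop" ;;
  esac
}

# preflight OPATCH_VERSION: version gate first, then the conflict verdict.
preflight() {
  if ! version_ge "$1" "$MIN_OPATCH"; then echo "update-opatch"; return 0; fi
  prereq_verdict
}

# Constructed samples modelled on the opatch output quoted above.
sample_failed() {
  cat <<'EOF'
Prereq "checkConflictAgainstOHWithDetail" failed.
Following patches have conflicts: [ 17030189 24006111 ]
EOF
}
sample_passed() {
  printf '%s\n' 'Prereq "checkConflictAgainstOHWithDetail" passed.' 'OPatch succeeded.'
}

sample_failed | preflight 12.2.0.1.11
sample_passed | preflight 12.1.0.1.3
```

On a real host, pipe the output of "opatch prereq CheckConflictAgainstOHWithDetail -ph ./" into preflight and pass it the version reported by "opatch version".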
We already downloaded the conflicting patch – p17030189_112040_Generic.zip above
So this patch must be installed prior to this CPU:
Patch 17030189: LOGMINER GG DICTIONARY SUPPORT : MISSING ATTRIBUTES
When downloading this patch, pay attention to the Oracle release version: 11.2.0.4, 11.2.0.4.6, etc.
cd $ORACLE_HOME/.patch_storage/17030189*
sh rollback.sh
To rollback a patch, please use ‘opatch rollback’.
NOTE: JDK should be present in the Oracle Home to rollback Java Archives.
About to modify Oracle Home( /u01/app/oracle/product/11.2.0/db_1 )
Do you want to proceed? [Y/N]
N
Rollback the patch using OPatch
cd /home/oracle/software/PSU_11.2.0.4.161018/
unzip -o p17030189_112040_Generic.zip
cd 17030189
cd /home/oracle/software/PSU_11.2.0.4.161018/17030189
$ORACLE_HOME/OPatch/opatch rollback -id 17030189
OPatch succeeded.
4) Backup your System & DB – This should be a tested fallback strategy or mechanism to be used if the patch fails and cripples the system.
To patch, start by doing a backup (rman) of your DB (if you already have a database created) – use your regular scripts or even do a cold backup.
a) Full Backup of Database.
Preferably, do an rman Incremental Updatable backup with your backup scripts:
/u01/app/oracle/admin/CLASST/scripts/backups/rman/CLASST_Backup_Merge_Incrementals_NoCat.sh
b) Set a Restore Point in sqlplus for rman:
sqlplus / as sysdba
CREATE RESTORE POINT start_patching_Dec_28_2017 GUARANTEE FLASHBACK DATABASE;
select SUBSTR( NAME , 1, 30),GUARANTEE_FLASHBACK_DATABASE,SCN from v$restore_point;
If you are using a Virtual Machine, take a Snapshot of the VM
Shut down all instances, listeners & OEM associated with the Oracle home
lsnrctl stop
sqlplus / as sysdba
show parameter db_name
shutdown immediate
exit
emctl stop dbconsole
Kill any process running from the Oracle Home being patched:
ps -ef|grep ora_
ps -ef|grep oem_
ps -ef|grep oracle
I see a process running from $ORACLE_BASE or $ORACLE_HOME, I will kill it:
oracle 12833 1953 0 22:25 ? 00:00:29 /u01/app/oracle/agent12cr4/core/12.1.0.4.0/jdk/bin/java -Xmx128M
kill -9 12833
c) Backup $ORACLE_HOME & OraInventory
cd /u01/app/
ll
tar -zcvf oraInventory_Dec28.tar.gz oraInventory
d) Backup the Oracle software directory – db_1 (if it has not been backed up or if time permits)
$ tar -zcvf /u01/app/oracle/product/12.1.0/dbhome_1/db_1_Oct7.2016.tar.gz /u01/app/oracle/product/12.1.0/dbhome_1
3.2 Patch Installation Instructions (PSU)
Conflicting patches should be rolled back before applying the patch, otherwise opatch apply will report conflicts again.
Follow these steps:
- If you are using a Data Guard Physical Standby database, you must install this patch on both the primary database and the physical standby database, as described by My Oracle Support Document 278641.1.
- If this is an Oracle RAC environment, install the PSU patch using the OPatch rolling (no downtime) installation method as the PSU patch is rolling Oracle RAC installable. Refer to My Oracle Support Document 244241.1 Rolling Patch – OPatch Support for RAC.
- If this is not an Oracle RAC environment, shut down all instances and listeners associated with the Oracle home that you are updating. For more information, see Oracle Database Administrator’s Guide.
- Rollback any patches found during the One-off Patch Conflict Detection.
- Set your current directory to the directory where the patch is located and then run the OPatch utility by entering the following commands:
unzip p26713565_121020_Linux-x86-64.zip
opatch apply
- Install all resolutions to conflicts found during the One-off Patch Conflict Detection.
- If there are errors, refer to Section 5, “Known Issues”.
Actions:
cd /home/oracle/Downloads/26713565
ls -lart
$ORACLE_HOME/OPatch/opatch apply
OR do:
export PATH=$ORACLE_HOME/OPatch:$PATH
opatch apply
Do you want to proceed? [y|n] y
Email address/User Name: Don’t enter your address as you don’t have a CSI N
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y
Is the local system ready for patching? [y|n] y
Log file location: /u01/app/oracle/product/11.2.0/db_1/cfgtoollogs/opatch/opatch2016-11-08_10-52-07AM_1.log
OPatch succeeded.
OPatch may fail with errors like:
1)
Prerequisite check “CheckActiveFilesAndExecutables” failed.
The details are:
Following executables are active :
/u01/app/oracle/product/11.2.0/db_1/lib/libsqlplus.so
Solution:
Check all terminals and exit sqlplus or any applications.
2)
OPatch found the word “warning” in the stderr of the make command.
/u01/app/oracle/product/11.2.0/db_1/sysman/lib/ins_emagent.mk:52: warning: ignoring old commands for target `nmosudo’
OPatch completed with warnings.
Solution:
The patch readme already says to ignore these warnings and lists the relevant Doc IDs.
3.3.1 Applying Conflict Resolution Patches
Apply the patch conflict resolution one-off patches that were determined to be needed
3.3 Patch Post-Installation Instructions
3.3.2 Loading Modified SQL Files into the Database
The following steps load modified SQL files into the database. For a RAC environment, perform these steps on only one node.
- For each database instance running on the Oracle home being patched, connect to the database using SQL*Plus. Connect as SYSDBA and run the catbundle.sql script as follows:
sqlplus / AS SYSDBA
STARTUP
exit
cd $ORACLE_HOME/OPatch
./datapatch -verbose
- Check the following log files in $ORACLE_HOME/cfgtoollogs/catbundle or $ORACLE_BASE/cfgtoollogs/catbundle for any errors:
This patch now includes the OJVM Mitigation patch (Patch:19721304). If an OJVM PSU is installed or planned to be installed, no further actions are necessary. Otherwise, the workaround of using the OJVM Mitigation patch can be activated. As SYSDBA do the following from the admin directory:
cd $ORACLE_HOME/rdbms/admin
sqlplus / as sysdba
SQL > @dbmsjdev.sql
SQL > exec dbms_java_dev.disable
Upgrade Oracle Recovery Manager Catalog
If you are using the Oracle Recovery Manager, the catalog needs to be upgraded. Enter the following command to upgrade it. The UPGRADE CATALOG command must be entered twice to confirm the upgrade.
rman catalog username/password@alias
UPGRADE CATALOG;
UPGRADE CATALOG;
EXIT;
3.4 Patch Post-Installation Instructions for Databases Created or Upgraded after Installation
There are no actions required for databases that have been upgraded or created after installation of PSU 11.2.0.4.161018.
$ORACLE_HOME/OPatch/opatch lsinventory
Oracle Database 11g 11.1.x.x.x
Check installed patches:
set linesize 120
column action_time format a15
column action format a10
column version format a10
column description format a50
select to_char(action_time,'DD-MON-YYYY') as action_time_2, patch_id, patch_uid, action, version, description
from dba_registry_sqlpatch order by action_time;
ACTION_TIME   PATCH_ID  PATCH_UID ACTION     VERSION    DESCRIPTION
----------- ---------- ---------- ---------- ---------- --------------------------------------------------
28-DEC-2017   26713565   21602269 APPLY      12.1.0.2   DATABASE PATCH SET UPDATE 12.1.0.2.171017
Ureeeh – You have successfully applied a PSU patch.
After Testing and Approval, drop the Restore Point created at the beginning of this process:
sqlplus / as sysdba
select SUBSTR( NAME , 1, 30),GUARANTEE_FLASHBACK_DATABASE,SCN from v$restore_point;
drop RESTORE POINT START_PATCHING_DEC_28_2017;
select SUBSTR( NAME , 1, 30),GUARANTEE_FLASHBACK_DATABASE,SCN from v$restore_point;
If you are using a Virtual Machine, delete the Snapshot of the VM created at the beginning of this process:
Backup your database again.