Friday, 31 March 2023

Vulnerability observed after installation of Oracle binary 11.2.0.4.

 

Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU and Update" (OJVM PSU and OJVM Update) Patches (Doc ID 1929745.1)

What is "Oracle JavaVM Component Database PSU/Update" ?
 Which Patches are Applicable to which Homes ?
  
 OJVM PSU/Update
 What is the "Mitigation Patch" ?
 JDBC Patch
  
 What Should I Do ?
 Grid ORACLE_HOMEs
 Database ORACLE_HOMEs
 Summary of Patching Approaches for Database ORACLE_HOMEs
 Client ORACLE_HOMEs
 Important Information about OJVM PSU/Update Patches
 Using the Mitigation Patch
 Applying the Mitigation Patch
 Effects of Activating the Mitigation Patch
 Temporarily Enabling Creation/Update of Stored Java Objects
 Applying an "Oracle JavaVM Component Database PSU" Patch with the Mitigation Patch Already Installed
 Questions and Answers
 Additional Notes
 Modification History
Contacts
References

APPLIES TO:

Oracle Database Cloud Exadata Service - Version N/A and later
Oracle Database Cloud Service - Version N/A and later
Oracle Database - Personal Edition - Version 9.2.0.8 and later
Oracle Platinum Services - Version N/A to N/A
Oracle Database Exadata Express Cloud Service - Version N/A and later
Information in this document applies to any platform.

DETAILS

This document gives information about:

  • Oracle JavaVM Component Database PSU patches and Release Update (Update) patches

  • Mitigation steps that can be used to protect against Oracle JavaVM vulnerabilities in any database version from 9.2.0.8 onwards.

ACTIONS

 

What is "Oracle JavaVM Component Database PSU/Update" ?

Oracle JavaVM Component Database PSU/Update is released as part of the Critical Patch Update program from October 2014 onwards.
It is a cumulative patch, consisting of two separate patches:

  • One for JDBC clients - applicable to Client, Instant Client, Database and Grid ORACLE_HOMES.
    This is referred to as "JDBC Patch" in the rest of this document.

  • One for the Oracle JavaVM component within the Oracle Database - applicable to database ORACLE_HOMEs only.
    This is referred to as "OJVM PSU/Update" in the rest of this document.
    As of January 2015 the "OJVM PSU/Update" patches include all fixes from the "JDBC Patch".

For situations where the latest OJVM PSU/Update cannot be installed immediately there is a Mitigation Patch that can be used, Patch 19721304.

Risk information on the vulnerabilities can be found in the "Oracle Database Server Risk Matrix" information, which is listed for each quarterly cycle here:

  • https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Which Patches are Applicable to which Homes ?

The table below shows which Oracle JavaVM Component patches are required in the various ORACLE_HOMEs.

Oracle JavaVM Component Patch Applicability

| Version | Type of Home | October 2014 | Jan 2015 - Apr 2016 | Jul 2016 - present |
|---|---|---|---|---|
| 21c and later | All Homes | N/A - 21c was released in the summer of 2021 | N/A - 21c was released in the summer of 2021 | none - the OJVM component patch has been incorporated within the 21c Database Release Update (RU) patch |
| 12.2.0.1, 18c, and 19c | Database Home | N/A - 12.2 was released in the spring of 2017 | N/A - 12.2 was released in the spring of 2017 | OJVM Update (Jul 2017 - present) |
| 12.2.0.1, 18c, and 19c | Grid Home | N/A - 12.2 was released in the spring of 2017 | N/A - 12.2 was released in the spring of 2017 | none |
| 12.2.0.1, 18c, and 19c | Client / Instant Client Home | N/A - 12.2 was released in the spring of 2017 | N/A - 12.2 was released in the spring of 2017 | none |
| 12.1.0.2 | Database Home | OJVM PSU (Oct 2014) (or Mitigation Patch 19721304) | OJVM PSU (Jan 2015 - Jul 2016) (or Mitigation Patch 19721304) | OJVM PSU (Jul 2016 - present) (or Mitigation Patch 19721304) |
| 12.1.0.2 | Grid Home | None | None | JDBC Patch (Jul 2016) Patch 23727148 |
| 12.1.0.2 | Client / Instant Client Home | None | None | JDBC Patch (Jul 2016) Patch 23727148 |
| 12.1.0.1, 11.2.0.4, 11.2.0.3, 11.1.0.7 | Database Home | OJVM PSU (Oct 2014) and JDBC Patch (Oct 2014) (or Mitigation Patch 19721304 and JDBC Patch) | OJVM PSU (Jan 2015 - Jan 2016) [includes JDBC fixes]; from July 2016 the JDBC patch comes as a one-off (or Mitigation Patch 19721304 and JDBC Patch) | OJVM PSU (Jul 2016 - present) (or Mitigation Patch 19721304) |
| 12.1.0.1, 11.2.0.4, 11.2.0.3, 11.1.0.7 | Grid Home | JDBC Patch (Oct 2014) | JDBC Patch (Oct 2014) | JDBC Patch (Jul 2016) Patch 23727132 |
| 12.1.0.1, 11.2.0.4, 11.2.0.3, 11.1.0.7 | Client / Instant Client Home | JDBC Patch (Oct 2014) | JDBC Patch (Oct 2014) | JDBC Patch (Jul 2016) Patch 23727132 |
| Other Versions | Database Home | Mitigation Patch 19721304 | Mitigation Patch 19721304 | Mitigation Patch 19721304 |


Latest patch availability information can be found in Note 888.1, "Primary Note for Database Proactive Patch Program"

 

OJVM PSU/Update

OJVM PSU/Update patches:

  • include critical fixes for the Oracle JavaVM component within the Oracle Database

  • are packaged separately from the Database PSU/Update (or equivalent) as they cannot be installed in a RAC Rolling manner, nor in Standby First manner.
    Keeping them separate allows customers to choose the most appropriate patching approach for each system
    • Oracle has also released "Combo" patches that bundle the OJVM PSU/Update in the same ZIP file as DB PSU/Update and/or GI PSU/Update for ease of download. The OJVM component in these "Combo" patches is in a separate subdirectory with its own install steps still required. October 2014 "Combo" patches do not include the JDBC Patch.

 

While most customers will want to adhere to the legacy principle that OJVM PSU/Update patches cannot be installed in a RAC Rolling manner, and simply follow the README file instructions that are included with each OJVM PSU/Update patch, you should be aware that potential alternatives exist.

Database Release 18c and 19c
Beginning with OJVM Release Update 18.4 and later (including 19c and beyond) the OJVM Release Updates are now Oracle RAC Rolling installable. However, the rollback to older versions such as 18.2 and 18.1 will be Non-Rolling. To use the RAC Rolling approach, out-of-place patching of the Oracle Home is mandatory, as is the use of database services and SRVCTL to control instance and service operations. For further information, please refer to MOS NOTE 2217053.1, RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU"(OJVM PSU/RU) Patches.

Database Release 12.2
The OJVM Release Update (RU) patch is not Oracle RAC Rolling installable. However, the OJVM RU may be installed in a "Conditional Rolling Install" fashion for the following use cases:

  • No OJVM usage
  • OJVM used by non-critical jobs and programs
  • OJVM used by critical functions isolated as services
  • OJVM used extensively, not isolated, and downtime is tolerated
  • OJVM used by critical functions and minimal downtime is required

Review My Oracle Support Document 2217053.1 for details on how to make use of this "Conditional Rolling Install" option.

Database Release 12.1.0.2
The OJVM Release 12.1.0.2 PSU patch is not Oracle RAC Rolling installable. However, starting with the Jan 2017 OJVM PSU patchset for 12.1.0.2, the OJVM PSU may be installed in a "Conditional Rolling Install" fashion for similar use cases. See My Oracle Support Document 2217053.1 for more details.

Database Release 11.2.0.4
The OJVM Release 11.2.0.4 PSU patch is not Oracle RAC Rolling installable. However, starting with the Jan 2017 OJVM PSU patchset for 11.2.0.4, the OJVM PSU may be installed in a "Conditional Rolling Install" fashion for similar use cases. See My Oracle Support Document 2217053.1 for more details.

 

  • are applicable to all database installations regardless of which patching model is used (DB Update, GI Update, DB Revision, GI Revision, DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)

  • require the database home to be patched to at least October 2014 DB PSU (or equivalent)

  • include binary changes to be applied to each Database ORACLE_HOME, and "post install" steps to be executed on each database running from the ORACLE_HOME

  • from January 2015 onwards: include the JDBC fixes
  • Oracle Database Release 12.2 does not need the JDBC fixes. Hence, only a quarterly Update for the OJVM component is provided.

For situations where the latest OJVM PSU/Update cannot be installed immediately there is a "Mitigation Patch" (Patch 19721304) that can be used as described below.

What is the "Mitigation Patch" ?

For situations where the latest OJVM PSU/Update cannot be installed immediately there is a "Mitigation Patch" that can be used. The "Mitigation Patch" is an interim solution to protect against all currently known (Jul 2015) Oracle JavaVM security vulnerabilities in the database until such time as the OJVM PSU/Update can be installed. It can also be used to protect database versions no longer covered by error correction support.

The "Mitigation Patch":

  • is applicable only to database homes, not client nor Grid homes

  • is only applicable to databases that have JavaVM installed

  • has no dependency on the DB PSU/Update (or equivalent) level

  • can be installed in a RAC Rolling manner

  • is a SQL only patch that needs to be installed and activated in each database
    • hence it can be installed standby first but it requires SQL steps to be executed to be effective, which cannot be done on a read only standby

  • affects use of Java and Java development in the database

  • has been reviewed each cycle from January 2015 through January 2017 and provides mitigation against all currently known OJVM vulnerabilities

  • can be downloaded here: Patch:19721304

Read the "Using the Mitigation Patch" section later in this document to understand the impact of this patch.

JDBC Patch

The JDBC patches:

  • include security fixes for JDBC
    (Oct 2014 patches include fixes for CVE-2014-4289 and CVE-2014-6544 only)
    (July 2016 patches include fixes for CVE-2014-4289, CVE-2014-6544 and CVE-2016-3506 only)


  • are available packaged separately from the OJVM PSU and Database PSU (or equivalent) for ease of deployment to client environments

  • are applicable to Client, Instant Client and Grid ORACLE_HOMES. The JDBC fixes are also applicable to the Database home regardless of whether Oracle JavaVM is used in a database or not:
    • For October 2014 the JDBC Patch should also be installed in the Database home
    • For January 2015 the OJVM PSU includes the JDBC fixes and so the JDBC patch does not need to be installed in the Database home unless OJVM PSU is not being installed yet
    • The JDBC Generic patches have been provided as a separate one-off from July 2016 so that all customers can install that without issue.
  • are applicable to all installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)

  • have no dependency on OJVM PSU nor Database PSU (or equivalent) patch level

  • can be installed in database server homes in a RAC Rolling manner

  • do not require the database and listeners to be shutdown for patching in non-RAC environments

  • do not require any post install steps be executed against individual databases

Latest JDBC patch availability information can be found in section "Which Patches are Applicable to which Homes?" of this note

 

What Should I Do ?

Grid ORACLE_HOMEs

Grid homes should be patched with the latest GI PSU (or equivalent) and the July 2016 JDBC patch.
OJVM PSU is not needed in the Grid home, only in the database home.

Database ORACLE_HOMEs

Oracle recommends applying the latest OJVM PSU/DBBP/Update patch to ALL databases that have Oracle JavaVM present in the database, regardless of whether you are explicitly using it or not. Even if Oracle JavaVM is not present in the database it is best practice to install the OJVM PSU/Update in case a new database is created in the ORACLE_HOME.

Oracle recommends applying the OJVM patch from the same quarter as the Database patch that has been installed. In cases where this match is critical, the OJVM patch will treat the Database patch as a prerequisite.

Run the following select in each database to check if it has Oracle JavaVM present (most databases will have JavaVM):

SELECT version, status FROM dba_registry WHERE comp_id='JAVAVM';
  • If "STATUS" is "VALID" then it is recommended to install OJVM PSU/Update for this database.

  • If no rows are returned OR "STATUS" is "REMOVED" then Oracle JavaVM is not present in the database. Although this database does not have JavaVM present it is still considered best practice to install OJVM PSU/Update to protect any database subsequently created in the ORACLE_HOME. Make a note of databases with no JavaVM present as: (a) you do not need to run OJVM PSU/Update post install steps on this database and (b) DB PSU/Update post install steps may report PLS-201 errors which can be ignored.

  • If "STATUS" is any other value there may be issues with the JavaVM install in the database. It is recommended to correct any issues with the JavaVM and then install OJVM PSU/Update.
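The following PL/SQL block is an added example, not part of Oracle's note: it runs the dba_registry check above inside one anonymous block, prints which of the three outcomes applies to the current database, and then inventories stored Java owned by application schemas. That inventory is what tells you how much the Mitigation Patch route (which blocks creation and update of stored Java) would interfere with legitimate use. The list of excluded Oracle-supplied schemas is a constructed starting point, not an authoritative list; run as SYSDBA in SQL*Plus.

```sql
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
  v_version dba_registry.version%TYPE;
  v_status  dba_registry.status%TYPE;
  v_present BOOLEAN := TRUE;
BEGIN
  -- Step 1: the registry check from the text, with its three outcomes.
  BEGIN
    SELECT version, status
      INTO v_version, v_status
      FROM dba_registry
     WHERE comp_id = 'JAVAVM';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      v_present := FALSE;   -- no row at all counts the same as STATUS = REMOVED
  END;

  IF NOT v_present OR v_status = 'REMOVED' THEN
    DBMS_OUTPUT.PUT_LINE('JAVAVM not present: no OJVM post-install steps needed on this database; '
      || 'still patch the ORACLE_HOME. PLS-201 from DB PSU/Update post-install can be ignored.');
    RETURN;
  ELSIF v_status = 'VALID' THEN
    DBMS_OUTPUT.PUT_LINE('JAVAVM ' || v_version
      || ' is VALID: install OJVM PSU/Update for this database.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('JAVAVM ' || v_version || ' has status ' || v_status
      || ': repair the JavaVM install first, then install OJVM PSU/Update.');
  END IF;

  -- Step 2: stored Java outside the Oracle-supplied schemas. These owners are the
  -- ones whose CREATE JAVA / loadjava work dbms_java_dev.disable would reject.
  -- The exclusion list below is a constructed starting point for this example.
  DBMS_OUTPUT.PUT_LINE('Stored Java objects by owner (Oracle-supplied schemas excluded):');
  FOR r IN (
    SELECT owner, object_type, COUNT(*) AS cnt
      FROM dba_objects
     WHERE object_type LIKE 'JAVA %'        -- JAVA CLASS / SOURCE / RESOURCE / DATA
       AND owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'ORDDATA', 'ORDPLUGINS',
                         'XDB', 'EXFSYS', 'CTXSYS', 'OLAPSYS', 'WMSYS', 'DBSNMP',
                         'SI_INFORMTN_SCHEMA', 'APPQOSSYS', 'OJVMSYS', 'DVSYS',
                         'LBACSYS', 'SYSMAN', 'OUTLN')
     GROUP BY owner, object_type
     ORDER BY owner, object_type
  ) LOOP
    DBMS_OUTPUT.PUT_LINE('  ' || RPAD(r.owner, 31) || RPAD(r.object_type, 14) || r.cnt);
  END LOOP;
END;
/
```

A database that prints no rows in the second section can usually take the Mitigation Patch with little risk to application code; one with many application-owned JAVA CLASS objects is a candidate for the "Preferred approach" outage instead, or for the ORACLE_JAVA_DEV grants described under "Using the Mitigation Patch".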

There are four main patching approaches to protect databases that have Oracle JavaVM present:

(If you do not want to apply DB PSU/Update (or equivalent) at this time you can use option 3)

  1. If you can schedule an immediate outage:
    • Install the latest OJVM PSU/Update patch at the same time as the Database PSU/Update (or equivalent).
    • For October 2014 only: install the JDBC Patch at the same time as OJVM PSU and DB PSU

  2. If you cannot schedule an immediate outage and are running an Exadata or RAC database:
    • Install the Database PSU/Update (or equivalent), the JDBC Patch and the "Mitigation Patch" - these can be applied in a RAC rolling manner.
    • At some future time, when you can schedule an outage, install the latest OJVM PSU/Update patch.
    • You might also use this approach to minimize the full outage duration as it is only OJVM PSU/Update that requires a full outage.

  3. Make use of one of the potential alternatives that was discussed above, and is detailed in MOS NOTE 2217053.1, RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU"

  4. For other scenarios, such as using a database version that has no OJVM PSU/Update available, or if you do not wish to install the latest Database PSU/Update (or equivalent) at this time:
    • Install and activate the "Mitigation Patch" - this has no pre-requisites and patching can typically be performed with the database open.
    • At some future time take actions to get the system to the latest recommended patch levels.

The table in the next section shows the main steps involved in the above patching approaches.

Summary of Patching Approaches for Database ORACLE_HOMEs

This table is for patching database server homes only.

Customers using EM12c to automate patching should also see Document:1936634.1 "Oracle JavaVM Oct 2014 - Check compliance and automate patching using EM12c".

Approach / Summary Steps

Preferred approach
For versions 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2, and 12.2.0.1 and beyond.

Requires a complete outage.

Database/s are protected on completion of patching.

Summary steps:

  1. Shutdown databases and services on all nodes
  2. If on a Windows platform, rollback the old OJVM patch.
  3. Apply DB PSU (or equivalent) but do NOT run DB PSU post install steps
  4. Apply OJVM PSU patch [see note-1 below]
  5. October 2014 only for DB versions below 12.1.0.2: Apply the JDBC Patch [see note-2 below]
  6. Run post install steps on all DBs in the patched home: [see note-3 below]
    • For 12.1.0.1 or later run "datapatch" post install steps
    • For 11.2.0.3 and 11.2.0.4 run the OJVM PSU post install steps followed by the DB PSU (or equivalent) post install steps.
    • For 11.1.0.7 run the OJVM PSU post install steps, then shutdown/restart the database before following the DB PSU (or equivalent) post install steps. [see note-4 below]
  7. Re-start any stopped databases / services running from this ORACLE_HOME

Alternative approach (Mitigation Patch now, OJVM PSU later)
For versions 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2, and 12.2.0.1 and beyond.

Can use RAC Rolling patching method.

Database/s are protected once Java development is disabled.

Some legitimate JavaVM uses may be affected and require additional steps (eg: new privilege grants may be required, extra steps around patching / development operations using JavaVM may be required - see "Using the Mitigation Patch")

The OJVM PSU should still be applied at some suitable later time.

This 'Alternative approach' is not available for the Windows platform since on the Windows platforms the latest bundle reports conflicts with a previously installed OJVM patch. Use the 'Preferred approach' above instead.

Summary steps:

  1. Shutdown instances and services on the local node
  2. Apply DB PSU (or equivalent) but do NOT run DB PSU post install steps
  3. Apply the "Mitigation Patch"
  4. Optionally apply the JDBC Patch [see note-2 below]
  5. Run post install steps on all DBs in the patched home:
    • For 12.1.0.1 or later run "datapatch" post install steps
    • For 11.2.0.4 or lower run the DB PSU (or equivalent) post install steps followed by the "Mitigation Patch" post install steps.
  6. Execute dbms_java_dev.disable on all databases in the patched home
  7. Re-start any instances and services

At some later point in time when an outage can be taken:

  1. Disable access to the database/s
  2. Execute dbms_java_dev.enable in each database
  3. Shutdown the database/s
  4. Apply OJVM PSU patch [see note-1 below]
  5. Start all DBs in the patched home in "startup upgrade;" mode
  6. Run OJVM PSU post install steps on all DBs in the patched home
  7. Re-start all DBs in the patched home in "startup;" mode, and return them to service.

Alternative approach (RAC Rolling / "Conditional Rolling Install")
For version 18.4 and later (including 19c and beyond) - Oracle RAC Rolling installation with rollback, out-of-place patching, and use of database services and SRVCTL restrictions.

For version 12.2.0.1 - "Conditional Rolling Install"

For version 12.1.0.2 beginning Jan 2017 - "Conditional Rolling Install"

For version 11.2.0.4 beginning Jan 2017 - "Conditional Rolling Install"

Summary steps:

Please refer to MOS NOTE 2217053.1, RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU"

Mitigation only approach
For versions 9.2.0.8 onwards.
Has no pre-requisites.

Can be used if you do not wish to install the latest DB PSU (or equivalent) at this time.
Can use RAC Rolling patching method.
Can typically be performed with database open.

Some legitimate JavaVM uses may be affected and require additional steps (eg: new privilege grants may be required, extra steps around patching / development operations using JavaVM may be required - see "Using the Mitigation Patch")

Summary steps:

  1. Shut down any services using JDBC from this ORACLE_HOME, such as dbconsole
  2. Apply the "Mitigation Patch"
  3. Optionally apply the JDBC Patch if available [see note-2 below]
    (The mitigation patch does not require the JDBC patch)
  4. Run the "Mitigation Patch" post install steps on all DBs in the patched home
  5. Execute dbms_java_dev.disable on all databases in the patched home
  6. Re-start any stopped services

Plan to upgrade / patch the system to a currently supported recommended patch level

Note-1: IMPORTANT: Do not access the database after applying the OJVM PSU/Update patch other than to execute the post install steps - any attempt to execute Java after OJVM PSU/Update patch apply, but before the post install steps are complete, will result in ORA-7445 or similar errors. Once the post install steps have completed successfully then you can allow access to the database again. Install of OJVM PSU (Jan 2015 or later) will rollback the JDBC Patch if it is installed, as OJVM PSU includes those JDBC fixes.

Note-2: JDBC Patches are generic patches that are applicable to database ORACLE_HOMEs. JDBC clients running from the ORACLE_HOME should be stopped before patching, and restarted after patching is complete, so that they use the newly patched JDBC jar files. eg: EM database control uses JDBC. JDBC fixes are already included in 12.1.0.2 so there is no JDBC Patch for that version. JDBC fixes are included in the OJVM PSU patches from January 2015 onwards and so do not need a separate install step.


Note-3:
Post install steps depend on whether a database has JavaVM installed or not:

    • For each database with JavaVM installed:
      • Start the database in UPGRADE mode, run OJVM PSU/Update post install steps, shutdown and restart the database for DB PSU/Update post install steps.
        (It is not mandatory to use UPGRADE mode but some database configurations may report ORA-7445 errors if the DB is started normally before OJVM PSU/Update post install steps have been executed).
      • From April 2015 onwards the OJVM PSU/Update Readme and patching steps now use UPGRADE mode
      • In RAC environments the cluster_database parameter should be set to FALSE in order to STARTUP UPGRADE

    • For any database that has no JavaVM installed:
      • There is no need to run the OJVM PSU/Update post install step on this database
      • DB PSU/Update (or equivalent) post install steps will report PLS-201 errors against object INITJVMAUX. These errors can be ignored provided there really is no JavaVM in the database, otherwise the error should be investigated.
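The SQL*Plus sequence below is an added example, not part of Oracle's note or of any patch README: it strings Note-1, Note-3 and Note-4 together for one RAC database that has JavaVM present, so that the ordering (single-instance STARTUP UPGRADE, OJVM post-install first, normal restart, then DB PSU post-install, then RAC re-enabled) is explicit. It assumes a shared spfile, that the other instances and services were already stopped with srvctl, and that the two script placeholders are replaced with the post-install script paths named in the respective READMEs.

```sql
-- Run on one node only, connected to the local instance, after the OJVM PSU
-- and DB PSU binaries have been applied to the ORACLE_HOME.
CONNECT / AS SYSDBA

-- Note-3: STARTUP UPGRADE requires the instance to start single-instance.
ALTER SYSTEM SET cluster_database = FALSE SCOPE = SPFILE SID = '*';
SHUTDOWN IMMEDIATE
STARTUP UPGRADE

-- Note-1: nothing else may touch the database before this completes.
-- Placeholder: substitute the OJVM PSU post-install script from its README.
@<OJVM_PSU_postinstall_script_from_README>.sql

-- Note-4: 11.1.0.7 must bounce between the two sets of post-install steps
-- (ORA-29532 otherwise); doing so on every version is harmless. On 12.1+,
-- datapatch (an OS command, not SQL*Plus) may run both sets while still in
-- UPGRADE mode instead (Note-5).
SHUTDOWN IMMEDIATE
STARTUP
-- Placeholder: substitute the DB PSU (or equivalent) post-install script.
@<DB_PSU_postinstall_script_from_README>.sql

-- Sanity check before handing the database back: JavaVM must still be VALID.
SELECT comp_id, version, status FROM dba_registry WHERE comp_id = 'JAVAVM';

-- Restore RAC mode; the remaining instances and services are then started
-- outside SQL*Plus with srvctl.
ALTER SYSTEM SET cluster_database = TRUE SCOPE = SPFILE SID = '*';
SHUTDOWN IMMEDIATE
STARTUP
```

Databases in the same home that have no JavaVM (no JAVAVM row or STATUS = REMOVED) skip the OJVM script line entirely and only run the DB PSU step; the PLS-201 errors Note-3 mentions are expected there and nowhere else.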


Note-4: 11.1.0.7 requires a shutdown between the two sets of post install steps in order to avoid ORA-29532 errors.

 

Note-5: Datapatch can be run in STARTUP UPGRADE mode to apply post-patching script for both OJVM and DB PSU/Update.



General Notes:

  • Neither the mitigation patch nor JDBC Patch have a dependency on DB PSU (or equivalent), but OJVM PSU does.

    Customers using Data Vault should ensure this option is disabled before applying any PSU (or equivalent) patches and enable it again afterwards. See Document:948061.1 "How to Check and Enable/Disable Oracle Binary Options".


Client ORACLE_HOMEs

Client homes below version 12.1.0.2 should be patched with the July 2016 JDBC patch:

  • The JDBC Patch has no dependency on DB PSU (or equivalent) level

  • Applications using JDBC in the patched ORACLE_HOME should be stopped and restarted after patching to pick up the new jar files

  • It is advisable to check for copies of ojdbc*.jar files copied to other locations on client systems as patch install will only replace the ojdbc*jar files in the standard location in the ORACLE_HOME.

  • There may be other security content applicable to client homes included in DB PSU - review the "Installation Types and Security Content" section in the DB PSU README .

OJVM PSU is not required in client homes.

Important Information about OJVM PSU/Update Patches

The following information is applicable to the OJVM PSU/Update patches:

  • The patches are recommended to be applied to ALL databases that have Oracle JavaVM present in the database, regardless of whether you are explicitly using it or not.
  • The patches apply to database server homes only

  • The patches cannot be installed in a RAC Rolling manner and require an outage to install. While most customers will want to adhere to this legacy principle that OJVM PSU/Update patches cannot be installed in a RAC Rolling manner, and simply follow the README file instructions that are included with each OJVM PSU/Update patch, there are potential alternatives that were discussed above, and that are detailed in MOS NOTE 2217053.1, RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU"

  • The patches cannot be installed in a Standby First manner.

  • The patches require that the database home is already patched with at least October 2014 DB PSU [ or equivalent GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata for installations using these other patching models ].

    ie: The database home should be patched to one of the following before applying the OJVM PSU patch:

    • October 2014 SPU or later

    • DB PSU (or DB PSU component of GI PSU)
      • 12.1.0.2.1 DB PSU or later
      • 12.1.0.1.5 DB PSU or later
      • 11.2.0.4.4 DB PSU or later
      • 11.2.0.3.12 DB PSU or later
      • 11.1.0.7.21 DB PSU or later

    • Windows
      • Windows bundle patch 12.1.0.1.14 or later, but see OJVM PSU information in Document:161549.1
      • Windows bundle patch 11.2.0.4.10 or later, but see OJVM PSU information in Document:161549.1
      • Windows bundle patch 11.2.0.3.34 or later, but see OJVM PSU information in Document:161549.1
      • Windows bundle patch 11.1.0.7.58 or later, but see OJVM PSU information in Document:161549.1

    • Exadata
      • Database Patch for Exadata 12.1.0.2.1 or later
      • 12.1.0.1.5 GI PSU or later
      • Database Patch for Exadata 11.2.0.4.10 or later
      • Database Patch for Exadata 11.2.0.3.25 or later

  • Attempting to apply the OJVM PSU patch to an environment that is not at the required minimum patch level listed above will fail with relink errors.

  • Oracle has released "Combo" patches that bundle the OJVM PSU in the same ZIP file as DB PSU and/or GI PSU for ease of download. The OJVM component in these "Combo" patches is in a separate subdirectory with its own install steps required:
    • For October 2014 "Combo" patches:
      • Also download the Oct 2014 "JDBC Patch" for DB versions below 12.1.0.2.
    • For January 2015 onwards "Combo DB PSU and OJVM PSU" patches:
      • No separate JDBC patch is required as the JDBC fixes are included in the Jan 2015 OJVM PSU
    • For January 2015 "Combo GI PSU and OJVM PSU" patches:
      • Also download the Oct 2014 "JDBC Patch" to install in Grid Homes below version 12.1.0.2 if not previously installed.
    • For April 2015 onwards the "Combo GI PSU and OJVM PSU" patches include the Oct 2014 "JDBC Patch"
      • No separate download of the "JDBC Patch" is required for Grid Homes

  • It is important that the patch installation instructions (in the patch README file) are followed carefully:

    • In particular execute the OJVM PSU post installation steps against all databases in the Oracle Home that have Oracle JavaVM present. You should do this after the patch has been applied but before any other operation on the database. Failure to follow the instructions could lead to errors from user sessions or jobs that attempt to use the JavaVM.

    • If the OJVM PSU patch is applied at the same time as any other patch then execute the OJVM PSU post install steps before the post install steps of any other patch applied.

  • Customers with non-standard databases that do not have the Oracle JavaVM present will get PLS-201 errors during OJVM PSU post install steps or during DB PSU (or equivalent) post install steps. These PLS-201 errors can be safely ignored provided the database does not have an Oracle JavaVM present.
    • You can use the SQL "SELECT version, status FROM dba_registry WHERE comp_id='JAVAVM';" to check.

 

Using the Mitigation Patch

If you cannot take an immediate outage to install the latest OJVM PSU patch then a recommended alternative is to install and activate the mitigation patch in each database. This will protect against all currently known Oracle JavaVM security vulnerabilities but may interfere with some legitimate Oracle JavaVM uses.

  • The mitigation patch has no pre-requisites - it can be applied and enabled regardless of the current database version or patch level. Patches have been released for several versions that are no longer covered by Error Correction Support, but will not be produced for any version below 9.2.0.8.

  • It can be downloaded here: Patch:19721304 .

Note: The mitigation patch is only a temporary option - you should still plan to install the latest OJVM PSU patch as soon as possible.

Applying the Mitigation Patch

Note: Patch 19721304 is now included in the following 12.1.0.2 and 11.2.0.4 patches and therefore, in the following steps, Step 1 should be skipped (otherwise OPatch will report Patch 19721304 as a Conflict/Subset):

  • Database Patch Set Update
  • Database Bundle Patch (12.1.0.2.0 only)
  • Exadata Database Bundle (11.2.0.4.0 only)
  • Windows DB Bundle Patch
  • FA Database Bundle Patch
  • SAP Database Bundle Patch

 

1. Download and apply the relevant version of Patch:19721304 to each database ORACLE_HOME

2. Execute the patch post install steps against all databases running from each ORACLE_HOME. See the README supplied with the patch for post install steps relevant to the database version.

3. Check the patch logs for any errors and correct as required

4. Run the following step as a SYSDBA user to DISABLE Java development in the database:
  • SQL> exec dbms_java_dev.disable

The database is not protected until the dbms_java_dev.disable step completes successfully.

Effects of Activating the Mitigation Patch

The above mitigation patch steps will prevent creation of any new stored Java in the database. This includes attempts to create Java objects from SQL, import, loadjava, patching operations etc.

eg:
"CREATE FUNCTION oscar_quote RETURN VARCHAR2 AS LANGUAGE JAVA ..." operations will fail with errors like:
ORA-00604: error occurred at recursive SQL level 1
ORA-02290: check constraint (SYS.JAVA_DEV_DISABLED) violated
"CREATE or REPLACE and COMPILE JAVA SOURCE named "MyJavaDbProcedure" as ..." operations will fail with error like:
ORA-00604: error occurred at recursive SQL level 1
ORA-20031: Java Development Disabled
ORA-06512: at line 4


Execution of dbms_java_dev.disable also:

  • Revokes public access to DBMS_JAVA, DBMS_JAVA_TEST, DBMS_JAVA_MISC, SQLJUTL, SQLJUTL2 and JVMRJBCINV;
  • Creates a new role "ORACLE_JAVA_DEV" which can be used to grant back the privilege to individual users as needed;
  • Grants the role ORACLE_JAVA_DEV to users that have objects with static dependencies to one of the above packages.

As a result of the privilege changes applications that use database Java call-ins may fail with errors, and so may need explicit grants to give access to the relevant package.

eg:
After execution of dbms_java_dev.disable a client session might fail with errors like:
ORA-06550: line 7, column 2:
PLS-00201: identifier 'SYS.SQLJUTL' must be declared
ORA-06550: line 1, column 109:
PL/SQL: Statement ignored

To resolve this example issue you could grant execute privilege on SQLJUTL to the database user that makes the connection:

grant execute on sys.sqljutl to scott;


DBAs should carefully review which users receive grants to execute the above packages as they allow access to all Java classes.
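The queries below are an added example, not part of Oracle's note: they give a DBA the review the previous sentence asks for, after dbms_java_dev.disable has run. The package list and the ORACLE_JAVA_DEV role name are the ones stated above; SCOTT in the final grant is the note's own example user. Run as SYSDBA.

```sql
-- 1. PUBLIC must no longer hold EXECUTE on any of the six packages.
--    Expect zero rows once dbms_java_dev.disable has completed.
SELECT table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND grantee = 'PUBLIC'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JAVA_MISC',
                      'SQLJUTL', 'SQLJUTL2', 'JVMRJBCINV');

-- 2. Who holds ORACLE_JAVA_DEV: the owners that disable granted it to
--    automatically (static dependencies) plus anyone granted it since.
--    Every grantee here can reach all Java classes and should be justified.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'ORACLE_JAVA_DEV'
 ORDER BY grantee;

-- 3. Direct EXECUTE grants on the packages to anything other than PUBLIC,
--    i.e. the per-user grants like the SQLJUTL one in the text.
SELECT grantee, table_name, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND grantee <> 'PUBLIC'
   AND table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JAVA_MISC',
                      'SQLJUTL', 'SQLJUTL2', 'JVMRJBCINV')
 ORDER BY grantee, table_name;

-- 4. Application code that will now fail with PLS-00201: objects that reference
--    one of the packages but whose owner has neither the role nor a direct grant.
--    (Dynamic call-ins from client sessions do not appear here; those surface
--    only as the ORA-06550 / PLS-00201 errors shown above.)
SELECT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JAVA_MISC',
                             'SQLJUTL', 'SQLJUTL2', 'JVMRJBCINV')
   AND d.owner <> 'SYS'
   AND NOT EXISTS (SELECT 1 FROM dba_role_privs r
                    WHERE r.grantee = d.owner
                      AND r.granted_role = 'ORACLE_JAVA_DEV')
   AND NOT EXISTS (SELECT 1 FROM dba_tab_privs p
                    WHERE p.grantee = d.owner
                      AND p.owner = 'SYS'
                      AND p.privilege = 'EXECUTE'
                      AND p.table_name = d.referenced_name)
 ORDER BY d.owner, d.name;

-- 5. The narrowest fix for the SQLJUTL example in the text: one package to the
--    connecting user, rather than the whole ORACLE_JAVA_DEV role.
GRANT EXECUTE ON sys.sqljutl TO scott;
```

Query 1 is the one to keep in a post-patch checklist: if it ever returns rows again (for example after a later OJVM post-install step or a manual re-grant), the revocations that the mitigation relies on have been undone.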

Temporarily Enabling Creation/Update of Stored Java Objects

Use the steps below if you need to allow the creation / update of stored Java objects, including application of patches that affect stored Java or the Oracle JavaVM:

  • Connect to the database as a SYSDBA user

  • SQL> exec dbms_java_dev.enable;

  • Perform the steps required to create or replace Java objects, apply Java related patches etc.

  • SQL> exec dbms_java_dev.disable;

Be sure to end the steps with the call to "dbms_java_dev.disable" in order to protect the database.
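The PL/SQL block below is an added example, not part of Oracle's note: it wraps the enable / work / disable sequence above so that dbms_java_dev.disable is called again even if the Java work fails, and then proves that protection is back by attempting a CREATE JAVA SOURCE and expecting the ORA-20031 or ORA-02290 rejection the note lists. The Java source named "MitigationProbe" is constructed for this example and is dropped again inside the enabled window. Run as SYSDBA.

```sql
SET SERVEROUTPUT ON

DECLARE
  -- The rejection arrives as ORA-00604 wrapping ORA-20031 (or ORA-02290 for the
  -- SYS.JAVA_DEV_DISABLED check constraint), so inspect the full error stack.
  FUNCTION is_dev_disabled_error RETURN BOOLEAN IS
    v_stack VARCHAR2(4000) := DBMS_UTILITY.FORMAT_ERROR_STACK;
  BEGIN
    RETURN SQLCODE IN (-20031, -2290)
        OR (SQLCODE = -604 AND (v_stack LIKE '%ORA-20031%' OR v_stack LIKE '%ORA-02290%'));
  END;
BEGIN
  dbms_java_dev.enable;
  BEGIN
    -- Maintenance-window work goes here (CREATE JAVA, loadjava-driven scripts,
    -- patch post-install SQL). A constructed, harmless class stands in for it.
    EXECUTE IMMEDIATE
      'CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "MitigationProbe" AS '
      || 'public class MitigationProbe { public static String ping() { return "ok"; } }';
    EXECUTE IMMEDIATE 'DROP JAVA SOURCE "MitigationProbe"';
    DBMS_OUTPUT.PUT_LINE('work step completed');
  EXCEPTION
    WHEN OTHERS THEN
      dbms_java_dev.disable;   -- never leave the database unprotected on failure
      RAISE;
  END;
  dbms_java_dev.disable;

  -- Verify: with development disabled, the same CREATE must now be rejected.
  BEGIN
    EXECUTE IMMEDIATE
      'CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "MitigationProbe" AS '
      || 'public class MitigationProbe { public static String ping() { return "x"; } }';
    -- Reaching this line means the CREATE succeeded: the database is NOT protected.
    RAISE_APPLICATION_ERROR(-20999, 'Java development is still ENABLED after disable');
  EXCEPTION
    WHEN OTHERS THEN
      IF is_dev_disabled_error THEN
        DBMS_OUTPUT.PUT_LINE('verified: Java development is disabled again');
      ELSE
        RAISE;
      END IF;
  END;
END;
/
```

Work that cannot be issued from PL/SQL (a patch README's post-install script, loadjava from the OS) still has to follow the plain SQL*Plus sequence in the list above; in that case run only the verification half of this block afterwards, since the ORA-20031 probe is what confirms the final dbms_java_dev.disable actually took effect.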

Applying an "Oracle JavaVM Component Database PSU" Patch with the Mitigation Patch Already Installed

You must "enable" Java development prior to installing the OJVM PSU patch.

eg:
  • Disconnect users and prevent user access to the databases running from the ORACLE_HOME to be patched

  • "exec dbms_java_dev.enable;" in each database

  • Shutdown the databases

  • Follow the full steps to apply the OJVM PSU patch, including running post install steps against each database

Similarly, an ORA-20031 can occur during a rollback. To make sure that does not happen, you must enable Java in advance.

You do not need to "disable" Java development after patching with the latest OJVM PSU patch, unless you wish to do so.

Questions and Answers

  • Why should I install the patch if I do not use Oracle JavaVM ?
    • Databases include the Oracle JavaVM by default and so may be exposed to security vulnerabilities that are addressed by the latest patch.

  • Can I just uninstall Oracle JavaVM instead ?
    • The Oracle JavaVM is used by several database options and features and so should not be removed.
      For example, Oracle JavaVM is used by XDK, CDC, Spatial, InterMedia etc..

  • Do I need to take any action if my database was created in a non-standard manner and does not have Oracle JavaVM installed ?
    • If the database has been created without JavaVM then OJVM PSU is not applicable to that database. However, be aware that if a new database is created with JavaVM in an unpatched ORACLE_HOME that new database will not be protected. The preferred option is to install OJVM PSU but omit the OJVM PSU post install steps for the specific database/s that do not have JavaVM. If you do run the OJVM PSU post install steps PLS-201 errors will be reported - these errors can be safely ignored.

  • Can I use any OJVM PSU patch with any DB PSU patch ?
    • The database must be patched to at least October 2014 DB PSU (or equivalent SPU or Database Patch for Exadata) before an OJVM PSU patch can be applied.
    • On Windows platforms OJVM PSU patches have additional dependencies - see OJVM PSU information in Document:161549.1

  • Which database versions are OJVM PSU patches available for ?
    • OJVM PSU patches are released as part of the Critical Patch Update program and are only available for database versions covered by error correction support. As of January 2018 patches have been released for the following database versions:
      • 11.1.0.7
      • 11.2.0.3
      • 11.2.0.4
      • 12.1.0.1
      • 12.1.0.2
      • 12.2.0.1
    • Latest patch numbers and availability can be found in Document:756671.1 "Primary Note for Database Proactive Patch Program", or by following links in the latest Critical Patch Update under Document:467881.1.
    • For other database versions you can use the "Mitigation Patch".

  • On Windows platforms the latest bundle reports conflicts with a previously installed OJVM patch
    • It is normal and expected for the latest bundle to report conflicts with a previously installed OJVM patch. Each Windows bundle patch has a corresponding OJVM patch. The standard procedure to apply bundle and OJVM patch in windows environment is:
      • Rollback the old OJVM patch
      • Apply the latest bundle patch
      • Apply the latest OJVM patch

  • Do I need to patch database client installs with OJVM PSU ?
    • The OJVM PSU patch is not applicable for client installs
    • The JDBC Patch is applicable to client installs

  • Do I need to patch Java clients ?
    • For Java clients see the latest Critical Patch Update availability information for "Oracle Java SE"
    • Java clients using JDBC should also be patched with the JDBC Patch. If the ojdbc*jar files used by the client were originally copied from an ORACLE_HOME install then it is advisable to update those ojdbc*jar files after the JDBC Patch has been applied.

  • Do I need to remove the mitigation patch when I install the OJVM PSU patch ?
    • You do not need to rollback the mitigation patch, but you must execute "dbms_java_dev.enable" before applying the OJVM PSU patch.
    • With the mitigation patch left in place you can still use "dbms_java_dev.disable" if required.

  • Why does this document mention using STARTUP UPGRADE for OJVM PSU post install steps when the README does not?
    • ORA-7445 errors may be reported if anything in the database tries to use the JavaVM after OJVM PSU has been applied but before the OJVM PSU post install steps have executed. This can affect databases using Change Data Capture (CDC), or databases with jobs that use the JavaVM directly or indirectly, etc. This document suggests using STARTUP UPGRADE for the OJVM PSU post install steps because that mode disables system triggers and jobs and so reduces the chance of something trying to use the JavaVM before the post install steps have completed. It is not mandatory to use UPGRADE mode, and in many cases it is not required. If you do hit ORA-7445 errors on a normal (or restricted) startup after applying OJVM PSU then using UPGRADE mode just for the OJVM PSU post install steps should allow you to proceed.
    • From April 2015 onwards OJVM PSU README now indicates to use STARTUP UPGRADE
    • In RAC environments the cluster_database parameter should be set to FALSE in order to STARTUP UPGRADE

  • Is there a problem if I ran DB PSU post install steps before OJVM PSU steps ?
    • It is valid to run DB PSU post install steps before OJVM PSU steps but this will result in additional invalidations / recompilations and may extend the period of time taken to complete the steps. Be sure to check the post install logs just in case there was some unexpected error.

  • How often are OJVM PSU patches released ?
    • Patches will be released as required at the same time as other Critical Patch Update patches.

  • Will future OJVM PSU be RAC Rolling installable ?
    • Technically, no. There are potential alternatives that were discussed above, and that are detailed in MOS NOTE 2217053.1, RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU"

  • Does OJVM PSU include non security fixes ?
    • OJVM PSU may include some high impact non-security OJVM fixes

  • How can I tell if the mitigation patch is installed and enabled ?
    • The mitigation patch creates a view called "JAVA_DEV_STATUS"
    • If the view is missing the mitigation patch is not installed
    • If view is present then selecting from the view should return a single row with column JAVA_DEV_ENABLED showing YES or NO to indicate if Java development is currently enabled (YES) or disabled (NO).

  • Why are there 2 entries for "jvmpsu.sql" in DBA_REGISTRY_HISTORY after applying DB PSU (or equivalent) and OJVM PSU ?
    • Depending on the exact patching order used DB PSU post install steps may also run the jvmpsu.sql script - this is normal and expected.
    • You should always run complete post install steps as documented regardless of content of DBA_REGISTRY_HISTORY.

  • Why do I get ORA-942 errors from DBMS_JAVA_DEV ?
    • This can occur if the database does not have a valid JavaVM installed.
      eg:
      • ORA-00942: table or view does not exist
        ORA-06512: at "SYS.DBMS_JAVA_DEV", line 54
        ORA-06512: at line 1
    • If you get such errors then check if the database has JavaVM installed (see earlier) - if not then no post install steps are required and the error can be ignored.

  • Do I need to run post install scripts for OJVM PSU after installing JVM manually inside the Database ?
    • Yes. If OJVM PSU is applied when there is no JVM inside the database, after installing JVM, run the post installation scripts for OJVM PSU.

  • Why is the prior OJVM PSU not rolled back when a later release is installed? And why is an older OJVM PSU reapplied when a later release is rolled back?
    • Beginning in OPatch 12.2.0.1.5 and 11.2.0.3.14 there is a behavior change in the way superset patches address subset patches. Additionally, in OPatch 12.2.0.1.5 OVM has been removed. Please see the following note for additional information: Note 2161861.1 "OPatch: Behavior Changes starting in OPatch 12.2.0.1.5 and 11.2.0.3.14 releases"

  • Can I apply the OJVM PSU patch before running DBUA?
    • Yes. DBUA will perform the Post Install steps for the OJVM PSU after the upgrade completes

Additional Notes

OJVM PSU information available BEFORE 30/Oct/2014 contained incorrect information about patching requirements. See Document:1938931.1 if you used OJVM PSU information from before 30/Oct/2014.

Modification History

Date               Modification
19 October 2017    Correct reported link problems
07 November 2017   Add references to Patch 23727148
15 November 2017   Recommend that OJVM and DB patch quarters (versions) match
27 November 2017   Added statement that 12.2 does not need the JDBC fixes.
                   Added 12.2 to 'Patches Applicable' table
12 January 2018    Update link to the "Oracle Database Server Risk Matrix" information.
                   Updated title of and references to Note 756671.1
26 January 2018    Added warning about potential ORA-20031 during rollback
31 January 2018    Changed all RU to 'Update', all RUR to 'Revision'
08 February 2018   Changed patch number 23727148 to 23727132 in the 11.2.0.4 section of table "Which Patches are Applicable to which Homes ?"
04 May 2018        Updated "October 2014 JDBC patch" to "July 2016 JDBC patch"
07 February 2019   Included references to new DOC ID 2217053.1 for OJVM rolling patch mode
16 August 2021     Included 21c, where the OJVM patch is included within the Database Release Update (RU) patch
