There is a requirement to apply Oct 2014 PSU onto 220.127.116.11 ORACLE_HOME.
From Oct 2014 onwards, Oracle JavaVM Component Database PSU is released as part of the Critical Patch Update program.
It consists of two separate patches:
- One for JDBC clients – applicable to Client, Instant Client, Database and Grid ORACLE_HOMES. This is referred to as “JDBC Patch” .
- One for Oracle JavaVM component within the Oracle Database – applicable to database ORACLE_HOMEs only. This is referred to as “OJVM PSU” .
The table below shows which Oracle JavaVM Component patches are required in the various ORACLE_HOMEs.
|Version||Type of Home||October 2014||January 2015|
|18.104.22.168||Database Home||OJVM PSU (Oct 2014)(or Mitigation Patch)||OJVM PSU (Jan 2015)(or Mitigation Patch)|
|Client / Instant Client Home||None||None|
|Database Home||OJVM PSU (Oct 2014)
and JDBC Patch (Oct 2014)(or Mitigation Patch and JDBC Patch)
|OJVM PSU (Jan 2015) [includes JDBC fixes](or Mitigation Patch and JDBC Patch)|
|Grid Home||JDBC Patch (Oct 2014)||JDBC Patch (Oct 2014)|
|Client / Instant Client Home||JDBC Patch (Oct 2014)||JDBC Patch (Oct 2014)|
|Other Versions||Database Home||Mitigation Patch||Mitigation Patch|
- packaged separately from the Database PSU (or equivalent) as they cannot be installed in a RAC Rolling manner, nor in Standby First manner.
- Oracle has also released “Combo” patches that bundle the OJVM PSU in the same ZIP file as DB PSU and/or GI PSU for ease of download. The OJVM component in these “Combo” patches is in a separate subdirectory with its own install steps still required. October 2014 “Combo” patches do not include the JDBC Patch.
- are applicable to all database installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)
- require the database home to be patched to at least October 2014 DB PSU (or equivalent)
- include binary changes to be applied to each Database ORACLE_HOME, and “post install” steps to be execute on each database running from the ORACLE_HOME
- from January 2015 onwards: include the JDBC fixes
- For situations where the latest OJVM PSU cannot be installed immediately there is a “Mitigation Patch” that can be used.
For situations where the latest OJVM PSU cannot be installed immediately there is a “Mitigation Patch” that can be used. The “Mitigation Patch” is an interim solution to protect against all currently known (Jan 2015) Oracle JavaVM security vulnerabilities in the database until such time as the OJVM PSU can be installed. It can also be used to protect database versions no longer covered by error correction support.
- is applicable only to database homes, not client nor Grid homes
- is only applicable to databases that have JavaVM installed
- has no dependency on the DB PSU (or equivalent) level
- can be installed in a RAC Rolling manner
- is a SQL only patch that needs to be installed and activated in each database, hence it can be installed standby first but it requires SQL steps to be executed to be effective, which cannot be done on a read only standby
- affects use of Java and Java development in the database
has been reviewed for January 2015 and provides mitigation against all currently known OJVM vulnerabilities
- can be downloaded here: Patch:19721304
Applying the Mitigation Patch
2. Execute the patch post install steps against all databases running from each ORACLE_HOME. See the README supplied with the patch for post install steps relevant to the database version.
3. Check the patch logs for any errors and correct as required
4. Run the following step as a SYSDBA user to DISABLE Java development in the database:
Temporarily Enabling Creation/Update of Stored Java Objects
If you need to allow the creation/update of stored Java objects, including application of patches that affect stored Java or the Oracle JavaVM:
Connect to the database as a SYSDBA user
SQL> exec dbms_java_dev.enable;
Perform the steps required to create or replace Java objects, apply Java related patches.
SQL> exec dbms_java_dev.disable;
Be sure to end the steps with the call to “dbms_java_dev.disable” in order to protect the database.
Applying an “Oracle JavaVM Component Database PSU” Patch with the Mitigation Patch Already Installed
You must “enable” Java development prior to installing the OJVM PSU patch.
Disconnect users and prevent user access to the databases running from the ORACLE_HOME to be patched
“exec dbms_java_dev.enable;” in each database
Shutdown the databases
Follow the full steps to apply the OJVM PSU patch, including running post install steps against each database
You do not need to “disable” Java development after patching with the latest OJVM PSU patch, unless you wish to do so.
- JDBC patch is separately from the OJVM PSU and Database PSU (or equivalent) for ease of deployment to client environments
- are applicable to Client, Instant Client and Grid ORACLE_HOMES The JDBC fixes are also applicable to the Database home regardless of whether Oracle JavaVM is used in a database or not:
For October 2014 the JDBC Patch should also be installed in the Database home
For January 2015 the OJVM PSU includes the JDBC fixes and so the JDBC patch does not need to be installed in the Database home unless OJVM PSU is not being installed
- are applicable to all installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)
- have no dependency on OJVM PSU nor Database PSU (or equivalent) patch level
- can be installed in database server homes in a RAC Rolling manner
- do not require the database and listeners to be shutdown for patching in non-RAC environments
- do not require any post install steps be executed against individual databases
The Oct 2014 PSU patches include:
1) Patch 19121551 — Database Patch Set Update 22.214.171.124.4( Includes CPUOCT2014)
2) Patch 19282021 – Oracle JavaVM Component 126.96.36.199.1 Database PSU (Oct2014)
3) Patch 19852360: ORACLE JAVAVM COMPONENT 188.8.131.52.1 DATABASE PSU – GENERIC JDBC PATCH (OCT2014)
- Shutdown databases and services on all nodes
- Apply DB PSU Patch 19121551, but do NOT run DB PSU post install steps
- Apply OJVM PSU Patch 19282021
- October 2014 only for DB versions below 184.108.40.206: Apply the JDBC Patch 19852360
- Run post install steps on all DBs in the patched home:
- For 220.127.116.11 and 18.104.22.168 run the OJVM PSU post install steps followed by the DB PSU post install steps.
- For 22.214.171.124 run the OJVM PSU post install steps, then shutdown/restart the database before following the DB PSU (or equivalent) post install steps. [see note-4 below]
- Re-start any stopped databases / services running from this ORACLE_HOME
Oracle Recommended Patches — “Oracle JavaVM Component Database PSU” (OJVM PSU) Patches (Doc ID 1929745.1)