Oracle 补丁漏洞

Patch 34386237: DATABASE PATCH SET UPDATE 11.2.0.4.221018 PSU 2022年10月11g Linux DB 补丁

1.1 Patch Information

From CPUJan2016 onwards, the 5th field of the version number will be changed to reflect the release date in the format YYMMDD. See My Oracle Support Document 2061926.1 for more information.

PSU patches are cumulative. That is, the content of all previous PSUs is included in the latest PSU patch.

This PSU includes the fixes listed in Bugs Fixed by This Patch.

To install this PSU, the Oracle home must have the 11.2.0.4.0 Database installed. Subsequent PSU patches can be installed on Oracle Database 11.2.0.4.0 or any PSU with a lower 5th numeral version than the one being installed.

Starting from October 2018 onwards, this patch changes the crypto library to MES 4.1.5. See My Oracle Support Document 2458023.1 Important Usage Notes For Database Using MES415 Crypto Libraries.

This patch is Oracle RAC Rolling Installable.

This patch is Database Vault installable. Review My Oracle Support Document 1195205.1 for details on how to apply this patch to a Database Vault environment.

This patch is Data Guard Standby-First Installable. See My Oracle Support Document 1265700.1 Oracle Patch Assurance – Data Guard Standby-First Patch Apply for details on how to remove risk and reduce downtime when applying this patch.

This patch contains a security fix due to which a SELECT query’s plan MAY change under the following conditions:

  • The SELECT queries a table protected with a Fined Grained Auditing policy
  • And the policy condition is NULL

This patch contains fixes for Security Vulnerability CVE-2022-21596 announced in CPUOct2022.

1.2 Prerequisites

It is highly recommended to take a backup of the Oracle_Home binaries and Central Inventory prior to applying patches. For further information, refer to Note 565017.1.

This section includes the following section:

1.2.1 OPatch Utility

You must use the OPatch utility version 11.2.0.3.36 or later to apply this patch. Oracle recommends that you use the latest released OPatch version for 11.2, which is available for download from My Oracle Support patch 6880880 by selecting the 11.2.0.0.0 release.

For information about OPatch documentation, including any known issues, see My Oracle Support Document 293369.1 Primary Note For OPatch.

1.3 Installation

These instructions are for all Oracle Database installations.

1.3.1 Patch Pre-Installation Instructions

Before you install this patch, perform the following actions to check the environment and to detect and resolve any one-off patch conflicts.

1.3.1.1 Applying Database PSU Along Side the Oracle JavaVM Component 11.2.0.4.x Database PSU Patch

From October 2014 onwards, the Oracle JavaVM Component 11.2.0.4.x Database PSU patch is also available as a separate patch. That separate patch has some additional requirements if it is to be installed in a “Conditional Rolling Install” fashion, as detailed in My Oracle Support Document 2217053.1. For customers wanting to install both patches together during a single downtime window, follow the various Patching Options listed in the My Oracle Support Document 1929745.1 – Oracle Recommended Patches — “Oracle JavaVM Component Database PSU and Update” (OJVM PSU and OJVM Update) Patches.

1.3.1.2 Environments with Grid Infrastructure (GI)

If you are installing the PSU to an environment that has a Grid Infrastructure (GI) home, note the following:

  • Grid Infrastructure PSU 11.2.0.4.221018 Patch 34536853 should be applied to the Grid Infrastructure home and Database home using the readme instructions provided with the patch.

1.3.1.3 Environment Checks

  1. Ensure that the $PATH definition has the following executables: makearld, and nm.The location of these executables depends on your operating system. On many operating systems, they are located in /usr/ccs/bin, in which case you can set your PATH definition as follows:export PATH=$PATH:/usr/ccs/bin

1.3.1.4 One-off Patch Conflict Detection and Resolution

For an introduction to the PSU one-off patch concepts, see “Patch Set Updates Patch Conflict Resolution” in My Oracle Support Document 854428.1 Patch Set Updates for Oracle Products.

The fastest and easiest way to determine whether you have one-off patches in the Oracle home that conflict with the PSU, and to get the necessary conflict resolution patches, is to use the Patch Recommendations and Patch Plans features on the Patches & Updates tab in My Oracle Support. These features work in conjunction with the My Oracle Support Configuration Manager. Recorded training sessions on these features can be found in Document 603505.2.

However, if you are not using My Oracle Support Patch Plans, the My Oracle Support Conflict Checker tool enables you to upload an OPatch inventory and check the patches that you want to apply to your environment for conflicts.

If no conflicts are found, you can download the patches. If conflicts are found, the tool finds an existing resolution to download. If no resolution is found, it will automatically request a resolution, which you can monitor in the Plans and Patch Requests region of the Patches & Updates tab.

For more information, see Knowledge Document 1091294.1How to Use the My Oracle Support Conflict Checker Tool for Patches Installed with OPatch [Video].

Or, use the following steps to manually discover conflicts and resolutions:

  1. Determine whether any currently installed one-off patches conflict with the PSU patch as follows:unzip p34386237_112040_<platform>.zip cd 34386237 opatch prereq CheckConflictAgainstOHWithDetail -ph ./
  2. The report will indicate the patches that conflict with PSU 34386237 and the patches for which PSU 34386237 is a superset.Note that Oracle proactively provides PSU one-off patches for common conflicts with this patch.
  3. Use My Oracle Support Document 1321267.1 Database Patch Conflict Resolution to determine, for each conflicting patch, whether a conflict resolution patch is already available, and if you need to request a new conflict resolution patch or if the conflict may be ignored.
  4. When all the one-off patches that you have requested are available at My Oracle Support, proceed with Patch Installation Instructions.

1.3.2 Patch Installation Instructions

Conflicting patches should be rolled back before applying the patch, otherwise opatch apply will report conflicts again.

Follow these steps:

  1. If you are using a Data Guard Physical Standby database, you must install this patch on both the primary database and the physical standby database, as described by My Oracle Support Document 278641.1.
  2. If this is an Oracle RAC environment, install the PSU patch using the OPatch rolling (no downtime) installation method as the PSU patch is rolling Oracle RAC installable. Refer to My Oracle Support Document 244241.1 Rolling Patch – OPatch Support for RAC.
  3. If this is not a Oracle RAC environment, shut down all instances and listeners associated with the Oracle home that you are updating. For more information, see Oracle Database Administrator’s Guide.
  4. Rollback any patches found during the One-off Patch Conflict Detection.
  5. Set your current directory to the directory where the patch is located and then run the OPatch utility by entering the following commands:unzip p34386237_112040_<platform>.zip cd 34386237 opatch apply
  6. Install all resolutions to conflicts found during the One-off Patch Conflict Detection.
  7. If there are errors, refer to Known Issues.

1.3.3 Patch Post-Installation Instructions

After installing the patch, perform the following actions:

  1. Apply conflict resolution patches as explained in Applying Conflict Resolution Patches.
  2. Load modified SQL files into the database, as explained in Loading Modified SQL Files into the Database.

1.3.3.1 Applying Conflict Resolution Patches

Apply the patch conflict resolution one-off patches that were determined to be needed when you performed the steps in One-off Patch Conflict Detection and Resolution.

1.3.3.2 Loading Modified SQL Files into the Database

The following steps load modified SQL files into the database. For an Oracle RAC environment, perform these steps on only one node.

  1. For each database instance running on the Oracle home being patched, connect to the database using SQL*Plus. Connect as SYSDBA, make sure invalid objects are set to zero, if the invalid objects are non-zero, use utlrp.sql. Then run the catbundle.sql script as follows:cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> STARTUP SQL> @catbundle.sql psu apply SQL> QUIT The catbundle.sql execution is reflected in the dba_registry_history view by a row associated with bundle series PSU.For information about the catbundle.sql script, see My Oracle Support Document 605795.1 Introduction To Oracle Database catbundle.sql.
  2. If the OJVM PSU was applied for a previous PSU patch, you may see invalid Java classes after execution of the catbundle.sql script in the previous step. If this is the case, run utlrp.sql to re-validate these Java classes.cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> @utlrp.sql
  3. Check the following log files in $ORACLE_HOME/cfgtoollogs/catbundle or $ORACLE_BASE/cfgtoollogs/catbundle for any errors:catbundle_PSU_<database SID>_APPLY_<TIMESTAMP>.log catbundle_PSU_<database SID>_GENERATE_<TIMESTAMP>.log where TIMESTAMP is of the form YYYYMMMDD_HH_MM_SS. If there are errors, refer to Known Issues.
  4. This patch now includes the OJVM Mitigation patch (Patch:19721304). If an OJVM PSU is installed or planned to be installed, no further actions are necessary. Otherwise, the workaround of using the OJVM Mitigation patch can be activated. As SYSDBA do the following from the admin directory:SQL > @dbmsjdev.sql SQL > exec dbms_java_dev.disable For more information on the OJVM mitigation patch, see Document 1929745.1 Oracle Recommended Patches — “Oracle JavaVM Component Database PSU and Update” (OJVM PSU and OJVM Update) Patches.

1.3.4 Patch Post-Installation Instructions for Databases Created or Upgraded after Installation of this PSU in the Oracle Home

There are no actions required for databases that have been upgraded or created after installation of this patch.

1.4 Deinstallation

These instructions apply if you need to deinstall the patch.

1.4.1 Patch Deinstallation Instructions for a Non Oracle RAC Environment

Follow these steps:

  1. Verify that an $ORACLE_HOME/rdbms/admin/catbundle_PSU_<database SID>_ROLLBACK.sql file exists for each database associated with this ORACLE_HOME. If this is not the case, you must execute the steps in Loading Modified SQL Files into the Database against the database before deinstalling the PSU.
  2. Shut down all instances and listeners associated with the Oracle home that you are updating. For more information, see Oracle Database Administrator’s Guide.
  3. Run the OPatch utility specifying the rollback argument as follows.opatch rollback -id 34386237
  4. If there are errors, refer to Known Issues.

1.4.2 Patch Post-Deinstallation Instructions for a Non Oracle RAC Environment

Follow these steps:

  1. Start all database instances running from the Oracle home. (For more information, see Oracle Database Administrator’s Guide.)
  2. For each database instance running out of the ORACLE_HOME, connect to the database using SQL*Plus as SYSDBA and run the rollback script as follows:cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> STARTUP SQL> @catbundle_PSU_<database SID>_ROLLBACK.sql SQL> QUIT In an Oracle RAC environment, the name of the rollback script will have the format catbundle_PSU_<database SID PREFIX>_ROLLBACK.sql.
  3. If the OJVM PSU was applied for a previous PSU patch, you may see invalid Java classes after execution of the catbundle.sql script in the previous step. If this is the case, run utlrp.sql to re-validate these Java classes.cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> @utlrp.sql
  4. Check the log file for any errors. The log file is found in $ORACLE_BASE/cfgtoollogs/catbundle and is named catbundle_PSU_<database SID>_ROLLBACK_<TIMESTAMP>.log where TIMESTAMP is of the form YYYYMMMDD_HH_MM_SS. If there are errors, refer to Known Issues.

1.4.3 Patch Deinstallation Instructions for an Oracle RAC Environment

Follow these steps for each node in the cluster, one node at a time:

  1. Shut down the instance on the node.
  2. Run the OPatch utility specifying the rollback argument as follows.opatch rollback -id 34386237 If there are errors, refer to Known Issues.
  3. Start the instance on the node as follows:srvctl start instance –d <db-unique-name> -n <nodename>

1.4.4 Patch Post-Deinstallation Instructions for an Oracle RAC Environment

Follow the instructions listed in Section Patch Post-Deinstallation Instructions for a Non Oracle RAC Environment only on the node for which the steps in Loading Modified SQL Files into the Database were executed during the patch application.

All other instances can be started and accessed as usual while you are executing the deinstallation steps.

1.5 Known Issues

For information about OPatch issues, see My Oracle Support Document 293369.1 Primary Note For OPatch.

For issues documented after the release of this PSU, see My Oracle Support Document 2888727.1 Oracle Database Patch Set Update 11.2.0.4.221018 Known Issues.

Other issues are as follows.
Issue 1

The following ignorable errors may be encountered while running the catbundle.sql script or its rollback script:

ORA-00942: table or view does not exist
ORA-00955: name is already used by an existing object
ORA-01430: column being added already exists in table
ORA-01432: public synonym to be dropped does not exist
ORA-01434: private synonym to be dropped does not exist
ORA-01435: user does not exist
ORA-01917: user or role 'XDB' does not exist
ORA-01920: user name '<user-name>' conflicts with another user or role name
ORA-01921: role name '<role name>' conflicts with another user or role name
ORA-01927: cannot REVOKE privileges you did not grant
ORA-01952: system privileges not granted to 'WKSYS'
ORA-02303: cannot drop or replace a type with type or table dependents
ORA-02443: Cannot drop constraint - nonexistent constraint
ORA-04043: object <object-name> does not exist
ORA-06512: at line <line number>. (That is, if ORA-06512 follows any of preceding errors, it can be safely ignored.)
ORA-14452: attempt to create, alter or drop an index on temporary table already in use
ORA-29809: cannot drop an operator with dependent objects
ORA-29830: operator does not exist
ORA-29832: cannot drop or replace an indextype with dependent indexes
ORA-29844: duplicate operator name specified 
ORA-29931: specified association does not exist

Issue 2

Warnings may be returned during the re-link phase of 34386237 . These warnings may be ignored.

warning: overriding commands for target `nmosudo'
warning: ignoring old commands for target `nmosudo'

See the following document for additional information.

Document 1562458.1 Relinking the DB Control 11.2.0.3 Agent Displays a Warning Message “overriding commands for target ‘nmosudo'”Issue 3

On HP-UX systems, the following ignorable warnings may be encountered during the relinking of the oracle binary:

WARNING:OUI-67215:
OPatch found the word "failed" in the stderr of the make command. Please look at this stderr. You can re-run this make command.
 
cc: warning 487: Possibly incorrect message catalog.
total_lntt_bytes is 0, assuming size of .debug_lntt
Failed to mmap lntt temp file.

Issue 4

On AIX systems, the following ignorable warnings may be encountered during the relinking of the oracle binary:

WARNING:OUI-67215:
OPatch found the word "failed" in the stderr of the make command. Please look at this stderr. You can re-run this make command.

ld: 0711-224 WARNING: Duplicate symbol: <symbol>
ld: 0711-345 WARNING: Duplicate symbol: <symbol>
ld: 0711-773 WARNING: Duplicate symbol: <symbol>
ld: 0711-783 WARNING: Duplicate symbol: <symbol>
ld: 0711-301 WARNING: Duplicate symbol: <symbol>
ld: 0711-415 WARNING: Duplicate symbol: <symbol>
ld: 0711-319 WARNING: Duplicate symbol: <symbol>

Issue 5

On IBM: Linux on System Z, the following ignorable warnings may be encountered during relinking of e2eme binary:

OUI-67215:
OPatch found the word "warning" in the stderr of
the make command.

Please look at this stderr. You can re-run this
make command.
Stderr output:
ins_emagent.mk:113: warning: overriding commands for target `nmosudo'
ins_emagent.mk:52: warning: ignoring old
commands for target `nmosudo'

Issue 6

If Oracle Database Vault is enabled, the following error can occur during the execution of the Post Installation or Deinstallation steps:

initjvmaux.drop_sros();
 
EXECUTE IMMEDIATE 'create or replace java system';
...
ORA-01031: insufficient privileges
ORA-06512: at "SYS.INITJVMAUX", line 535
ORA-06512: at line 3

To recover from this issue, see the following My Oracle Support Document 1935120.1 ORA-01031 during Post Install / De-install for Database PSU or OJVM PSU with Data Vault installedIssue 7

When trying to install the Oracle Database Patch Set Update 11.2.0.4.221018, OPatch reports:

/refresh/home/app/oracle/product/11.2.0/client_1/rdbms/admin/orasdkbase_shrept.lst: No such file or directory
/usr/bin/ld: cannot open linker script file
/refresh/home/app/oracle/product/11.2.0/client_1/rdbms/admin/liborasdkbase.def: No such file or directory
  collect2: ld returned 1 exit status
/refresh/home/app/oracle/product/11.2.0/client_1/bin/genorasdksh: Failed to link liborasdkbase.so.11.1
make: *** [liborasdkbase] Error 1

Cause: BUG 24331924 – MISSING LIBORASDKBASE FROM 11.2.0.4 RUNTIME CLIENT

Solution: Follow these steps:

  1. Apply patch 24331924.
  2. Re-apply the PSU.

Issue 8

Problem: The permission of the library file $ORACLE_HOME/lib/libsqlplus.so may change from 644 to 640, after applying this PSU patch.

You may first notice this issue from the following error encountered from SQL*Plus through non-oracle user:

ld.so.1: sqlplus: fatal: …../lib/libsqlplus.so: Permission denied

This issue is discussed further in My Oracle Support Document 2201729.1. This issue is fixed in a future release Oracle Database 12c release 2 (12.2).

Workaround: For earlier versions, do the following:

Change the permission of the library file $ORACLE_HOME/lib/libsqlplus.so back to 644 to allow the non-oracle users and application users to connect.

Otherwise, apply the patch 22730454 on top of this PSU release.Issue 9

Problem: DB HOME CLONING FUNCTIONALITY may fail in an Oracle RAC environment with LOG4J-CORE.JAR IS MISSING UNDER $ORACLE_HOME/OUI/JLIB/JLIB FOLDER error.

Workaround: Apply the one off patch 34381414 to resolve this issue.Issue 10

Problem: While running clone.pl in an Oracle RAC environment with JDK 6 version, the unsupported major.minor version 52.0 error might be seen.

Workaround: Apply patch 34113546 to update to JDK 7 version to resolve this issue.

1.6 References

The following documents are references for this patch.

Document 293369.1 Primary Note For OPatch

Document 360870.1 Impact of Java SE Security Vulnerabilities on Oracle Database and Fusion Middleware Products

Document 1321267.1 Database Patch Conflict Resolution

Document 34386237.8 Database 11.2.0.4.221018 Patch Set Update (PSU)

Document 1611785.1 11.2.0.4 Patch Set Updates – List of Fixes in each PSU

Document 1561792.2 Troubleshooting Assistant: Patching Oracle Database/Client

1.7 Bugs Fixed by this Patch

See My Oracle Support Document 1611785.1 that documents all the non-security bugs fixed in each 11.2.0.4 Patch Set Update (PSU).

1.8 Documentation Accessibility

For information about Oracle’s commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id-docacc.


数据运维技术 » Patch 34386237: DATABASE PATCH SET UPDATE 11.2.0.4.221018 PSU 2022年10月11g Linux DB 补丁
分享到:

相关推荐