Patch 34536853: GRID INFRASTRUCTURE PATCH SET UPDATE 11.2.0.4.221018 11g Linux 2022年10月最新补丁

From CPUJan2016 onwards, the 5th field of the version number will be changed to reflect the release date in the format YYMMDD. See My Oracle Support Document 2061926.1 for more information.

In this document Oracle database home refers to Enterprise Edition or Standard Edition database software. GI refers to Grid Infrastructure and PSU refers to Patch Set Update.

The GI PSU patch includes updates for both the Clusterware home and database home that can be applied in a rolling fashion.

Starting from October 2018 onwards, this patch changes the crypto library to MES 4.1.5. See My Oracle Support Document 2458023.1 Important Usage Notes For database Using MES415 Crypto Libraries.

This patch is Database Vault installable. Review My Oracle Support Document 1195205.1 for details on how to apply this patch to a Database Vault environment.

This patch is Data Guard Standby First Installable – See My Oracle Support Document 1265700.1 Oracle Patch Assurance – Data Guard Standby-First Patch Apply for details on how to remove risk and reduce downtime when applying this patch.

This patch contains fixes for Security Vulnerability CVE-2022-21596 announced in CPUOct2022.

This document is accurate at the time of release. For any changes and additional information regarding this GI PSU, see these related documents that are available at My Oracle Support (http://support.oracle.com/):

  • Document 854428.1 Patch Set Updates for Oracle Products
  • Document 2888730.1 Oracle Grid Infrastructure Patch Set Update 11.2.0.4.221018 Known Issues

This document includes the following sections:

1.1 Patch Information

GI PSUs are cumulative and include the database PSU and associated CPU program security content. GI PSUs also include other subpatches such as Oracle Clusterware (OCW) and Oracle Automatic Storage Management Cluster File System (Oracle ACFS). The Oracle ACFS subpatch contains Oracle Automatic Storage Management Dynamic Volume Manager (Oracle ADVM) and Oracle Kernel Services (OKS) drivers.

Table 1-1 lists the various configurations and the applicable PSU that should be used to patch that configuration.

1.2 Patch Installation and Deinstallation

This section includes the following sections:

1.2.1 Patch Installation Prerequisites

It is highly recommended to take a backup of the Oracle_Home binaries, the Grid_Home binaries, and Central Inventory prior to applying patches. For further information, refer to Note 565017.1.

You must satisfy the conditions in the following sections before applying the patch:

1.2.1.1 OPatch Utility Information

You must use the OPatch utility version 11.2.0.3.36 or later to apply this patch. Oracle recommends that you use the latest released OPatch version for 11.2 releases, which is available for download from My Oracle Support patch 6880880 by selecting ARU link for the 11.2.0.0.0 release. It is recommended that you download the Opatch utility and the patch in a shared location to be able to access them from any node in the cluster for the patch application on each node.

When patching the GI home, a shared location on Oracle ACFS only needs to be unmounted on the node where the GI home is being patched.

The new OPatch utility should be updated in all the Oracle RAC database homes and the GI home that are being patched.

For each Oracle RAC database home and the GI home that are being patched, as the home owner, extract the OPatch utility.

For exact instructions to install Opatch follow the Opatch readme.

For information about OPatch documentation, including any known issues, see My Oracle Support Document 293369.1 Primary Note for OPatch.

1.2.1.2 Validation of Oracle Inventory

Before beginning patch application, check the consistency of inventory information for GI home and each database home to be patched. Run the following command as respective Oracle home owner to check the consistency.

$ <ORACLE_HOME>/OPatch/opatch lsinventory -detail -oh <ORACLE_HOME>

If this command succeeds, it lists the Oracle components that are installed in the home. Save the output so you have the status prior to the patch apply.

If this command fails, contact Oracle Support Services for assistance.

1.2.1.3 Download and Unzip the Patch

To apply the patch, it must be accessible from all nodes in the Oracle cluster. Download the patch and unzip it to a shared location, this is called the <UNZIPPED_PATCH_LOCATION>. This directory must be empty and not be /tmp. Additionally, the directory should have read permission for the ORA_INSTALL group.

$ cd <UNZIPPED_PATCH_LOCATION>

Check that the directory is empty.

$ ls

Unzip the patch as grid home owner.

$ unzip p34536853_112040_<platform>.zip

1.2.1.4 Stop EM Agent Processes Prior to Patching and Prior to Rolling Back the Patch

You must stop the EM agent processes running from the database home, prior to patching the Oracle RAC database or GI home and prior to rolling back the patch from Oracle RAC database or GI home. Execute the following command on the node to be patched or the node where the patch is to be rolled back.

As the Oracle RAC database home owner execute:

$ <ORACLE_HOME>/bin/emctl stop dbconsole

1.2.2 One-off Patch Conflict Detection and Resolution

See My Oracle Support Document 1061295.1 Patch Set Updates – One-off Patch Conflict Resolution to determine, for each conflicting patch, whether a conflict resolution patch is already available, and if you need to request a new conflict resolution patch or if the conflict may be ignored.

The fastest and easiest way to determine whether you have one-off patches in the Oracle home that conflict with the patch, and to get the necessary conflict resolution patches, is to use the Patch Recommendations and Patch Plans features on the Patches & Updates tab in My Oracle Support. These features work in conjunction with the My Oracle Support Configuration Manager. Recorded training sessions on these features can be found in Document 603505.2.

However, if you are not using My Oracle Support Patch Plans, the My Oracle Support Conflict Checker tool enables you to upload an OPatch inventory and check the patches that you want to apply to your environment for conflicts.

If no conflicts are found, you can download the patches. If conflicts are found, the tool finds an existing resolution to download. If no resolution is found, it will automatically request a resolution, which you can monitor in the Plans and Patch Requests region of the Patches & Updates tab.

For more information, see Knowledge Document 1091294.1How to Use the My Oracle Support Conflict Checker Tool for Patches Installed with OPatch [Video].

Note:

When performing the conflict analysis on the database Oracle home inventory, use the database PSU patch instead of the Grid Infrastructure PSU patch.

1.2.3 OPatch auto for GI

The Opatch utility has automated the patch application for the Oracle Grid Infrastructure (GI) home and the Oracle RAC database homes when run with root privileges. It must be executed on each node in the cluster if the GI home or Oracle RAC database home is in non-shared storage. The utility should not be run in parallel on the cluster nodes.

For more information about opatch auto, see My Oracle Support Document 1339140.1 FAQ: OPatch/Patch Questions/Issues for Oracle Clusterware (Grid Infrastructure or CRS) and RAC Environments.

For detailed patch installation instructions, see Patch Installation.

1.2.4 Patch Installation

The patch instructions will differ based on the configuration of the Grid infrastructure and the Oracle RAC database homes. Patching instructions for Oracle RAC database homes and GI together are listed below.

The most common configurations are listed as follows:

  • Case 1: GI home and the database homes that are not shared and Oracle ACFS file system is not configured
  • Case 2: GI home is not shared, database home is shared, Oracle ACFS may be used

For other configurations listed below, see My Oracle Support Document 1641136.1:

  • GI home is not shared, the database home is not shared, Oracle ACFS may be used.
  • Patching Oracle RAC database homes.
  • Patching GI home alone.
  • Patching Oracle Restart home.
  • Patching a software only GI home installation or before the GI home is configured.

Patching Oracle RAC database homes and GI Together

  • Case 1: GI home and the database homes that are not shared and Oracle ACFS file system is not configured.As root user, execute the following command on each node of the cluster:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853
  • Case 2: GI home is not shared, database home is shared, Oracle ACFS may be used.Patching instructions:
    1. From the Oracle database home, make sure to stop the Oracle RAC databases running on all nodes. As the database home owner execute:$ <ORACLE_HOME>/bin/srvctl stop database –d <db-unique-name>
    2. On the 1st node, unmount the Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for unmounting Oracle ACFS file systems.
    3. On the 1st node, apply the patch to the GI home using the opatch auto command. As root user, execute the following command:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853
    4. If the message, “A system reboot is recommended before using ACFS” is shown, then a reboot must be issued before continuing. Failure to do so will result in running with an unpatched ACFS\ADVM\OKS driver.
    5. On the 1st node, remount Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for mounting Oracle ACFS file systems.
    6. On the 1st node, apply the patch to the database home using the opatch auto command. Since the database home is shared, this operation will patch the database home across the cluster. Note that a USM only patch cannot be applied to a database home. As root user, execute the following command:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853 -oh <DATABASE_HOME>
    7. On the 1st node only, restart the Oracle instance, which you have previously stopped in Step 1As the database home owner execute:$ <ORACLE_HOME>/bin/srvctl start instance –d <db-unique-name> -n <nodename>
    8. On the 2nd (next) node, unmount the Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for unmounting Oracle ACFS file systems.
    9. On the 2nd node, apply the patch to GI home using the opatch auto command. As root user, execute the following command:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853 -oh <GI_HOME>
    10. If the message, “A system reboot is recommended before using ACFS” is shown, then a reboot must be issued before continuing. Failure to do so will result in running with an unpatched ACFS\ADVM\OKS driver.
    11. On the 2nd node, running the opatch auto command in Step 9 will restart the stack.
    12. On the 2nd node, remount Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for mounting Oracle ACFS file systems.
    13. On the 2nd node only, restart the Oracle instance, which you have previously stopped in Step 1As the database home owner execute:$ <ORACLE_HOME>/bin/srvctl start instance –d <db-unique-name> -n <nodename>
    14. Repeat Steps 8 through 13 for all remaining nodes of the cluster.

1.2.5 Patch Post-Installation Instructions

After installing the patch, perform the following actions:

  1. Apply conflict resolution patches as explained in Applying Conflict Resolution Patches.
  2. If applying a PSU, load modified SQL files into the database, as explained in Loading Modified SQL Files into the Database.
  3. Upgrade Oracle Recovery Manager catalog, as explained in Upgrade Oracle Recovery Manager Catalog.

This patch includes new stub modules for database applications. As a consequence you must relink all database applications. This applies to Pro*COBOL, Pro*C and OCI database applications. This is valid for standalone database applications and for openUTM database applications.

1.2.5.1 Applying Conflict Resolution Patches

Apply the patch conflict resolution one-off patches that were determined to be needed when you performed the steps in One-off Patch Conflict Detection and Resolution.

1.2.5.2 Loading Modified SQL Files into the Database

The following steps load modified SQL files into the database. For an Oracle RAC environment, perform these steps on only one node.

  1. For each database instance running on the Oracle home being patched, connect to the database using SQL*Plus. Connect as SYSDBA and run the catbundle.sql script as follows:cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> STARTUP SQL> @catbundle.sql psu apply SQL> QUIT The catbundle.sql execution is reflected in the dba_registry_history view by a row associated with bundle series PSU.For information about the catbundle.sql script, see My Oracle Support Document 605795.1 Introduction to Oracle Database catbundle.sql.
  2. If the OJVM PSU was applied for a previous GI PSU patch, you may see invalid Java classes after execution of the catbundle.sql script in the previous step. If this is the case, run utlrp.sql to re-validate these Java classes.cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> @utlrp.sql
  3. Check the following log files in $ORACLE_BASE/cfgtoollogs/catbundle for any errors:catbundle_PSU_<database SID>_APPLY_<TIMESTAMP>.log catbundle_PSU_<database SID>_GENERATE_<TIMESTAMP>.log where TIMESTAMP is of the form YYYYMMMDD_HH_MM_SS. If there are errors, see Known Issues.
  4. This patch now includes the OJVM Mitigation patch (Patch:19721304). If an OJVM PSU is installed or planned to be installed, no further actions are necessary. Otherwise, the workaround of using the OJVM Mitigation patch can be activated. As SYSDBA do the following from the admin directory:SQL > @dbmsjdev.sql SQL > exec dbms_java_dev.disable For more information on the OJVM mitigation patch, see Document 1929745.1 Oracle Recommended Patches — “Oracle JavaVM Component Database PSU and Update” (OJVM PSU and OJVM Update) Patches.

1.2.5.3 Upgrade Oracle Recovery Manager Catalog

If you are using the Oracle Recovery Manager, the catalog needs to be upgraded. Enter the following command to upgrade it:

$ rman catalog username/password@alias
RMAN> UPGRADE CATALOG;

1.2.6 Patch Post-Installation Instructions for Databases Created or Upgraded after Installation of Patch in the Oracle Home

These instructions are for a database that is created or upgraded after the installation of the patch.

You must execute the steps in Loading Modified SQL Files into the Database for any new database only if it was created by any of the following methods:

  • Using DBCA (Database Configuration Assistant) to select a sample database (General, Data Warehouse, Transaction Processing)
  • Using a script that was created by DBCA that creates a database from a sample database

There are no actions required for databases that have been upgraded.

1.2.7 Patch Deinstallation

The patch rollback instructions will differ based on the configuration of the Grid infrastructure and the Oracle RAC database homes. Roll Back instructions for Oracle RAC database homes and GI are listed below.

The most common configurations are listed as follows:

  • Case 1: GI home and database homes that are not shared and Oracle ACFS file system is not configured
  • Case 2: GI home is not shared, database home is shared and Oracle ACFS may be used

For other configurations listed below, see My Oracle Support Document 1641136.1:

  • GI home is not shared, the database home is not shared, Oracle ACFS may be used.
  • Rolling back from Oracle RAC database homes.
  • Rolling back from GI home alone.
  • Rolling back the patch from Oracle Restart home.
  • Rolling back the patch from a software only GI home installation or before the GI home is configured.

Roll Back the Oracle RAC Database Homes and GI Together

  • Case 1: GI home and database homes that are not shared and Oracle ACFS file system is not configured.As root user, execute the following command on each node of the cluster.# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853 -rollback If the message, “A system reboot is recommended before using ACFS” is shown, then a reboot must be issued before continuing. Failure to do so will result in running with an unpatched ACFS\ADVM\OKS driver.
  • Case 2: GI home is not shared, database home is shared and Oracle ACFS may be used.
    1. From the Oracle database home, make sure to stop the Oracle RAC databases running on all nodes. As the database home owner execute:$ <ORACLE_HOME>/bin/srvctl stop database –d <db-unique-name>
    2. On the 1st node, unmount the Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for unmounting Oracle ACFS file systems.
    3. On the 1st node, roll back the patch from the GI home using the opatch auto command. As root user, execute the following command:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853 -oh <GI_HOME> -rollback
    4. If the message, “A system reboot is recommended before using ACFS” is shown, then a reboot must be issued before continuing. Failure to do so will result in running with an unpatched ACFS\ADVM\OKS driver.
    5. On the 1st node, remount Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for mounting Oracle ACFS file systems.
    6. On the 1st node, roll back the patch to the database home using the opatch auto command. This operation will rollback the patch to the database home across the cluster given that it is a shared Oracle ACFS home. Note that a USM only patch cannot be applied to a database home. As root user, execute the following command:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853 -oh <DATABASE_HOME> -rollback
    7. On the 1st node only, restart the Oracle instance, which you have previously stopped in Step 1As the database home owner execute:$ <ORACLE_HOME>/bin/srvctl start instance –d <db-unique-name> -n <nodename>
    8. On the 2nd (next) node, unmount the Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for unmounting Oracle ACFS file systems.
    9. On the 2nd node, roll back the patch to GI home using the opatch auto command. As root user, execute the following command:# opatch auto <UNZIPPED_PATCH_LOCATION>/34536853 -oh <GI_HOME> -rollback
    10. If the message, “A system reboot is recommended before using ACFS” is shown, then a reboot must be issued before continuing. Failure to do so will result in running with an unpatched ACFS\ADVM\OKS driver.
    11. On the 2nd node, running the opatch auto command in Step 9 will restart the stack.
    12. On the 2nd node, remount Oracle ACFS file systems. See My Oracle Support Document 1494652.1 for mounting Oracle ACFS file systems.
    13. On the 2nd node only, restart the Oracle instance, which you have previously stopped in Step 1As the database home owner execute:$ <ORACLE_HOME>/bin/srvctl start instance –d <db-unique-name> -n <nodename>
    14. Repeat Steps 8 through 13 for all remaining nodes of the cluster.

1.2.8 Patch Post-Deinstallation Instructions for an Oracle RAC Environment

Follow these steps only on the node for which the steps in Loading Modified SQL Files into the Database were executed during the patch application.:

  1. Start all database instances running from the Oracle home. (For more information, see Oracle Database Administrator’s Guide.)
  2. For each database instance running out of the ORACLE_HOME, connect to the database using SQL*Plus as SYSDBA and run the rollback script as follows:cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> STARTUP SQL> @catbundle_PSU_<database SID PREFIX>_ROLLBACK.sql SQL> QUIT In an Oracle RAC environment, the name of the rollback script will have the format catbundle_PSU_<database SID PREFIX>_ROLLBACK.sql.
  3. If the OJVM PSU was applied for a previous GI PSU patch, you may see invalid Java classes after execution of the catbundle.sql script in the previous step. If this is the case, run utlrp.sql to re-validate these Java classes.cd $ORACLE_HOME/rdbms/admin sqlplus /nolog SQL> CONNECT / AS SYSDBA SQL> @utlrp.sql
  4. Check the log file for any errors. The log file is found in $ORACLE_BASE/cfgtoollogs/catbundle and is named catbundle_PSU_<database SID>_ROLLBACK_<TIMESTAMP>.log where TIMESTAMP is of the form YYYYMMMDD_HH_MM_SS. If there are errors, see Known Issues.
  5. Ensure that you verify the Oracle Inventory and compare the output with the one you ran in Validation of Oracle Inventory and re-apply any patches that were rolled back as part of this patch apply. To verify the inventory, run the following command:$ opatch lsinventory

All other instances can be started and accessed as usual while you are executing the deinstallation steps.

1.3 Known Issues

For issues documented after the release of this PSU, see My Oracle Support Document 2888730.1 Oracle Grid Infrastructure Patch Set Update 11.2.0.4.221018 Known Issues.

This section includes the following issues:
Issue 1

When Trace File Analyzer (TFA) is patched as part of a PSU, any rollback of the PSU will not roll back any patch applied to TFA. This is intended behavior, but if there are any issues with patching TFA itself, then manual steps will be required to recover.

If a PSU has been rolled back and due to some issue with patching TFA it has to be reinstalled, then you should:

  1. Remove TFA by executing the following command on each node as the root user:GIHOME/tfa/<nodename>/tfa_home/bin/uninstalltfa.sh -local
  2. Reinstall the previous TFA version by executing the following command on each node as the root user:GIHOME/crs/install/tfa_setup.sh -crshome <path to GIHOME> -silent

If a PSU is installed but not rolled back and there are issues with TFA, then contact Oracle Support to help resolve the TFA issues.Issue 2

After rolling back using opatch auto from the Oracle Grid infrastructure Patch Set Update 11.2.0.4.4, database and listener resources are going to be offline.

You should start the database and listener resources using the srvctl command.

When performing any further patching actions, databases and listeners may not be started up automatically for the home being patched on a node. Start up these explicitly by executing srvctl start database and srvctl start listener commands.Issue 3

When 11.2.0.4.160719 GIPSU is applied on top of 11.2.0.4.160419 GIPSU on platform Linux x86 32-bit, it results in a conflict error.

To workaround this issue, roll back 11.2.0.4.160419 GIPSU if it has been previously applied, and then apply 11.2.0.4.160719 GIPSU.

1.4 References

The following documents are references for this patch.

Document 1494646.1 Readme – Patch Installation and Deinstallation For 11.2.0.3.x GI PSU

Document 1494652.1 How to Mount or Unmount ACFS File System While Apply GI Patches?

Document 854428.1 Patch Set Updates for Oracle Products

Document 360870.1 Impact of Java SE Security Vulnerabilities on Oracle Database and Fusion Middleware Products

Document 468959.1 Enterprise Manager Grid Control 10.1 and 10.2 Known Issues

Document 1339140.1 FAQ: OPatch/Patch Questions/Issues for Oracle Clusterware (Grid Infrastructure or CRS) and RAC Environments

Document 2888730.1 Oracle Grid Infrastructure Patch Set Update 11.2.0.4.221018 Known Issues

1.5 Manual Steps for Apply/Rollback Patch

See My Oracle Support Document 1641136.1 for cases where opatch auto cannot be used.


数据运维技术 » Patch 34536853: GRID INFRASTRUCTURE PATCH SET UPDATE 11.2.0.4.221018 11g Linux 2022年10月最新补丁