What is "Oracle JavaVM Component Database PSU" ?
Oracle JavaVM Component Database PSU is released as part of the Critical Patch Update program from October 2014 onwards. It consists of two separate patches:
- One for JDBC clients - applicable to Client, Instant Client, Database and Grid ORACLE_HOMES.
This is referred to as "JDBC Patch" in the rest of this document.
- One for the Oracle JavaVM component within the Oracle Database - applicable to database ORACLE_HOMEs only.
This is referred to as "OJVM PSU" in the rest of this document.
As of January 2015 the "OJVM PSU" patches include all fixes from the "JDBC Patch".
OJVM PSU
OJVM PSU patches:
- include critical fixes for the Oracle JavaVM component within the Oracle Database
- are packaged separately from the Database PSU (or equivalent) as they cannot be installed in a RAC Rolling manner, nor in Standby First manner.
Keeping them separate allows customers to choose the most appropriate patching approach for each system.
- Oracle has also released "Combo" patches that bundle the OJVM PSU in the same ZIP file as DB PSU and/or GI PSU for ease of download. The OJVM component in these "Combo" patches is in a separate subdirectory with its own install steps still required. October 2014 "Combo" patches do not include the JDBC Patch.
- are applicable to all database installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)
- require the database home to be patched to at least October 2014 DB PSU (or equivalent)
- include binary changes to be applied to each Database ORACLE_HOME, and "post install" steps to be executed on each database running from the ORACLE_HOME
- from January 2015 onwards: include the JDBC fixes
What is the "Mitigation Patch" ?
For situations where the latest OJVM PSU cannot be installed immediately there is a "Mitigation Patch" that can be used. The "Mitigation Patch" is an interim solution to protect against all currently known (Jul 2015) Oracle JavaVM security vulnerabilities in the database until such time as the OJVM PSU can be installed. It can also be used to protect database versions no longer covered by error correction support.
The "Mitigation Patch":
- is applicable only to database homes, not client nor Grid homes
- is only applicable to databases that have JavaVM installed
- has no dependency on the DB PSU (or equivalent) level
- can be installed in a RAC Rolling manner
- is a SQL only patch that needs to be installed and activated in each database
- hence it can be installed standby first but it requires SQL steps to be executed to be effective, which cannot be done on a read only standby
- affects use of Java and Java development in the database
- has been reviewed for January 2015, April 2015, July 2015, October 2015 and January 2016 and provides mitigation against all currently known OJVM vulnerabilities
- can be downloaded here: Patch:19721304
JDBC Patch
The JDBC patches:
- include security fixes for JDBC
(Oct 2014 patches include fixes for CVE-2014-4289 and CVE-2014-6544 only)
- are available packaged separately from the OJVM PSU and Database PSU (or equivalent) for ease of deployment to client environments
- are applicable to Client, Instant Client and Grid ORACLE_HOMES
The JDBC fixes are also applicable to the Database home regardless of whether Oracle JavaVM is used in a database or not:
- For October 2014 the JDBC Patch should also be installed in the Database home
- For January 2015 the OJVM PSU includes the JDBC fixes and so the JDBC patch does not need to be installed in the Database home unless OJVM PSU is not being installed yet
- are applicable to all installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)
- have no dependency on OJVM PSU nor Database PSU (or equivalent) patch level
- can be installed in database server homes in a RAC Rolling manner
- do not require the database and listeners to be shutdown for patching in non-RAC environments
- do not require any post install steps be executed against individual databases
What Should I Do ?
Grid ORACLE_HOMEs
Grid homes should be patched with latest GI PSU (or equivalent) and the October 2014 JDBC patch.
OJVM PSU is not needed in the Grid home, only in the database home.
Database ORACLE_HOMEs
Oracle recommends applying the latest OJVM PSU patch to ALL databases that have Oracle JavaVM present in the database, regardless of whether you are explicitly using it or not. Even if Oracle JavaVM is not present in the database it is best practice to install the OJVM PSU in case a new database is created in the ORACLE_HOME.
Run the following select in each database to check if it has Oracle JavaVM present (most databases will have JavaVM):
SELECT version, status FROM dba_registry WHERE comp_id='JAVAVM';
- If "STATUS" is "VALID" then it is recommended to install OJVM PSU for this database.
- If no rows are returned OR "STATUS" is "REMOVED" then Oracle JavaVM is not present in the database. Although this database does not have JavaVM present it is still considered best practice to install OJVM PSU to protect any database subsequently created in the ORACLE_HOME. Make a note of databases with no JavaVM present as: (a) you do not need to run OJVM PSU post install steps on this database and (b) DB PSU post install steps may report PLS-201 errors which can be ignored.
- If "STATUS" is any other value there may be issues with the JavaVM install in the database. It is recommended to correct any issues with the JavaVM and then install OJVM PSU.
(If you do not want to apply DB PSU (or equivalent) at this time you can use option 3)
1. If you can schedule an immediate outage:
   - Install the latest OJVM PSU patch at the same time as the Database PSU (or equivalent).
   - For October 2014 only: install the JDBC Patch at the same time as OJVM PSU and DB PSU
2. If you cannot schedule an immediate outage and are running an Exadata or RAC database:
   - Install the Database PSU (or equivalent), the JDBC Patch and the "Mitigation Patch" - these can be applied in a RAC rolling manner.
   - At some future time, when you can schedule an outage, install the latest OJVM PSU patch.
   - You might also use this approach to minimize the full outage duration as it is only OJVM PSU that requires a full outage.
3. For other scenarios, such as using a database version that has no OJVM PSU available, or if you do not wish to install the latest Database PSU (or equivalent) at this time:
   - Install and activate the "Mitigation Patch" - this has no pre-requisites and patching can typically be performed with the database open.
   - At some future time take actions to get the system to the latest recommended patch levels.
Questions and Answers
- Why should I install the patch if I do not use Oracle JavaVM ?
- Databases include the Oracle JavaVM by default and so may be exposed to security vulnerabilities that are addressed by the latest patch.
- Can I just uninstall Oracle JavaVM instead ?
- The Oracle JavaVM is used by several database options and features and so should not be removed.
For example, Oracle JavaVM is used by XDK, CDC, Spatial, InterMedia etc.
- Do I need to take any action if my database was created in a non-standard manner and does not have Oracle JavaVM installed ?
- If the database has been created without JavaVM then OJVM PSU is not applicable to that database. However, be aware that if a new database is created with JavaVM in an unpatched ORACLE_HOME that new database will not be protected. The preferred option is to install OJVM PSU but omit the OJVM PSU post install steps for the specific database/s that do not have JavaVM. If you do run the OJVM PSU post install steps PLS-201 errors will be reported - these errors can be safely ignored.
- Can I use any OJVM PSU patch with any DB PSU patch ?
- The database must be patched to at least October 2014 DB PSU (or equivalent SPU or Database Patch for Exadata) before an OJVM PSU patch can be applied.
- On Windows platforms OJVM PSU patches have additional dependencies - see OJVM PSU information in Document:161549.1
- Which database versions are OJVM PSU patches available for ?
- OJVM PSU patches are released as part of the Critical Patch Update program and are only available for database versions covered by error correction support. As of January 2015 patches have been released for the following database versions:
- 11.1.0.7
- 11.2.0.3
- 11.2.0.4
- 12.1.0.1
- 12.1.0.2
- Latest patch numbers and availability can be found in Document:756671.1 "Oracle Recommended Patches -- Oracle Database", or by following links in the latest Critical Patch Update under Document:467881.1.
- For other database versions you can use the "Mitigation Patch".
- On Windows platforms the latest bundle reports conflicts with a previously installed OJVM patch
- It is normal and expected for the latest bundle to report conflicts with a previously installed OJVM patch. Each Windows bundle patch has a corresponding OJVM patch. The standard procedure to apply the bundle and OJVM patch in a Windows environment is:
- Rollback the old OJVM patch
- Apply the latest bundle patch
- Apply the latest OJVM patch
- Do I need to patch database client installs with OJVM PSU ?
- The OJVM PSU patch is not applicable for client installs
- The JDBC Patch is applicable to client installs
- Do I need to patch Java clients ?
- For Java clients see the latest Critical Patch Update availability information for "Oracle Java SE"
- eg: For October 2014 Java SE patch availability information see Document:1931846.1
- Java clients using JDBC should also be patched with the JDBC Patch. If the ojdbc*jar files used by the client were originally copied from an ORACLE_HOME install then it is advisable to update those ojdbc*jar files after the JDBC Patch has been applied.
- Do I need to remove the mitigation patch when I install the OJVM PSU patch ?
- You do not need to rollback the mitigation patch, but you must execute "dbms_java_dev.enable" before applying the OJVM PSU patch.
- With the mitigation patch left in place you can still use "dbms_java_dev.disable" if required.
- Why does this document mention using STARTUP UPGRADE for OJVM PSU post install steps when the README does not?
- ORA-7445 errors may be reported if anything in the database tries to use the JavaVM after OJVM PSU has been applied but before OJVM PSU post install steps have executed. This can affect databases using Change Data Capture (CDC), or databases with job/s that use JavaVM directly or indirectly etc. This document suggests using STARTUP UPGRADE for the OJVM PSU post install steps as that mode disables system triggers and jobs and so reduces the chance of something trying to use the JavaVM before the post install steps have completed. It is not mandatory to use UPGRADE mode, and in many cases it is not required. If you do hit ORA-7445 errors on a normal (or restricted) startup after applying OJVM PSU then using UPGRADE mode just for the OJVM PSU post install steps should allow you to proceed.
- From April 2015 onwards OJVM PSU README now indicates to use STARTUP UPGRADE
- In RAC environments the cluster_database parameter should be set to FALSE in order to STARTUP UPGRADE
- Is there a problem if I ran DB PSU post install steps before OJVM PSU steps ?
- It is valid to run DB PSU post install steps before OJVM PSU steps but this will result in additional invalidations / recompilations and may extend the period of time taken to complete the steps. Be sure to check the post install logs just in case there was some unexpected error.
- How often are OJVM PSU patches released ?
- Patches will be released as required at the same time as other Critical Patch Update patches.
- Will future OJVM PSU be RAC Rolling installable ?
- Future OJVM PSU on versions up to and including 12.1.0.2 are unlikely to be RAC Rolling installable
- Does OJVM PSU include non security fixes ?
- OJVM PSU may include some high impact non-security OJVM fixes
- How can I tell if the mitigation patch is installed and enabled ?
- The mitigation patch creates a view called "JAVA_DEV_STATUS"
- If the view is missing the mitigation patch is not installed
- If view is present then selecting from the view should return a single row with column JAVA_DEV_ENABLED showing YES or NO to indicate if Java development is currently enabled (YES) or disabled (NO).
- Why are there 2 entries for "jvmpsu.sql" in DBA_REGISTRY_HISTORY after applying DB PSU (or equivalent) and OJVM PSU ?
- Depending on the exact patching order used DB PSU post install steps may also run the jvmpsu.sql script - this is normal and expected.
- You should always run complete post install steps as documented regardless of content of DBA_REGISTRY_HISTORY.
- Why do I get ORA-942 errors from DBMS_JAVA_DEV ?
- This can occur if the database does not have a valid JavaVM installed.
eg:
ORA-00942: table or view does not exist
ORA-06512: at "SYS.DBMS_JAVA_DEV", line 54
ORA-06512: at line 1
- If you get such errors then check if the database has JavaVM installed (see earlier) - if not then no post install steps are required and the error can be ignored.
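The two checks described above (the DBA_REGISTRY query for JavaVM and the JAVA_DEV_STATUS view for the Mitigation Patch) can be combined into one SQL*Plus block that also handles the missing-view case. This is an added example, not part of the original note or of Oracle's patch scripts; it assumes a session that can read DBA_REGISTRY and DBA_VIEWS, and the variable names are illustrative.

```sql
-- Added example (not Oracle's script). Run in SQL*Plus in each database.
SET SERVEROUTPUT ON
DECLARE
  v_version dba_registry.version%TYPE;
  v_status  dba_registry.status%TYPE;
  v_owner   dba_views.owner%TYPE;
  v_enabled VARCHAR2(10);
BEGIN
  -- 1. JavaVM presence: same predicate as the SELECT shown in this document.
  BEGIN
    SELECT version, status INTO v_version, v_status
      FROM dba_registry WHERE comp_id = 'JAVAVM';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_status := NULL;  -- no row: JavaVM not present
  END;

  IF v_status IS NULL OR v_status = 'REMOVED' THEN
    DBMS_OUTPUT.PUT_LINE('JavaVM: not present. Patch the ORACLE_HOME; OJVM PSU '
      || 'post install steps are not needed here (PLS-201 can be ignored).');
  ELSIF v_status = 'VALID' THEN
    DBMS_OUTPUT.PUT_LINE('JavaVM: VALID, version ' || v_version
      || '. Install OJVM PSU and run its post install steps.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('JavaVM: ' || v_status
      || '. Correct the JavaVM install, then install OJVM PSU.');
  END IF;

  -- 2. Mitigation Patch: the view does not exist when the patch is not
  --    installed, so find it in the dictionary and query it dynamically.
  BEGIN
    SELECT owner INTO v_owner FROM dba_views
     WHERE view_name = 'JAVA_DEV_STATUS' AND ROWNUM = 1;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_owner := NULL;
  END;

  IF v_owner IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('Mitigation Patch: not installed (JAVA_DEV_STATUS missing).');
  ELSE
    EXECUTE IMMEDIATE 'SELECT java_dev_enabled FROM '
      || DBMS_ASSERT.ENQUOTE_NAME(v_owner) || '.JAVA_DEV_STATUS'
      INTO v_enabled;
    DBMS_OUTPUT.PUT_LINE('Mitigation Patch: installed, JAVA_DEV_ENABLED = ' || v_enabled);
  END IF;
END;
/
```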
Hello Bobby,
Thanks for posting this nice article, I have a question. What if I have the current DB PSU applied and I don't apply the latest OJVM patch and leave the OJVM the old one?
Database does not have JAVAVM installed.
$ORACLE_HOME/OPatch/opatch lspatches
28204707;Database Patch Set Update : 11.2.0.4.181016 (28204707)
19282021;DATABASE PSU 11.2.0.4.1, ORACLE JAVAVM COMPONENT (OCT2014)
COMP_NAME COMP_ID STATUS
---------------------------------------- -------------------- --------------------
Oracle Database Catalog Views CATALOG VALID
Oracle Database Packages and Types CATPROC VALID
ACTION_TIME ACTION NAMESPACE VERSION ID COMMENTS BUNDLE_SER
------------------------------ -------------------- --------------- ---------- ---------- ---------------------------------------- ----------
20-NOV-14 02.34.29.248166 PM APPLY SERVER 11.2.0.4 0 Patchset 11.2.0.2.0 PSU
16-DEC-18 06.38.13.801764 AM APPLY SERVER 11.2.0.4 181016 PSU 11.2.0.4.181016 PSU
Thanks
Saurabh
Hello Bobby,
I want to thank you for your clear explanation!! It helped me a lot
thank you!
Rosi