This document discusses Oracle database security updates and patching. It begins by addressing common questions and concerns about patching, such as whether patching is needed if behind a firewall, how often to apply proactive bugfixes, and potential issues like downtime and breakage. It then covers the different types of proactive patches, how to apply them to reduce downtime, and resources for further information. The conclusion emphasizes the importance of reading the patch README for installation instructions and details.
4. About me
• More than a third of my life with Oracle tech
• OCE, OCP, OCM
• Co-founder of DBA Competence Center Ltd.
• Trainer at Oracle University
• Speaker at LVOUG, UKOUG, Harmony and other technology seminars
5. Sort of Agenda
• Few existential questions
• Some motivational stuff
• Bits of technical information
7. ???
• My databases are behind a firewall, do I need security patches?
• Should I apply proactive bugfixes?
• How often?
• Do I need downtime? How long?
• What if I break something?
• There are so many recommended patches! Which one is right for me?
• If it works, do not fix it!
• Patching implies downtime
• Patch will break my DB, execution plans, everything
• Patch will introduce new errors or new features
• I need to test the patch
• Patching is extra work!
12. Patch is Like a Vaccine
• If you skip common sense, here are other reasons to apply patches:
– Security standard recommendations (PCI/DSS, Oracle Support Compliance, internal rules, etc.)
– Oracle Support will «blame» you when you hit «that bug» while being unpatched
– Finally, it justifies your position as a DBA in a world of «self managing databases» :)
– Proactive patches are already tested and evaluated by Oracle development
17. What's New?
• Critical Security patches (CPU/SPU, pre-12c) contain only security fixes
• PSU/RU/RUR contain security fixes plus bugfixes
• RU (Update) vs RUR (Revision) – 12.2+
– Release Updates are like PSUs
– Revisions contain previous RU plus additional fixes
18. How To Apply
• Read the README!!!
• OPatch utility – Patch: 6880880 (get the latest one for your version)
• BP, Combo or System patch –
# opatchauto
• RU, RUR, CPU/SPU/PSU –
$ opatch apply
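Pre-flight checks that fit the steps on this slide, as an added example that is not part of the original slides: it confirms the installed OPatch meets the minimum version stated in the patch README and runs the conflict check before `opatch apply`. The script name `preflight.sh`, the function names and the two arguments are assumptions made for illustration; the real minimum version and patch directory come from the README of the patch being applied.

```sh
#!/bin/sh
# Added example: pre-flight checks to run before "opatch apply".
# The minimum OPatch version and the patch directory are inputs the operator
# takes from the patch README; nothing here is specific to one patch.

# version_ge A B: succeed when dotted version A >= B, comparing field by
# field as integers (a plain string compare would rank ".9" above ".17").
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

# Read "opatch version" output on stdin and print just the version number.
parse_opatch_version() {
    sed -n 's/^OPatch Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# preflight PATCH_DIR MIN_OPATCH: stop early if the home is not ready.
preflight() {
    patch_dir=$1; min_opatch=$2
    [ -n "${ORACLE_HOME:-}" ] || { echo "ORACLE_HOME is not set" >&2; return 1; }
    opatch="$ORACLE_HOME/OPatch/opatch"
    have=$("$opatch" version | parse_opatch_version)
    [ -n "$have" ] || { echo "cannot read OPatch version" >&2; return 1; }
    if ! version_ge "$have" "$min_opatch"; then
        echo "OPatch $have < $min_opatch: install patch 6880880 first" >&2
        return 1
    fi
    # Conflict check against patches already in the home, run from the
    # unzipped patch directory.
    ( cd "$patch_dir" && "$opatch" prereq CheckConflictAgainstOHWithDetail -ph ./ ) || return 1
    "$opatch" lspatches    # record the pre-patch inventory for the change log
}

# Run only when called as: preflight.sh <unzipped_patch_dir> <min_opatch_version>
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```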
19. How to Reduce Downtime
• RAC rolling installable
• DG Standby First installable
• Online (hot) patching
• Fiddling with software provisioning
20. • Rolling Patch - OPatch Support for RAC (Doc ID 244241.1)
• Oracle Patch Assurance - Data Guard Standby-First Patch Apply (Doc ID 1265700.1)
• How To Setup a Rapid Home Provisioning (RHP) Server and Client (Doc ID 2097026.1)
• Minimal downtime patching via cloning 12c ORACLE_HOME directories with OPlan (Doc ID 2087150.1)
21. What about OJVM Patch?
• It is recommended, and «almost» mandatory
• Yes, even if you do not use JVM in your database!
• Not RAC Rolling (?) nor DG Standby-First installable, hence implies outage
• Depending on your JVM usage downtime can be mitigated:
– Mitigation Patch, or
– Perform postinstall with «open normal» database
23. • Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU and Update" (OJVM PSU and OJVM Update) Patches (Doc ID 1929745.1)
• RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU" (OJVM PSU/RU) Patches (Doc ID 2217053.1)
24. «Installed but Disabled» Mode
• No fixes that change execution plan were included in PSUs… until…
• Fixes to the execution plan are included starting with 12.1.0.2 Apr18 DB BP
• Such fixes will be DISABLED by default
• New Feature: Automatic Fix Control Persistence
• New DBMS_OPTIM_BUNDLE package
25. Further Reading
• README of individual patch!
• Oracle Patch advisory
https://www.oracle.com/technetwork/topics/security/alerts-086861.html
• OPatch User's Guide and OPatch FAQ (Doc ID 1486109.1)
• Release Update Introduction and FAQ (Doc ID 2285040.1)
• Automatic Fix Control Persistence (FCP) for Database Proactive Bundle Patch (Doc ID 2147007.1) (12.2+)
• Patch Set Updates for Oracle Products (Doc ID 854428.1) (up to 12.1)
A little about me...
To begin with, I would like to get to know the audience a little: how many of you are DBAs, and how many are people who make a DBA's life difficult? For example, power users, or people from the security department, or managers who set development directions or business requirements.