java psu_Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU" (OJVM PSU) Patches (文档...

From: https://support.oracle.com

What is "Oracle JavaVM Component Database PSU" ?

Oracle JavaVM Component Database PSU is released as part of the Critical Patch Update program from October 2014 onwards.

It consists of two separate patches:

One for JDBC clients - applicable to Client, Instant Client, Database and Grid ORACLE_HOMES.

This is referred to as "JDBC Patch" in the rest of this document.

One for the Oracle JavaVM component within the Oracle Database - applicable to database ORACLE_HOMEs only.

This is referred to as "OJVM PSU" in the rest of this document.

As of January 2015 the "OJVM PSU" patches include all fixes from the "JDBC Patch".

For situations where the latest OJVM PSU cannot be installed immediately there is a "Mitigation Patch" that can be used.

OJVM PSU

OJVM PSU patches:

include critical fixes for the Oracle JavaVM component within the Oracle Database

are packaged separately from the Database PSU (or equivalent) as they cannot be installed in a RAC Rolling manner, nor in Standby First manner.

Keeping them separate allows customers to choose the most appropriate patching approach for each system

Oracle has also released "Combo" patches that bundle the OJVM

PSU in the same ZIP file as DB PSU and/or GI PSU for ease of download.

The OJVM component in these "Combo" patches is in a separate

subdirectory with its own install steps still required. October 2014 "Combo" patches do not include the JDBC Patch.

are applicable to all database installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)

require the database home to be patched to at least October 2014 DB PSU (or equivalent)

include binary changes to be applied to each Database ORACLE_HOME,

and "post install" steps to be execute on each database running from the

ORACLE_HOME

from January 2015 onwards: include the JDBC fixes

For situations where the latest OJVM PSU cannot be installed

immediately there is a "Mitigation Patch" that can be used as describe

below.

What is the "Mitigation Patch" ?

For situations where the latest OJVM PSU cannot be installed immediately there is a "Mitigation Patch" that can be used. The "Mitigation Patch" is an interim solution to protect against all currently known (Jul 2015) Oracle JavaVM security vulnerabilities in the database until such time as the OJVM PSU can be installed. It can also be used to protect database versions no longer covered by error correction support.

The "Mitigation Patch":

is applicable only to database homes, not client nor Grid homes

is only applicable to databases that have JavaVM installed

has no dependency on the DB PSU (or equivalent) level

can be installed in a RAC Rolling manner

is a SQL only patch that needs to be installed and activated in each database

hence it can be installed standby first but it

requires SQL steps to be executed to be effective, which cannot be done

on a read only standby

affects use of Java and Java development in the database

has been reviewed for January 2015, April 2015, July

2015, October 2015, January 2016, April 2016 and July 2016 and provides

mitigation against all currently known OJVM vulnerabilities

can be downloaded here: Patch:19721304

Read the "Using the Mitigation Patch" section later in this document to understand the impact of this patch.

JDBC Patch

The JDBC patches:

include security fixes for JDBC

(Oct 2014 patches include fixes for CVE-2014-4289 and CVE-2014-6544 only)

are available packaged separately from the OJVM PSU and Database PSU (or equivalent) for ease of deployment to client environments

are applicable to Client, Instant Client and Grid ORACLE_HOMES The

JDBC fixes are also applicable to the Database home regardless of

whether Oracle JavaVM is used in a database or not:

For October 2014 the JDBC Patch should also be installed in the Database home

For January 2015 the OJVM PSU includes the JDBC fixes and so the

JDBC patch does not need to be installed in the Database home unless

OJVM PSU is not being installed yet

The JDBC Generic patches have been provided as a separate one-off

from July 2016 so that all customers can install that without issue.

are applicable to all installations regardless of which patching model is used (DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)

have no dependency on OJVM PSU nor Database PSU (or equivalent) patch level

can be installed in database server homes in a RAC Rolling manner

do not require the database and listeners to be shutdown for patching in non-RAC environments

do not require any post install steps be executed against individual databases

Latest JDBC patch availability information can be found in Document:756671.1 "Oracle Recommended Patches -- Oracle Database".