Understanding the Oracle Critical Patch Update

What is an Oracle Critical Patch Update?

The Critical Patch Update (CPU below) is the product security update programme that Oracle introduced in 2005. In general a CPU contains a set of security bug fixes for Oracle products. The CPU first took shape in 2005, and the programme aims to give customers, on a regular cycle, cumulative patches that fix security vulnerabilities.

CPU patches are normally released on the 15th of the first month of each quarter, and are named by release date:

  • January: CPU JAN
  • April: CPU APR
  • July: CPU JUL
  • October: CPU OCT

There are three types of CPU patch:

  • Normal CPU: all CPUs for releases up to and including 10.2.0.2 are Normal CPUs
  • Molecular CPU: "molecular" as in molecule; from 10.2.0.3 onward all CPU patches are released in the Molecular format. The difference between the Normal and Molecular formats is described below
  • CPU Bundle Patch: on Windows the Oracle binary cannot be updated by replacing shared library files and relinking, so for Windows Oracle releases a CPU Bundle Patch that differs from the Normal/Molecular CPUs used on Unix (which is also why a Bundle Patch is considerably larger). Windows bundle patches are normally released every quarter

Next, two examples illustrate the difference between a Normal CPU and a Molecular CPU. On Linux x86, CPUJAN2009 for 9.2.0.8 has patch number 7592365. With that number we can download the zipped patch from My Oracle Support; after unzipping it we find that the directory structure of this CPU resembles that of a one-off patch:

$cd 7592365
$ls
/etc     /files       readme

As noted above, CPU patches from 10.2.0.3 onward are released in the Molecular format. Taking CPUAPR2009 for 10.2.0.4 on Linux x86 as the Molecular example: after downloading and unzipping it we find that the patch directory contains a number of subdirectories named by patch number. That is what the "molecular" metaphor refers to; you can simply think of it as a bundle wrapped around a set of loose security patches:

$cd 8290506
$ls
7155248  7155251  7155254  7375613  7609058  8309592  8309637  cpu_root.sh
7155249  7155252  7197583  7375617  8290506  8309623  8309639  patchmd.xml
7155250  7155253  7375611  7609057  8309587  8309632  8309642  README.html

Each of the numbers above is a molecule, i.e. a molecule patch.
Note: a single molecule may contain several small fixes!

Normal and Molecular CPUs also differ in the kinds of fixes they contain. A Normal CPU is also called a Classic CPU; unlike a Molecular CPU, it contains not only security fixes but may also, for a specific product, product version and platform, contain non-security fixes.

The Molecular CPU (sometimes called the New format CPU on MOS) changed this practice from 10.2.0.3 onward: a Molecular CPU contains only security bug fixes. This is one of the main differences today between the CPU and the other patch update stream, the Patch Set Update (PSU), whose format resembles a Normal CPU: the CPU is dedicated to fixing security vulnerabilities, while a PSU usually includes the CPU ("INCLUDES CPU").

The first CPU released in Molecular form was CPUJUL2007 (DB-10.2.0.3-MOLECULE-013-CPUAPR2007).

In addition, according to Oracle's product lifetime policy, CPU releases follow several principles:

  1. CPUs are released only for the latest patch set.
  2. A grace period applies to the previous patch set, during which CPUs continue to be released for the older patch set. The grace period is described in detail in the MOS note <Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy [ID 209768.1]>; in practice the maintenance windows of other Oracle products such as Fusion Middleware and Applications are affected by the same grace period. The Database part of the appendix is excerpted below:
Grace Period: up to 1 year, minimum 3 months.
You have up to one year from the release of a patch set on the first platform (currently Linux x86) to plan for
and install the new patch set. During that year we will create new bug fixes for the previous patch set.
This grace period is effective with the release of 10.2.0.4.
For example, 10.2.0.4 was released first on Linux x86. The release date was 22 February 2008.
Until 22 February 2009 we will create new fixes for both 10.2.0.3 and 10.2.0.4.
After that date new fixes for 10.2.0.3 will cease on all platforms and we will only create new fixes for 10.2.0.4.
Grace period for current patch sets can be found on Metalink in Note 742060.1

Exceptions:
3 Month minimum grace period: Since the release of a patch set on different platforms happens over time,
not all platforms will be supported for error correction for the full year. Because of this,
we will always support the previous patch set for error correction for at least 3 months.
For example, if the initial release of patchset A.x.y.z is on January 1st on Linux x86 and the same patch set
is released on Univac on November 1, Oracle will still provide new patches on Univac A.x.y.z-1 until
the end of January of the next year. Outside of the specific exceptions listed below,
CPUs will NOT be provided beyond the initial 12-month grace period.

Bundle patches for Windows: Oracle releases patches for Windows via periodic patch bundles instead of
interim patches. Patch bundles are released periodically (at least quarterly), and include the security fixes
from that quarter’s Critical Patch Update.

For example, when CPUJAN2009 for 10gR2 was released there were versions for both 10.2.0.3 and 10.2.0.4, because 10.2.0.3 was still within its grace period; by CPUAPR2009, three months later, the grace period for 10.2.0.3 had expired, so the 10gR2 CPUAPR2009 was released only for 10.2.0.4.
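
To make the grace-period rule concrete, here is a small Python example (added here; it is not from the original post or from Oracle) that computes, from a patch set's release dates, the date until which the previous patch set still receives fixes and which quarterly CPUs still ship a version for it. It assumes the one-year and three-month figures quoted above and the 15th-of-the-month CPU release dates stated earlier; the year 2008 used for the Univac example is a constructed assumption, since the policy text gives only the month and day.

```python
from datetime import date
import calendar


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def add_months(d, months):
    """Add calendar months to d, clamping the day to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def error_correction_end(first_platform_release, this_platform_release=None):
    """Date until which the *previous* patch set still gets new fixes (CPUs included)
    on a given platform, per the policy quoted above: one year from the new patch
    set's release on the first platform, but never less than three months from its
    release on this platform. The policy says 'up to' one year; the examples in the
    policy use the full year, and so does this function."""
    first = _as_date(first_platform_release)
    here = _as_date(this_platform_release) if this_platform_release else first
    return max(add_months(first, 12), add_months(here, 3))


def cpu_tag(d):
    """Name a CPU release date in Oracle's CPUMONYYYY style, e.g. CPUJAN2009."""
    return "CPU%s%d" % (calendar.month_abbr[d.month].upper(), d.year)


def cpus_covering_previous_patchset(first_platform_release, this_platform_release=None):
    """CPUs released after the new patch set that still ship a version for the
    previous patch set. CPUs come out on the 15th of January, April, July and
    October (as stated on this page)."""
    first = _as_date(first_platform_release)
    end = error_correction_end(first, this_platform_release)
    tags = []
    for year in range(first.year, end.year + 1):
        for month in (1, 4, 7, 10):
            release = date(year, month, 15)
            if first < release <= end:
                tags.append(cpu_tag(release))
    return tags


if __name__ == "__main__":
    # 10.2.0.4 shipped first on Linux x86 on 22 February 2008 (date from the policy text).
    print("10.2.0.3 fixes end:", error_correction_end("2008-02-22"))
    print("CPUs still built for 10.2.0.3:", cpus_covering_previous_patchset("2008-02-22"))
    # Univac example: first platform 1 January, Univac 1 November (year 2008 assumed).
    print("Univac A.x.y.z-1 fixes end:", error_correction_end("2008-01-01", "2008-11-01"))
```

Running it reproduces the post's reasoning: CPUJAN2009 is the last CPU inside the 10.2.0.3 grace window and CPUAPR2009 falls outside it, while the three-month minimum pushes the Univac date to 1 February of the following year, which the policy text describes as "the end of January".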

On Unix platforms before 10.2.0.3 (that is, 9iR2, 10gR1 and 10.2.0.2) CPUs were released in the Normal format, so a user applying a CPU had to apply either nothing or the whole CPU, which greatly increased the probability of a patch conflict. Under the support process of the time, if a user found within 4 weeks of a CPU's release that it conflicted with an existing patch, they could open a Service Request and Oracle Development would build a superset merge version of the CPU; a user who filed the SR after 4 weeks was told to wait for the next CPU. Once Oracle accepted the request for a merged CPU it would deliver the merged CPU within the following 2 weeks (that is, by the sixth week after the CPU release). CPUJAN2009 was released on 15 January 2009. Suppose I work for a company with very strict database security requirements and want to apply CPUJAN2009 to improve the security of our databases. If I discovered on 15 January that CPUJAN2009 conflicted with an existing patch and reported the conflict to Oracle through MOS, Oracle would in theory provide the superset merge patch by 28 February 2009; if I only discovered the conflict on 15 February, I would have to wait for the next CPU, in this scenario 15 April, two months later.

The atomicity requirement of a Normal CPU created considerable work for both users and Oracle Support, and the Molecular CPU was introduced to ease this tension.

Molecular CPUs, released from 10.2.0.3 onward, do not have the strong atomicity requirement of the Normal CPU when applied: we can install a subset of the security fixes in a Molecular CPU and skip those that conflict. Moreover, because of the Molecular CPU's format, a patch conflict can only occur on a specific molecule, not on the whole patch bundle. For the conflicting molecules (which are ordinarily plain one-off patches), the user can request a merge patch from Oracle Support at any time, removing the inconvenience caused by Normal CPUs. As stated above, Molecular CPUs are released only for the latest patch set or for patch sets still within their grace period.

In theory, when applying a new Molecular CPU, opatch will not report that the whole patch conflicts, as it would for a Normal CPU; instead the conflict is confined to individual molecules. In that case the user can skip the conflicting molecules, install the remaining conflict-free security fixes, and request a merge of the installed one-off patch with the conflicting molecule. One-off patch merges are a routine Oracle Support service, so there is no need to worry about not getting a merge patch, provided of course that the patch set is the latest one or still within its grace period; if we requested a patch merge on 10.2.0.3 today, for instance, Oracle Support would very likely decline and ask us to upgrade.

We also need to remember that CPU patches are always cumulative, which is exactly where they differ from PSUs (Patch Set Updates)! A new PSU may not contain the content of earlier PSUs, whereas a CPU always includes all previous CPU content. For example, 10.2.0.4.5 (PSU5 on 10.2.0.4) does not contain all the fixes in 10.2.0.4.4 (PSU4), so PSU5 must be installed on top of PSU4 ("Patch Set Update PSU 10.2.0.4.5 is an overlay PSU whose base PSU is 10.2.0.4.4. This patch can only be applied in an Oracle home for which PSU 10.2.0.4.4 has already been installed"); CPUAPR2011 for 10.2.0.4, on the other hand, includes CPUJAN2011 and everything before it.

Because Classic and Molecular CPUs differ in format, the steps for applying them also differ. A Normal CPU rolls back all earlier CPUs before applying itself so that it can be installed. A Molecular CPU is less heavy-handed: it only needs to apply the new molecules it contains, so if an older CPU was installed earlier, that older CPU is left untouched.

CPU content is also included in subsequent Patch Sets and Patch Set Updates (PSU) ("CPU molecules in PSU"). Note that for a terminal patch set such as 9.2.0.8 Oracle releases no further Patch Sets or PSUs; 10.2.0.5 is the terminal release of 10g and will have no further Patch Sets, but PSUs that include the CPU will still be released.

Many people ask whether CPU patches must be installed. There is in fact no mandatory requirement to install CPUs; Oracle only strongly recommends applying them to reduce potential security risk and lower the chance of a successful intrusion.

Installing a CPU is not very different from installing an ordinary one-off patch or PSU: it uses the well-known opatch tool. A Normal CPU has a strong atomicity requirement, so a partial installation of a Normal CPU is impossible. The Molecular CPU introduced with 10.2.0.3 has no such restriction: a Molecular CPU always consists of a certain number of molecules, and note that each molecule may in turn contain one or more small fixes. Although, absent patch conflicts, we may choose to install only a subset of the molecules in a CPU, Oracle strongly recommends installing the whole CPU wherever possible.

A Normal CPU is installed with the same simple "opatch apply" command used for a one-off patch. Installing a Molecular CPU is somewhat more involved, and the command depends on what is needed:

1. Install all molecules in the CPU

$./opatch napply <patch_location> -skip_subset -skip_duplicate

-skip_subset skips patches that are subsets of patches already installed (subset patches -- patches under <patch_location> that are subsets of patches installed in the ORACLE_HOME)

-skip_duplicate skips molecules that are already installed (provides the additional benefit of detecting when a molecule patch has already been applied, as in the case of a previous CPU, and to skip application of it. This reduces the length of time required to do the n-apply CPU installation and minimizes the overall change to the Oracle home)

2. Install some of the molecules in the CPU

$ ./opatch napply 8290506 -id 7155248,7155249,7155250 -skip_subset -skip_duplicate

This applies patches 7155248, 7155249 and 7155250:

Invoking OPatch 11.2.0.1.3
Oracle Interim Patch Installer version 11.2.0.1.3
Copyright (c) 2010, Oracle Corporation.  All rights reserved.
UTIL session
Oracle Home       : /s01/db_1
Central Inventory : /s01/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.3
OUI version       : 10.2.0.4.0
OUI location      : /s01/db_1/oui
Log file location : /s01/db_1/cfgtoollogs/opatch/opatch2011-06-02_22-37-02PM.log

Patch history file: /s01/db_1/cfgtoollogs/opatch/opatch_history.txt

Invoking utility "napply"
Checking conflict among patches...
Checking if Oracle Home has components required by patches...
Checking skip_duplicate
Checking skip_subset
Checking conflicts against Oracle Home...
OPatch continues with these patches:   7155250  7155249  7155248  

Do you want to proceed? [y|n]
y
User Responded with: Y

Running prerequisite checks...

OPatch detected non-cluster Oracle Home from the inventory and will patch the local system only.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/s01/db_1')

Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files affected by the patch 'NApply' for restore. This might take a while...

Applying patch 7155250...

ApplySession applying interim patch '7155250' to OH '/s01/db_1'
Backing up files affected by the patch '7155250' for rollback. This might take a while...

Patching component oracle.rdbms, 10.2.0.4.0...
Updating archive file "/s01/db_1/lib/libserver10.a"  with "lib/libserver10.a/kupp.o"
Copying file to "/s01/db_1/rdbms/admin/prvtbpp.plb"
ApplySession adding interim patch '7155250' to inventory

Verifying the update...
Inventory check OK: Patch ID 7155250 is registered in Oracle Home inventory with proper meta-data.
Files check OK: Files from Patch ID 7155250 are present in Oracle Home.

Applying patch 7155249...

ApplySession applying interim patch '7155249' to OH '/s01/db_1'
Backing up files affected by the patch '7155249' for rollback. This might take a while...

Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/admin/prvtdefr.plb"
ApplySession adding interim patch '7155249' to inventory

Verifying the update...
Inventory check OK: Patch ID 7155249 is registered in Oracle Home inventory with proper meta-data.
Files check OK: Files from Patch ID 7155249 are present in Oracle Home.

Applying patch 7155248...

ApplySession applying interim patch '7155248' to OH '/s01/db_1'
Backing up files affected by the patch '7155248' for rollback. This might take a while...

Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/lib/env_rdbms.mk"
ApplySession adding interim patch '7155248' to inventory

Verifying the update...
Inventory check OK: Patch ID 7155248 is registered in Oracle Home inventory with proper meta-data.
Files check OK: Files from Patch ID 7155248 are present in Oracle Home.
Running make for target ioracle
Running make for target iextjob
Running make for target iextjobo
The local system has been patched and can be restarted.
UtilSession: N-Apply done.
OPatch succeeded.

We can also use the opatch lsinventory -bugs_fixed command to list the installed CPUs/PSUs:

$ ./opatch lsinventory -bugs_fixed

List of Bugs fixed by Installed Patches:
Bug        Fixed by  Installed at                   Description
            Patch
---        --------  ------------                   -----------
8309642    8309642   Thu Jun 02 22:54:51 CST 2011   DB-10.2.0.4-MOLECULE-018-CPUAPR2009
8309639    8309639   Thu Jun 02 22:54:48 CST 2011   DB-10.2.0.4-MOLECULE-019-CPUAPR2009
8309637    8309637   Thu Jun 02 22:54:45 CST 2011   DB-10.2.0.4-MOLECULE-020-CPUAPR2009
8309632    8309632   Thu Jun 02 22:54:42 CST 2011   DB-10.2.0.4-MOLECULE-017-CPUAPR2009
8309623    8309623   Thu Jun 02 22:54:39 CST 2011   DB-10.2.0.4-MOLECULE-016-CPUAPR2009
8309592    8309592   Thu Jun 02 22:54:35 CST 2011   DB-10.2.0.4-MOLECULE-015-CPUAPR2009
8309587    8309587   Thu Jun 02 22:54:30 CST 2011   DB-10.2.0.4-MOLECULE-014-CPUAPR2009
7150470    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUJUL2008
7375644    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUOCT2008
7592346    8290506   Thu Jun 02 22:54:26 CST 2011   CPUJAN2009 DATABASE 10.2.0.4
8290506    8290506   Thu Jun 02 22:54:26 CST 2011   CPUAPR2009 DATABASE 10.2.0.4
7609058    7609058   Thu Jun 02 22:54:21 CST 2011   DB-10.2.0.4-MOLECULE-013-CPUJAN2009
7609057    7609057   Thu Jun 02 22:54:17 CST 2011   DB-10.2.0.4-MOLECULE-012-CPUJAN2009
7375617    7375617   Thu Jun 02 22:54:14 CST 2011   DB-10.2.0.4-MOLECULE-0011-CPUOCT2008
7375613    7375613   Thu Jun 02 22:54:11 CST 2011   DB-10.2.0.4-MOLECULE-0010-CPUOCT2008
7375611    7375611   Thu Jun 02 22:54:07 CST 2011   DB-10.2.0.4-MOLECULE-009-CPUOCT2008
7197583    7197583   Thu Jun 02 22:54:03 CST 2011   DB-10.2.0.4-MOLECULE-008-CPUJUL2008
7155254    7155254   Thu Jun 02 22:54:00 CST 2011   DB-10.2.0.4-MOLECULE-007-CPUJUL2008
7155253    7155253   Thu Jun 02 22:53:35 CST 2011   DB-10.2.0.4-MOLECULE-006-CPUJUL2008
7155252    7155252   Thu Jun 02 22:53:13 CST 2011   DB-10.2.0.4-MOLECULE-005-CPUJUL2008
7155251    7155251   Thu Jun 02 22:53:07 CST 2011   DB-10.2.0.4-MOLECULE-004-CPUJUL2008
7155250    7155250   Thu Jun 02 22:53:02 CST 2011   DB-10.2.0.4-MOLECULE-003-CPUJUL2008
7155249    7155249   Thu Jun 02 22:52:58 CST 2011   DB-10.2.0.4-MOLECULE-002-CPUJUL2008
7155248    7155248   Thu Jun 02 22:52:54 CST 2011   DB-10.2.0.4-MOLECULE-001-CPUJUL2008
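
An added Python example (not from the original post or from Oracle) that parses this lsinventory output and turns it into a compliance check: which CPU release is the newest one registered in the Oracle home, which molecules are installed per CPU, and which molecules of the target CPU are missing, as happens after a partial n-apply or a skipped conflicting molecule. The sample output is constructed from the listing above with two molecules deliberately removed, and the expected molecule list is taken from the CPUAPR2009 directory listing shown earlier; the regular expressions assume the column layout printed by this OPatch version.

```python
import re

# Constructed sample: an excerpt of `opatch lsinventory -bugs_fixed` output modelled on the
# listing shown on this page, with molecules 005 and 006 (patches 7155252, 7155253) removed
# to simulate a partial n-apply. It was not captured from a live system.
LSINVENTORY_SAMPLE = """\
List of Bugs fixed by Installed Patches:
Bug        Fixed by  Installed at                   Description
            Patch
---        --------  ------------                   -----------
8309642    8309642   Thu Jun 02 22:54:51 CST 2011   DB-10.2.0.4-MOLECULE-018-CPUAPR2009
8309639    8309639   Thu Jun 02 22:54:48 CST 2011   DB-10.2.0.4-MOLECULE-019-CPUAPR2009
8309637    8309637   Thu Jun 02 22:54:45 CST 2011   DB-10.2.0.4-MOLECULE-020-CPUAPR2009
8309632    8309632   Thu Jun 02 22:54:42 CST 2011   DB-10.2.0.4-MOLECULE-017-CPUAPR2009
8309623    8309623   Thu Jun 02 22:54:39 CST 2011   DB-10.2.0.4-MOLECULE-016-CPUAPR2009
8309592    8309592   Thu Jun 02 22:54:35 CST 2011   DB-10.2.0.4-MOLECULE-015-CPUAPR2009
8309587    8309587   Thu Jun 02 22:54:30 CST 2011   DB-10.2.0.4-MOLECULE-014-CPUAPR2009
7150470    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUJUL2008
7375644    8290506   Thu Jun 02 22:54:26 CST 2011   MLR BUG FOR 10.2.0.4 FOR CPUOCT2008
7592346    8290506   Thu Jun 02 22:54:26 CST 2011   CPUJAN2009 DATABASE 10.2.0.4
8290506    8290506   Thu Jun 02 22:54:26 CST 2011   CPUAPR2009 DATABASE 10.2.0.4
7609058    7609058   Thu Jun 02 22:54:21 CST 2011   DB-10.2.0.4-MOLECULE-013-CPUJAN2009
7609057    7609057   Thu Jun 02 22:54:17 CST 2011   DB-10.2.0.4-MOLECULE-012-CPUJAN2009
7375617    7375617   Thu Jun 02 22:54:14 CST 2011   DB-10.2.0.4-MOLECULE-0011-CPUOCT2008
7375613    7375613   Thu Jun 02 22:54:11 CST 2011   DB-10.2.0.4-MOLECULE-0010-CPUOCT2008
7375611    7375611   Thu Jun 02 22:54:07 CST 2011   DB-10.2.0.4-MOLECULE-009-CPUOCT2008
7197583    7197583   Thu Jun 02 22:54:03 CST 2011   DB-10.2.0.4-MOLECULE-008-CPUJUL2008
7155254    7155254   Thu Jun 02 22:54:00 CST 2011   DB-10.2.0.4-MOLECULE-007-CPUJUL2008
7155251    7155251   Thu Jun 02 22:53:07 CST 2011   DB-10.2.0.4-MOLECULE-004-CPUJUL2008
7155250    7155250   Thu Jun 02 22:53:02 CST 2011   DB-10.2.0.4-MOLECULE-003-CPUJUL2008
7155249    7155249   Thu Jun 02 22:52:58 CST 2011   DB-10.2.0.4-MOLECULE-002-CPUJUL2008
7155248    7155248   Thu Jun 02 22:52:54 CST 2011   DB-10.2.0.4-MOLECULE-001-CPUJUL2008
"""

# Molecule patch numbers shipped in CPUAPR2009 for 10.2.0.4 (patch 8290506), taken from the
# directory listing of the unzipped CPU shown on this page (8290506 itself is not a molecule).
CPUAPR2009_MOLECULES = [
    "7155248", "7155249", "7155250", "7155251", "7155252", "7155253", "7155254",
    "7197583", "7375611", "7375613", "7375617", "7609057", "7609058",
    "8309587", "8309592", "8309623", "8309632", "8309637", "8309639", "8309642",
]

BUG_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+ \d{4})\s+(.+?)\s*$")
CPU_TAG = re.compile(r"CPU(JAN|APR|JUL|OCT)(\d{4})")
MOLECULE = re.compile(r"MOLECULE-\d+-(CPU[A-Z]{3}\d{4})")
QUARTER = {"JAN": 1, "APR": 4, "JUL": 7, "OCT": 10}


def parse_bugs_fixed(text):
    """Turn the 'List of Bugs fixed' table into dicts; header and ruler lines do not match."""
    rows = []
    for line in text.splitlines():
        m = BUG_LINE.match(line)
        if m:
            rows.append({"bug": m.group(1), "patch": m.group(2),
                         "installed_at": m.group(3), "description": m.group(4)})
    return rows


def cpu_key(tag):
    """Sort key for CPU names so that CPUOCT2008 < CPUJAN2009 < CPUAPR2009."""
    m = CPU_TAG.fullmatch(tag)
    return (int(m.group(2)), QUARTER[m.group(1)])


def latest_cpu(rows):
    """Most recent CPU release mentioned anywhere in the fixed-bug descriptions."""
    tags = {m.group(0) for r in rows for m in CPU_TAG.finditer(r["description"])}
    return max(tags, key=cpu_key) if tags else None


def molecules_by_release(rows):
    """Map each CPU release to the set of molecule patches installed from it."""
    out = {}
    for r in rows:
        m = MOLECULE.search(r["description"])
        if m:
            out.setdefault(m.group(1), set()).add(r["patch"])
    return out


def missing_molecules(rows, expected_patches):
    """Molecules of the target CPU that are not registered in the inventory."""
    installed = {r["patch"] for r in rows}
    return sorted(set(expected_patches) - installed)


if __name__ == "__main__":
    rows = parse_bugs_fixed(LSINVENTORY_SAMPLE)
    print("latest CPU seen:", latest_cpu(rows))
    for release, mols in sorted(molecules_by_release(rows).items(), key=lambda kv: cpu_key(kv[0])):
        print(release, len(mols), "molecule(s) installed")
    print("missing from CPUAPR2009:", missing_molecules(rows, CPUAPR2009_MOLECULES))
```

Because a CPU is cumulative, the newest CPU tag alone does not prove the Oracle home is fully patched: the check against the shipped molecule list is what reveals molecules that were skipped for a conflict and never replaced by a merge patch.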

3. Roll back some of the molecules in the CPU

$ ./opatch nrollback  -id 7155248,7155249,7155250 

This will roll back patches 7155248,7155249,7155250 that have been installed under the ORACLE_HOME.
If a patch is not installed, it does not have any impact and roll back skips the patch.

Invoking OPatch 11.2.0.1.3
Oracle Interim Patch Installer version 11.2.0.1.3
Copyright (c) 2010, Oracle Corporation.  All rights reserved.
UTIL session
Oracle Home       : /s01/db_1
Central Inventory : /s01/oraInventory
   from           : /etc/oraInst.loc
OPatch version    : 11.2.0.1.3
OUI version       : 10.2.0.4.0
OUI location      : /s01/db_1/oui
Log file location : /s01/db_1/cfgtoollogs/opatch/opatch2011-06-02_22-41-49PM.log
Patch history file: /s01/db_1/cfgtoollogs/opatch/opatch_history.txt
Invoking utility "nrollback"
Patches will be rolled back in the following order:
   7155248   7155249   7155250

Running prerequisite checks...
The following patch(es) will be rolled back: 7155248  7155249  7155250
OPatch detected non-cluster Oracle Home from the inventory and will patch the local system only.
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/s01/db_1')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files affected by the patch 'NRollback' for restore. This might take a while...
Rolling back patch 7155248...
RollbackSession rolling back interim patch '7155248' from OH '/s01/db_1'
Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/lib/env_rdbms.mk"
RollbackSession removing interim patch '7155248' from inventory
Rolling back patch 7155249...
RollbackSession rolling back interim patch '7155249' from OH '/s01/db_1'
Patching component oracle.rdbms, 10.2.0.4.0...
Copying file to "/s01/db_1/rdbms/admin/prvtdefr.plb"
RollbackSession removing interim patch '7155249' from inventory
Rolling back patch 7155250...
RollbackSession rolling back interim patch '7155250' from OH '/s01/db_1'
Patching component oracle.rdbms, 10.2.0.4.0...
Updating archive file "/s01/db_1/lib/libserver10.a"  with "lib/libserver10.a/kupp.o"
Copying file to "/s01/db_1/rdbms/admin/prvtbpp.plb"
RollbackSession removing interim patch '7155250' from inventory
Running make for target iextjob
Running make for target iextjobo
Running make for target ioracle
The local system has been patched and can be restarted.
UtilSession: N-Rollback done.
OPatch succeeded.

Besides the commands listed above, see the MOS notes <OPatch Utility Guide – 10.2 [ID 554417.1]> and <Critical Patch Update – Introduction to Database n-Apply CPUs [ID 438314.1]> for installing CPU patches.

After the opatch operations above, for existing databases (databases already created and in use) the data dictionary update scripts must also be run at the database level:

SQL> select * from global_name;
GLOBAL_NAME
--------------------------------------------------------------------------------
www.oracledatabase12g.com

1. For a traditional Normal CPU, run:

@?/rdbms/admin/catcpu.sql

2. For a Molecular CPU, run:
sqlplus /nolog
SQL> CONNECT / AS SYSDBA

@?/rdbms/admin/catbundle cpu apply

cd $ORACLE_HOME/cpu/view_recompile
sqlplus /nolog
SQL> CONNECT / AS SYSDBA

SQL> @recompile_precheck_jan2008cpu.sql
SQL> QUIT

cd $ORACLE_HOME/cpu/view_recompile
sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> SHUTDOWN IMMEDIATE

SQL> STARTUP UPGRADE

SQL> @view_recompile_jan2008cpu.sql
SQL> SHUTDOWN;
SQL> STARTUP;

SQL> @?/rdbms/admin/utlrp

SQL> QUIT

The dictionary update steps above can be found in the README.HTML shipped with the patch; see also the MOS note <Introduction To Oracle Database catbundle.sql [ID 605795.1]>.

Although Oracle states that every CPU it releases undergoes extensive and lengthy testing, Oracle cannot test in every customer's specific environment, so applying a CPU blindly still carries some risk. Oracle recommends that users fully test the impact of installing a CPU in their own customised environment before installing it on production systems.

Security risk information for Oracle products can be found in the Critical Patch Update Advisory and used as one basis for deciding whether to apply a CPU. In addition, the documentation shipped with the CPU is the most detailed and most useful source of security information available to users.

References:

Database, FMW, EM Grid Control, and OCS Software Error Correction Support Policy [ID 209768.1]

OPatch Utility Guide – 10.2 [ID 554417.1]

Critical Patch Update – Introduction to Database n-Apply CPUs [ID 438314.1]

Introduction To Oracle Database catbundle.sql [ID 605795.1]

http://www.oracle.com/technetwork/topics/security/whatsnew/index.html
