We decided to apply April 2022 CPU to EBS. To make patching consistent in both db side and EBS side, DBA applied 2022 April database PSU together with database 19c upgrade. The document for applying April 2022 CPU is 2856621.1. I followed below steps and order to apply it. As always, first of all identify which patches are required and download all patch files to a central location, such as /s46/path/to/CPU_April22
1. Confirm only patch 30399994 was applied:
SQL> select * from ad_bugs where bug_number in (31856779, 30399994);
30399994 Patch R12.ATG_PF.C.delta.9 (Application Technology Family)
31856779 Patch R12.ATG_PF.C.delta.10
2. Identify and decide 9 EBS patches will be applied in this time:
CPU patch:
33782739 RELEASE 12.2: CPU PATCH FOR APR 2022
Post Patching:
33908208:R12.FWK.C (12.2.10 CONSOLIDATED PATCH FOR APR CPU 2022 FIXES FOR FWK)
32980025:R12.AK.C (Application Framework)
33286000:R12.OAM.C (Oracle Applications Manager)
33625264:R12.OWF.C (Workflow)
Oracle support recommended when troubleshooting oacore (optional):
34005885:R12.FWK.C ORACLE APPL FRAMEWORK (FWK) RELEASE 12.2.10 BUNDLE 9
33659063:R12.FWK.C Image Patch for 12.2.10 Post Consolidated Patch Product OAF
33973100:R12.FND.C - CONNECTION LEAK _PAGES._JSP._FND.__CLOSE._JSPSERVICE
Patch for a bug when re-creating AZ tables (Doc ID 2816670.1):
p31791566_R12.AZ.C_R12_GENERIC.zip
$ cd $PATCH_TOP
$ cp /s46/path/to/CPU_April22/EBS/*.zip . (9 zip files)
unzip p33782739_12.2.0_R12_LINUX.zip
unzip p33908208_R12.FWK.C_R12_GENERIC.zip
unzip p32980025_R12.AK.C_R12_GENERIC.zip
unzip p33286000_R12.OAM.C_R12_GENERIC.zip
unzip p33625264_R12.OWF.C_R12_GENERIC.zip
unzip p33659063_R12.FWK.C_R12_GENERIC.zip
unzip p33973100_R12.FND.C_R12_GENERIC.zip
unzip p34005885_R12.FWK.C_R12_GENERIC.zip
unzip p31791566_R12.AZ.C_R12_GENERIC.zip
$ echo $FILE_EDITION
run
Note: adgrants.sql from patch 33782739 is an older version than the one in $APPL_TOP/admin
$ adop phase=apply apply_mode=downtime patches=33782739 patchtop=$NE_BASE/EBSapps/patch
<== it may take one hour
Post-patch steps (from README):
a) Run autoConfig in RUN file system on all Apps-tie nodes
$ ./adautocfg.sh
b) $ perl $AD_TOP/bin/admkappsutil.pl
c) Run autoConfig on database node (Note: I skipped this step)
$ adconfig.sh contextfile=$ORACLE_HOME/.../appsutil/$CONTEXT_NAME.xml
$ adop phase=apply apply_mode=downtime patches=33908208,34005885,33659063,33973100,32980025,33286000,33625264 patchtop=$NE_BASE/EBSapps/patch
$ adop phase=apply apply_mode=downtime patches=31791566 patchtop=$NE_BASE/EBSapps/patch
-- Verify all 10 patches were applied to all nodes
SQL> SELECT adb.bug_number, aas.name appl_top_name, adb.creation_date, adb.language,
decode(ad_patch.is_patch_applied('R12',aas.appl_top_id,adb.bug_number,adb.language),'EXPLICIT','APPLIED','NOT_APPLIED','NOT APPLIED') status
FROM ad_bugs adb,
(select distinct appltop_id appl_top_id, node_name name from ad_adop_sessions
where node_name in (select node_name from ADOP_VALID_NODES) ) aas
where adb.bug_number in (
'33782739',
'33908208',
'34005885',
'33659063',
'33973100',
'33207251',
'32980025',
'33286000',
'33625264',
'31791566'
) order by creation_date desc, adb.bug_number,aas.name,adb.language;
3. Run latest ETCC (patch 17537119). This will help in identifying and confirming what patches will be applied.
4. Apply patches for Oracle WebLogic Server (WLS) 10.3.6.0
$ cd $FMW_HOME/utils/bsu/cache_dir
$ cp /s46/path/to/CPU_April22/WLS/*.zip . (7 .zip files)
$ mv p33800106_1036_Generic.zip ../.
$ cd ..
$ ls
$ unzip p33800106_1036_Generic.zip (from 33845432)
$ chmod +x bsu_update.sh
$ bsu.sh -version
$ ./bsu_update.sh install <== it runs very quick.
Installing Smart Update V5...
Updating bsu modules
Update was successful.
$ bsu.sh -version
$ cd cache_dir
$ unzip -o p33791826_1036_Generic.zip (33946345 WLS PATCH SET UPDATE 10.3.6.0.220419)
$ unzip -o p13845626_10360220419_Generic.zip (33812339 CONSOLIDATED FMW FIXES)
$ unzip -o p13964737_10360220419_Generic.zip (zip file from 33812339)
$ unzip -o p33560682_1036_Generic.zip (from 33812339)
$ unzip -o p31241365_1036_Linux-x86-64.zip (from 33812339)
$ unzip -o p31042881_1036_Generic.zip (from 33812339)
$ cd ..
$ ./bsu.sh -prod_dir=$FMW_HOME/wlserver_10.3 -status=applied -verbose -view | egrep -i "T64V|UCI6|N3YF|9UNH|CW7X|7BIA"
-- it detects conflicts
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=T64V -prod_dir=$FMW_HOME/wlserver_10.3
Checking for conflicts..
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch T64V is mutually exclusive and cannot coexist with patch(es): YVDZ,1YWL,HJT5
./bsu.sh -remove -patchlist=YVDZ -prod_dir=$FMW_HOME/wlserver_10.3
./bsu.sh -remove -patchlist=HJT5 -prod_dir=$FMW_HOME/wlserver_10.3
./bsu.sh -remove -patchlist=1YWL -prod_dir=$FMW_HOME/wlserver_10.3
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=T64V -prod_dir=$FMW_HOME/wlserver_10.3
Checking for conflicts..
No conflict(s) detected
Installing Patch ID: T64V..
Result: Success
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=UCI6 -prod_dir=$FMW_HOME/wlserver_10.3
Checking for conflicts..
No conflict(s) detected
Installing Patch ID: UCI6.
Result: Success
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=N3YF -prod_dir=$FMW_HOME/wlserver_10.3
Checking for conflicts..
No conflict(s) detected
Installing Patch ID: N3YF..
Result: Success
-- it detects a conflict
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=9UNH -prod_dir=$FMW_HOME/wlserver_10.3
Checking for conflicts..
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch 9UNH is mutually exclusive and cannot coexist with patch(es): DN1F
$ ./bsu.sh -remove -patchlist=DN1F -prod_dir=$FMW_HOME/wlserver_10.3
Checking for conflicts..
No conflict(s) detected
Removing Patch ID: DN1F..
Result: Success
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=9UNH -prod_dir=$FMW_HOME/wlserver_10.3
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=CW7X -prod_dir=$FMW_HOME/wlserver_10.3
$ ./bsu.sh -install -patch_download_dir=$FMW_HOME/utils/bsu/cache_dir -patchlist=7BIA -prod_dir=$FMW_HOME/wlserver_10.3
$ ./bsu.sh -prod_dir=$FMW_HOME/wlserver_10.3 -status=applied -verbose -view | egrep -i "T64V|UCI6|N3YF|9UNH|CW7X|7BIA"
Patch ID: T64V
PatchContainer: T64V.jar
Patch ID: UCI6
PatchContainer: UCI6.jar
33791826 , Patch ID :T64V) in the environment
Patch ID: N3YF
PatchContainer: N3YF.jar
U (Patch Number:33791826 , Patch ID :T64V ) in the environme
Patch ID: 9UNH
PatchContainer: 9UNH.jar
Patch ID: CW7X
PatchContainer: CW7X.jar
Patch ID: 7BIA
PatchContainer: 7BIA.jar
5. apply 4 patches for Oracle Fusion Middleware (FMW) 11.1.1.9 OHS - Web Tier
$ echo $IAS_ORACLE_HOME
$ export ORACLE_HOME=$IAS_ORACLE_HOME
$ echo $ORACLE_HOME
$RUN_BASE/FMW_Home/webtier
$ export PATH=$IAS_ORACLE_HOME/OPatch:$PATH
$ which opatch
$RUN_BASE/FMW_Home/webtier/OPatch/opatch
cd /s46/path/to/CPU_April22/OH (7 zip files)
Note: when all .zip files are saved in a shared location, only unzip them once for all nodes/instances
$ unzip p33963904_111190_Linux-x86-64.zip
$ cd 33963904
$ opatch apply -jre $ORACLE_HOME/jdk/jre
Oracle Interim Patch Installer version 11.1.0.12.9
Copyright (c) 2022, Oracle Corporation. All rights reserved.
... ...
Patching component oracle.ohs2, 11.1.1.9.0...
RollbackSession removing interim patch '31047338' from inventory
OPatch back to application of the patch '33963904' after auto-rollback.
Patching component oracle.ohs2, 11.1.1.9.0...
Verifying the update...
Patch 33963904 successfully applied
$ cd ..
$ unzip p32287205_111190_Linux-x86-64.zip
$ cd 32287205
$ opatch apply
... ...
Patching component oracle.ldap.rsf, 11.1.1.9.0...
Patching component oracle.rdbms.rsf, 11.1.0.7.0...
RollbackSession removing interim patch '31304503' from inventory
OPatch back to application of the patch '32287205' after auto-rollback.
Patching component oracle.ldap.rsf, 11.1.1.9.0...
Patching component oracle.rdbms.rsf, 11.1.0.7.0...
Verifying the update...
Patch 32287205 successfully applied
$ cd ..
$ unzip p32928416_111190_Linux-x86-64.zip
$ cd 32928416
$ opatch apply
... ...
Patching component oracle.opmn, 11.1.1.9.0...
Verifying the update...
Patch 32928416 successfully applied
$ cd ..
$ unzip p33144848_111190_Linux-x86-64.zip
$ cd 33144848
$ opatch apply -jre $ORACLE_HOME/jdk/jre
... ...
Patching component oracle.wlsplugins, 11.1.1.9.0...
Verifying the update...
Patch 33144848 successfully applied
$ opatch lsinventory
Interim patches (17) :
6. apply 2 patches for Oracle Fusion Middleware (FMW) - Oracle Common
$ export ORACLE_HOME=$FMW_HOME/oracle_common
$ export PATH=$ORACLE_HOME/OPatch:$PATH
$ echo $ORACLE_HOME
$FMW_HOME/oracle_common
$ which opatch
$FMW_HOME/oracle_common/OPatch/opatch
$ cd ..
$ unzip p31985571_111190_Generic.zip
$ cd 31985571/oui
$ opatch apply
... ...
Patching component oracle.jrf.adfrt, 11.1.1.9.0...
RollbackSession removing interim patch '30368663' from inventory
OPatch back to application of the patch '31985571' after auto-rollback.
Patching component oracle.jrf.adfrt, 11.1.1.9.0...
Verifying the update...
Patch 31985571 successfully applied
$ cd ../..
$ unzip p26933408_111190_Generic.zip
$ cd 26933408
$ opatch apply
... ...
Patching component oracle.jrf.thirdparty.jee, 11.1.1.9.0...
Verifying the update...
Patch 26933408 successfully applied
$ opatch lsinventory
Interim patches (14) : ...
7. apply 1 patch for Oracle Fusion Middleware 10.1.2.3 - Forms and Reports
Start a new OS session
$ echo $FILE_EDITION
run
$ echo $ORACLE_HOME
$RUN_BASE/EBSapps/10.1.2
$ which opatch
$RUN_BASE/EBSapps/10.1.2/OPatch/opatch
$ cd /aetnas46/oracmprod/R122patch_IFSPGRND/CPU_April22/OH
$ unzip p32922089_101232_LINUX.zip
$ cd 32922089
$ opatch apply
... ...
Removing patch 26825525...
Applying patch 32922089...
OPatch succeeded.
$ opatch lsinventory
44 patches.
8. Run ETCC script again to confirm all required technology patches were applied.
9. Testing and and after signed-off, run FS_CLONE.
$ cd $ADMIN_SCRIPTS_HOME
$ ./adautocfg.sh
$ ./adstrtal.sh
Do a backup on file systems and then run fs_clone.
$ adop phase=fs_clone
Additional notes:
An Oracle document shows Log4j vulnerabilities are mitigated by April 2022 CPU patches. Seems Oracle collected all remediations into this patch set. Here is the document (as of July 30 2022):
CVE-2021-4104/CVE-2022-23302/CVE-2022-23305/CVE-2022-23307 Advisory for Oracle E-Business Suite (Apache Log4j 1.x Vulnerabilities) (Doc ID 2858304.1)
SYMPTOMS
These vulnerabilities have various conditions of exploitability. For example, to be maliciously exploited vulnerability CVE-2022-23307 requires that the attacker be able to create a malicious log entry and either the attacker or a customer run the Chainsaw component on the targeted system. Because of these various conditions of exploitability and the way the Log4j components are used in Oracle products, the reported CVSS Base Scores for these vulnerabilities do not necessarily reflect the criticality of the issues in the context of their use in an Oracle product. These non-default configurations of Log4j are not used by Oracle E-Business Suite.
CVE-2021-4104 (CVSS 7.5) deserialization of untrusted data in JMSAppender
Vulnerable if: log4j configuration uses JMSAppender (not used by default)
CVE-2022-23302 (CVSS 8.8) deserialization of untrusted data in JMSSink
Vulnerable if: log4j configuration uses JMSSink (not used by default)
CVE-2022-23305 (CVSS 9.8) SQL injection in JDBCAppender
Vulnerable if: log4j configuration uses JDBCAppender (not used by default)
CVE-2022-23307 (CVSS 9.8) Chainsaw GUI logviewer (for log4j's XML output)
Vulnerable if: using chainsaw
PATCHES
The following patches are available to mitigate the Log4j related vulnerabilities. If you find Log4j in other components not listed here, file a service request against the respective components.
Core Oracle E-Business Suite Functionality
Apply the following patches:
• For Oracle E-Business Suite Release 12.2.x with WLS 10.3.6 and FMW 11.1.1.9:
o Apply EBS April 2022 CPU Patch 33782739.
o Apply WLS 10.3.6 overlay Patch 33796519, which is included in Patch 33570839, on top of the 10.3.6 January 2022 PSU. This patch is included in Patch 33946345 EBS REHOSTED: 33791826 WLS PATCH SET UPDATE 10.3.6.0.220419.
o Apply WLS 10.3.6 Smart Update V5 Patch 33845432, which is also included in Patch 33570839 EBS RELEASE 12.2 CONSOLIDATED FMW FIXES FOR JAN 2022 and subsequent Critical Patch Updates (CPUs).
o Apply FMW 11.1.1.9 Patch 33960746 (to oracle_common).
The following occurrences of log4j jar files are modified by the aforementioned patches:
• FMW_Home/modules/com.bea.core.apache.log4j_1.2.13.jar
• FMW_Home/modules/com.bea.core.apache.log4j_1.1.0.0_1-2-15.jar
• FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar
• FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.8.jar
• FMW_Home/wlserver_10.3/server/lib/wlstestclient.ear/webapp.war/log4j-1.2.8.jar
• FMW_Home/patch_wls1036/backup/backup.jar/wlstestclient.ear/webapp.war/log4j-1.2.8.jar
• FMW_Home/oracle_common/sysman/archives/fmwctrl/app/em.ear
• FMW_Home/oracle_common/sysman/archives/applications/11_1_1_0_0_emcore.war
• FMW_Home/oracle_common/sysman/jlib/log4j-core.jar
Any occurrences of log4j jar files in these directories can be manually removed:
• All Log4j libraries under the following directories:
o /clone (such as …/EBSapps/comn/clone/)
o /adopclone (such as …/EBSapps/comn/adopclone_xxxxx/)
o /inventory (such as …/EBSapps/10.1.2/ccr/inventory/)
o /patch stage (such as .../bsu/cache_dir/ and .../.patch_storage/)
o FMW_Home/user_projects/domains/EBS_domain/servers/AdminServer/tmp/_WL_user/emcore/28c293/WEB-INF/lib/log4j-core.jar
Shut down the WLS server before removing this file. After a while, the library might come back again which is the patched library.
o Run the following commands to stub out the log4j.jar under the 10.1.2 Oracle home:
$ cd <ORACLE_HOME>
$ perl -e print "" > ./sysman/admin/emdrep/lib/log4j.jar
o Run the following commands to stub out the EAR file under the 10.1.2 Oracle home for Oracle E-Business Suite Release 12.2 and 10.1.3 Oracle home for Oracle E-Business Suite Release 12.1:
$ cd <ORACLE_HOME>
$ perl -e print "" > ./oc4j/j2ee/oc4j_applications/applications/isqlplus.ear
Our analysis of the following occurrences of log4j v1.x indicates that these can be considered false positives. These instances are false positives since they do not contain the vulnerable classes.
The following Log4j jar files are not impacted by the CVEs listed in this note since they do not contain the vulnerable classes:
• 10.1.2/sysman/jlib/log4j-core.jar
• 10.1.2/OPatch/ocm/ocm.zip/core.jar/payload.zip/log4j-core.jar
• 10.1.2/diagnostics/lib/ojdl-log4j.jar
• FMW_Home/Oracle_EBS-app1/ccr/lib/log4j-core.jar
• FMW_Home/Oracle_EBS-app1/oui/jlib/lib/log4j-core.jar
• FMW_Home/Oracle_OAMWebGate1/oui/jlib/jlib/log4j-core.jar
• FMW_Home/webtier/OPatch/ocm/lib/log4j-core.jar
• FMW_Home/webtier/OPatch/ocm/ocm.zip/log4j-core.jar
• FMW_Home/webtier/OPatch/ocm/ocm.zip/core.jar/payload.zip/log4j-core.jar
• FMW_Home/webtier/ccr/lib/log4j-core.jar
• FMW_Home/webtier/oui/jlib/jlib/log4j-core.jar
• FMW_Home/oracle_common/OPatch/ocm/lib/log4j-core.jar
• FMW_Home/oracle_common/OPatch/ocm/ocm.zip/log4j-core.jar
• FMW_Home/oracle_common/OPatch/ocm/ocm.zip/core.jar/payload.zip/log4j-core.jar
• FMW_Home/oracle_common/modules/oracle.odl_11.1.1/ojdl-log4j.jar
• DBhome/sysman/jlib/ocm/log4j-core.jar
• DBhome/oui/jlib/jlib/log4j-core.jar
• DBhome/oc4j/j2ee/home/applications/ascontrol.ear/ascontrol.war/log4j-core.jar
• DBHome/ccr/lib/log4j-core.jar
• DBHome/javavm/lib/dbhadoop12101.jar
Vulnerability NOTES:
In another Oracle document ID 2827804.1 (CVE-2021-44228/CVE-2021-45046/CVE-2021-44832/CVE-2021-45105 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities), the Core Oracle E-Business Suite Functionality section asks to apply EBS patch 33672402:R12.TXK.C (in early 2022) to mitigate the vulnerability in Oracle E-Business Suite 12.2 associated with
CVE-2021-44228,
CVE-2021-45046,
CVE-2021-44832,
CVE-2021-45105
It patches file $COMMON_TOP/java/lib/log4j_core.jar.
No comments:
Post a Comment