How to Prepare for and Find the Correct Critical Patch Update Patches for Oracle Fusion Middleware Products
(Doc ID 551453.1)
Last updated on AUGUST 17, 2021
Applies to: Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle WebLogic Server - Version 10.3.6 and later
Information in this document applies to any platform.
Oracle currently delivers the latest Critical Patch Updates (CPU) on a quarterly basis: January, April, July, and October of each year. Oracle highly recommends incorporating an upgrade plan to ensure you are on supported versions and apply supplied patches and recommended configurations to secure your environment. These may come as a Patch Set Update (PSU), a Bundle Patch (BP), or Security Patch Update (SPU).
This document provides assistance on learning about the Critical Patch Update program and finding the correct patches for Oracle Fusion Middleware products.
WATCH THE ADVISOR WEBCAST: How to Find Critical Patch Updates for Oracle Fusion Middleware Products (Jan 16, 2020)
Security Vulnerability Policies
- For more information on handling vulnerabilities, refer to <Note 1074055.1>, Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
The above document has information on vulnerability communication, how to look up and find information about a CVE, and references to security best practices. Security best practices are recommended configurations, which are not available as a patch. They are also known as "Lock Down" or "Hardening" advice. Security scans, if run, often recommend the same configuration steps. See the references in the above FAQ for Security Best Practices.
- See Instructions for subscribing to email notifications of Critical Patch Update Advisories and Security Alerts.
Introduction to Maintaining Oracle Fusion Middleware
As a matter of best practice, regular maintenance should include the following:
- Apply the latest available Patch Set for your installation.
- Apply any Bundle Patch for your primarily used products.
- Apply Critical Patch Update recommendations to all products and underlying components within your environment.
Note: A Critical Patch Update includes a Patch Set Update (PSU) (for DB and WLS) and Security Patch Updates (SPU), but may also include Bundle Patches (BP). The primary objective of the CPU program is to deliver security fixes for Oracle products. If a security fix is in a Bundle, then the Bundle will be listed to be applied. April 2021 introduced a new patch type for WebLogic called Stack Patch Bundle (SPB). For more information, see Introducing the Stack Patch Bundle (SPB) with SPBAT Utility for Oracle WebLogic Server <Note 2764636.1>.
- It is recommended to follow a regular maintenance schedule (upgrade to Patch Set releases) for both security and support policies outlined in <Note 944866.1>, Error Correction Support Dates for Fusion Middleware.
- For the latest release information, refer to <Note 1370970.1>, Oracle Fusion Middleware Release Announcements and Other Important Documentation Links.
- For Bundle Patch reference, review <Note 1494151.1>, Primary Note on Fusion Middleware Proactive Patching - Patch Set Updates (PSUs) and Bundle Patches (BPs).
- If confused about types of patches, see <Note 1430923.1>, Patch Nomenclature for Oracle Products.
Once you are on your desired Patch Set release and Bundle Patch for your products, you can then seek out Critical Patch Updates. A PSU is released with the CPU program. BPs are not mandatory before a CPU, but if a security fix is included in a BP, then that BP will become a minimum requirement within the CPU documentation. If you see an older BP in the CPU documentation, note that the latest BP is always cumulative; the newest one simply may not include a security fix.
How to Find the Latest Fusion Middleware Patches
Step 1: What is Installed in the Middleware Home or Oracle home?
- For 11g or more information on how to identify the components in a Middleware Home or Oracle home, see <Note 1591483.1>, What is Installed in My Middleware or Oracle home?
Before trying to find the correct Critical Patch Update Patches for your Oracle Fusion Middleware environment(s), you need to know what patches are already applied and what Distributions are installed within the Oracle Home.
a. To check that you have the prerequisites, which patches are applied, and the OPatch version, run the command:
b. For 12.2.1.x, use the following to obtain a list of all Distributions, Feature Sets, and Components installed.
ORACLE_HOME/oui/bin/viewInventory.sh (.cmd for Windows)
By piping the output to grep (Linux/Unix) or findstr (Windows), you can obtain only the Distributions. An example output is below:
$ORACLE_HOME/oui/bin/viewInventory.sh |grep Distribution
Distribution: WebLogic Server for FMW 22.214.171.124.0
Distribution: Oracle Forms Reports 126.96.36.199.0
%ORACLE_HOME%\oui\bin\viewInventory.cmd |findstr Distribution
Distribution: WebLogic Server for FMW 188.8.131.52.0
Distribution: Oracle Forms Reports 184.108.40.206.0
The results show that this Oracle Home has the WebLogic Server for FMW (also known as Oracle Fusion Middleware Infrastructure) and Oracle Forms Reports Distributions installed. These distributions will be used to find applicable patches in the next steps.
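As an added example (not part of the Oracle note), the following shell functions reduce viewInventory output to one name/version pair per Distribution, which is the list of product tables to look up in the Patch Availability Document. The sample inventory text and its version numbers are constructed, and skipping a Distribution whose name starts with "OPatch" is an assumption about how OPatch appears in the listing.

```shell
#!/bin/sh
# Added example: map viewInventory output to the product tables to consult.

# Constructed sample of `viewInventory.sh` output (not captured from a real
# Oracle Home); only the "Distribution:" lines matter to the parser.
sample_inventory() {
    cat <<'EOF'
Oracle Home: /u01/app/oracle/middleware
   Distribution: WebLogic Server for FMW 12.2.1.4.0
      FeatureSet: example_featureset 12.2.1.4.0
   Distribution: Oracle Forms Reports 12.2.1.4.0
   Distribution: OPatch 13.9.4.2.0
EOF
}

# Reads inventory text on stdin and prints "name|version" once per
# Distribution. The version is taken to be the last whitespace-separated
# field. OPatch is skipped (assumption: it is listed with a name starting
# "OPatch") because it is upgraded for the Oracle Home as a whole.
list_distributions() {
    awk '
        /^[ \t]*Distribution:/ {
            sub(/\r$/, "")                          # tolerate Windows CRLF
            sub(/^[ \t]*Distribution:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            if (NF < 2) next                        # no version field
            ver = $NF
            name = $0
            sub(/[ \t]+[^ \t]+$/, "", name)         # drop trailing version
            if (name ~ /^OPatch/) next
            key = name "|" ver
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Number of product tables to read in the Patch Availability Document.
pad_table_count() {
    list_distributions | wc -l | tr -d ' '
}

# On a real host: "$ORACLE_HOME/oui/bin/viewInventory.sh" | list_distributions
sample_inventory | list_distributions
```
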
Step 2: How to Find the Latest Critical Patch Update for Oracle Fusion Middleware Products
a. To obtain Critical Patch Updates, Oracle recommends the following as a starting point:
Critical Patch Updates (CPU) and Security Alerts
[ https://www.oracle.com/technetwork/topics/security/alerts-086861.html ]
b. Click the latest Critical Patch Update - <Month Year> link to access the current advisory from the Critical Patch Updates section.
c. Click the appropriate Patch Availability Document for the corresponding Affected Products and Versions to be patched. For this document, that would be any Fusion Middleware Patch Availability Document link.
One should end up on a document with a title like, 'Critical Patch Update (CPU) Program <Month Year> Patch Availability Document (PAD).'
- Critical Patch Update Advisories document the Common Vulnerabilities and Exposures (CVE) fixed within a specific CPU release and provide Patch Availability Documents.
- Patch Availability Documents provide the cumulative patches for each product within error correction support.
- See the Oracle Fusion Middleware Risk Matrix on the Critical Patch Update Advisory for Risk definitions.
Step 3: Navigating the Patch Availability Document to Find Product Patches
a. It is important to familiarize oneself with the document layout by reviewing the Overview, section 1.
b. Using the Distribution(s) installed, which were found in Step 1 Part b (above), navigate to the product table(s) in the subsections of section 3 Patch Availability for Oracle Products to find applicable patches. If multiple Distributions are installed, refer to each corresponding product distribution's table. If two Distributions are installed, that means there will be two tables. Three Distributions means three tables, and so on. This does not include OPatch Distributions, which will be upgraded, as needed, for the Oracle Home as a whole. From the example above, one should be using the product tables for Oracle Forms and Reports 220.127.116.11 and Oracle Fusion Middleware Infrastructure 18.104.22.168.
c. When reviewing the product's Patch Availability table, read the table row-by-row top-to-bottom. A product table's rows consist of entries for patches and/or documents which are recommended as part of the CPU advisory. All rows are applicable.
d. Apply the patches as per the patch's readme. Take note of any supplemental documents called out in the readme and/or Comments column in the table. If a document is listed for the row as opposed to a patch, see the document for direction. There are times where configuration changes are needed which cannot be made via patches.
- Be sure to read the top section of the Patch Availability Document at least once, especially the "How to Use This Document" section.
- Then, refer to the sections for the products you have installed, reading the table for each supported product and version.
- One should be updating the JDK and JRE installations (which are on all environments) using the separately provided Java SE Patch Availability Document. For justification, see <Note 360870.1>, Impact of Java SE Security Vulnerabilities on Oracle Database and Fusion Middleware Products.
- New patches released in the current cycle will be noted with the CVE numbers fixed, aligned with the Critical Patch Update Advisory. See the Advisory Number column of the product's Patch Availability table. Going forward, new patches are easy to identify because they list new CVE numbers rather than prior advisory dates.
- Take note to review any Comments or Post Patching Requirements as patches do not update your configuration.
- When using OPatch, the -report flag can be used to test the patch and check its applicability.
Critical Patch Updates for Expired 10g Releases
Oracle Application Server 10g Release 2 (10.1.2), Release 3 (10.1.3), and Oracle Identity Management 10g (10.1.4) are now expired. You can apply the final CPU patches released.
- For 10.1.3, you should apply the 10.1.3.5 Patch Set and update OPatch to 22.214.171.124.64 using:
<Note 397022.1> Oracle Application Server 10g Release 3 (10.1.3) Support Status and Alerts
Then apply the CPU patches from the "126.96.36.199 Oracle Fusion Middleware 10.1.3.5.x" section within:
<Note 2228898.1> Patch Set Update and Critical Patch Update April 2017 Availability Document
- For 10.1.2 and 10.1.4, the following document can be used to apply the last available patches in a step-by-step format:
<Note 405972.1> Oracle Application Server 10g Examples for Critical Patch Updates