
How to Prepare for and Find the Correct Critical Patch Update Patches for Oracle Fusion Middleware Products (Doc ID 551453.1)

Last updated on AUGUST 17, 2021

Applies to:

Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle WebLogic Server - Version 10.3.6 and later
Information in this document applies to any platform.

Details

Oracle currently delivers the latest Critical Patch Updates (CPU) on a quarterly basis: January, April, July, and October of each year. Oracle highly recommends incorporating an upgrade plan to ensure you are on supported versions, and applying the supplied patches and recommended configurations to secure your environment. These may come as a Patch Set Update (PSU), a Bundle Patch (BP), or Security Patch Update (SPU).

This document provides assistance on learning about the Critical Patch Update program and finding the correct patches for Oracle Fusion Middleware products.

Actions

WATCH THE ADVISOR WEBCAST: How to Find Critical Patch Updates for Oracle Fusion Middleware Products (Jan 16, 2020)

Security Vulnerability Policies

-- For more information on handling vulnerabilities, refer to <Note 1074055.1>, Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products

The above document has information on vulnerability communication, how to look up and find information about a CVE, and references to security best practices. Security best practices are recommended configurations, which are not available as a patch; they are also known as "Lock Down" or "Hardening" advice. Security scans often recommend the same configuration steps. See the references in the above FAQ for Security Best Practices.

 

Introduction to Maintaining Oracle Fusion Middleware 

As a matter of best practice, regular maintenance should include the following:

  1. Apply the latest available Patch Set for your installation.
  2. Apply any Bundle Patch for your primarily used products.
  3. Apply Critical Patch Update recommendations to all products and underlying components within your environment.

    Note: A Critical Patch Update includes a Patch Set Update (PSU) (for DB and WLS) and Security Patch Updates (SPU), but may also include Bundle Patches (BP). The primary objective of the CPU program is to deliver security fixes for Oracle products. If a security fix is in a Bundle, then the Bundle will be listed to be applied. April 2021 introduced a new patch type for WebLogic called Stack Patch Bundle (SPB). For more information, see Introducing the Stack Patch Bundle (SPB) with SPBAT Utility for Oracle WebLogic Server <Note 2764636.1>.

Once you are on your desired Patch Set release and Bundle Patch for your products, you can then seek out Critical Patch Updates. A PSU is released with the CPU program. BPs are not mandatory before a CPU, but if a security fix is included in a BP, then that BP will become a minimum requirement within the CPU documentation. If you see an older BP in the CPU documentation, note that the latest BP is always cumulative; the newest one just may not include a security fix.


How to Find the Latest Fusion Middleware Patches

Step 1: What is Installed in the Middleware Home or Oracle home?

- For 11g or more information on how to identify the components in a Middleware Home or Oracle home, see <Note 1591483.1>, What is Installed in My Middleware or Oracle home?

Before trying to find the correct Critical Patch Update Patches for your Oracle Fusion Middleware environment(s), you need to know what patches are already applied and what Distributions are installed within the Oracle Home.

a. To check the prerequisites, which patches are applied, and the OPatch version, run the command:

ORACLE_HOME/OPatch/opatch lsinventory

b. For 12.2.1.x, use the following to obtain a list of all Distributions, Feature Sets, and Components installed.

ORACLE_HOME/oui/bin/viewInventory.sh (.cmd for Windows)

Example:
By piping the output to grep (Linux/Unix) or findstr (Windows), you can obtain only the Distributions. Example output is below:

Linux/Unix
$ORACLE_HOME/oui/bin/viewInventory.sh |grep Distribution
Distribution: WebLogic Server for FMW 12.2.1.3.0
Distribution: Oracle Forms Reports 12.2.1.3.0
...

Windows
%ORACLE_HOME%\oui\bin\viewInventory.cmd |findstr Distribution
Distribution: WebLogic Server for FMW 12.2.1.3.0
Distribution: Oracle Forms Reports 12.2.1.3.0
...

The results show that this Oracle Home has the WebLogic Server for FMW (also known as Oracle Fusion Middleware Infrastructure) and Oracle Forms Reports Distributions installed. These distributions will be used to find applicable patches in the next steps.

 

Step 2: How to Find the Latest Critical Patch Update for Oracle Fusion Middleware Products

a. To obtain Critical Patch Updates, Oracle recommends the following as a starting point:

Critical Patch Updates (CPU) and Security Alerts
[ https://www.oracle.com/technetwork/topics/security/alerts-086861.html ]

b. Click the latest Critical Patch Update - <Month Year> link to access the current advisory from the Critical Patch Updates section.

c. Click the appropriate Patch Availability Document for the corresponding Affected Products and Versions to be patched. For this document, that would be any Fusion Middleware Patch Availability Document link.
You should end up on a document with a title like 'Critical Patch Update (CPU) Program <Month Year> Patch Availability Document (PAD)'.

Tips:
- Critical Patch Update Advisories document the Common Vulnerabilities and Exposures (CVE) fixed within a specific CPU release and provide Patch Availability Documents.
- Patch Availability Documents provide the cumulative patches for each product within error correction support.
- See the Oracle Fusion Middleware Risk Matrix on the Critical Patch Update Advisory for Risk definitions.

 

Step 3: Navigating the Patch Availability Document to Find Product Patches

a. It is important to familiarize oneself with the document layout by reviewing the Overview, section 1.

b. Using the Distribution(s) installed, which were found in Step 1 Part b (above), navigate to the product table(s) in the subsections of section 3, Patch Availability for Oracle Products, to find applicable patches. If multiple Distributions are installed, refer to each corresponding product distribution's table. If two Distributions are installed, there will be two tables; three Distributions means three tables, and so on. This does not include OPatch Distributions, which will be upgraded, as needed, for the Oracle Home as a whole. From the example above, one should be using the product tables for Oracle Forms and Reports 12.2.1.3 and Oracle Fusion Middleware Infrastructure 12.2.1.3.

c. When reviewing the product's Patch Availability table, read the table row-by-row top-to-bottom. A product table's rows consist of entries for patches and/or documents which are recommended as part of the CPU advisory. All rows are applicable.

d. Apply the patches as per the patch's readme. Take note of any supplemental documents called out in the readme and/or Comments column in the table. If a document is listed for the row as opposed to a patch, see the document for direction. There are times where configuration changes are needed which cannot be made via patches.

Note: Because you must be very careful to apply all patches when it comes to security, you may inadvertently download a listed patch that has no fixes for your Oracle Home and attempt to apply it. If there are no fixes applicable for the Oracle Home, OPatch will show that it is skipping that component, reporting "Skip patch <NUMBER> from list of patches to apply: This patch is not needed", meaning the patch is not applicable. Still, ensure the ORACLE_HOME is set correctly.
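The lookup in Step 1 Part b and Step 3 Part b, together with the OPatch skip message from the note above, as an added shell example (not Oracle's code): it turns viewInventory output into the list of Patch Availability Document tables to read and extracts the patch numbers OPatch reported as not needed. The function names, the sample text, and the format of the OPatch and Feature Set inventory lines are assumptions constructed for illustration; on a real system, pipe in the output of $ORACLE_HOME/oui/bin/viewInventory.sh and saved OPatch output instead.

```shell
#!/bin/sh
# Added example (not Oracle code). Sample text below is constructed for illustration.

# Constructed viewInventory output; the OPatch and Feature Set lines are assumed formats.
SAMPLE_INVENTORY='Distribution: WebLogic Server for FMW 12.2.1.3.0
Feature Set: example_feature 12.2.1.3.0
Distribution: Oracle Forms Reports 12.2.1.3.0
Distribution: OPatch 13.9.4.2.0'

# Constructed OPatch output; patch numbers are placeholders.
SAMPLE_OPATCH_OUTPUT='Skip patch 11111111 from list of patches to apply: This patch is not needed
Applying patch 22222222 (constructed line)'

# stdin: viewInventory output. stdout: "name|version" per Distribution line.
# OPatch distributions are dropped: OPatch is upgraded for the Oracle Home as a
# whole and has no product table to look up.
list_distributions() {
    sed -n 's/^[[:space:]]*Distribution:[[:space:]]*\(.*\)[[:space:]]\([0-9][0-9.]*\)[[:space:]]*$/\1|\2/p' |
        grep -v '^OPatch|' | sort -u
}

# stdin: viewInventory output. stdout: one PAD product table to read per distribution.
pad_tables() {
    list_distributions | while IFS='|' read -r name version; do
        case $name in
            # The only two inventory-to-table name mappings stated on this page.
            'WebLogic Server for FMW') name='Oracle Fusion Middleware Infrastructure' ;;
            'Oracle Forms Reports')    name='Oracle Forms and Reports' ;;
        esac
        # The page's table names use a four-part release (12.2.1.3); the inventory prints five.
        release=$(printf '%s\n' "$version" | cut -d. -f1-4)
        printf '%s %s\n' "$name" "$release"
    done
}

# stdin: OPatch output. stdout: patch numbers OPatch skipped as not needed.
skipped_patches() {
    sed -n 's/.*Skip patch \([0-9][0-9]*\) from list of patches to apply: This patch is not needed.*/\1/p' |
        sort -u
}

printf 'PAD tables to read:\n'
printf '%s\n' "$SAMPLE_INVENTORY" | pad_tables
printf 'Skipped as not applicable:\n'
printf '%s\n' "$SAMPLE_OPATCH_OUTPUT" | skipped_patches
```

Distribution names other than the two mapped here pass through unchanged, so confirm the matching table title in the PAD itself.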

  
Tips:
- Be sure to read the top section of the Patch Availability Document at least once, especially the "How to Use This Document" section.
- Then, refer to the sections for the products you have installed, reading the table for each supported product and version.
- One should be updating the JDK and JRE installations (which are on all environments) using the separately provided Java SE Patch Availability Document. For justification, see <Note 360870.1>, Impact of Java SE Security Vulnerabilities on Oracle Database and Fusion Middleware Products.
- New patches released in the current cycle are noted with the CVE numbers they fix, aligned with the Critical Patch Update Advisory. See the Advisory Number column of the product's Patch Availability table. Going forward, new patches are easy to identify because they list one or more new CVEs rather than a prior advisory date.
- Take note to review any Comments or Post Patching Requirements as patches do not update your configuration.
- When using OPatch, the -report flag can be used to test the patch and check its applicability.

 

Critical Patch Updates for Expired 10g Releases

Oracle Application Server 10g Release 2 (10.1.2), Release 3 (10.1.3), and Oracle Identity Management 10g (10.1.4) are now expired. You can apply the final CPU patches released.

 
