Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU and Update" (OJVM PSU and OJVM Update) Patches
(Doc ID 1929745.1)
Last updated on MARCH 04, 2023
Applies to:
Oracle Database Cloud Exadata Service - Version N/A and later Oracle Database Cloud Service - Version N/A and later Oracle Database - Personal Edition - Version 9.2.0.8 and later Oracle Platinum Services - Version N/A to N/A Oracle Database Exadata Express Cloud Service - Version N/A and later Information in this document applies to any platform.
Mitigation steps that can be used to protect against Oracle JavaVM vulnerabilities in any database version from 9.2.0.8 onwards .
Actions
Why should I install the patch if I do not use Oracle JavaVM ?
Databases include the Oracle JavaVM by default and so may be exposed to security vulnerabilities that are addressed by the latest patch.
Can I just uninstall Oracle JavaVM instead ?
The Oracle JavaVM is used by several database options and features and so should not be removed. For example, Oracle JavaVM is used by XDK, CDC, Spatial, InterMedia etc..
Do I need to take any action if my database was created in a non-standard manner and does not have Oracle JavaVM installed ?
If the database has been created without JavaVM then OJVM PSU is not applicable to that database. However, be aware that if a new database is created with JavaVM in an unpatched ORACLE_HOME that new database will not be protected. The preferred option is to install OJVM PSU but omit the OJVM PSU post install steps for the specific database/s that do not have JavaVM. If you do run the OJVM PSU post install steps PLS-201 errors will be reported - these errors can be safely ignored.
Can I use any OJVM PSU patch with any DB PSU patch ?
The database must be patched to at least October 2014 DB PSU (or equivalent SPU or Database Patch for Exadata) before an OJVM PSU patch can be applied.
On Windows platforms OJVM PSU patches have additional dependencies - see OJVM PSU information in <Document:161549.1>
Which database versions are OJVM PSU patches available for ?
OJVM PSU patches are released as part of the Critical Patch Update program and are only available for database versions covered by error correction support. As of January 2018 patches have been released for the following database versions:
11.1.0.7
11.2.0.3
11.2.0.4
12.1.0.1
12.1.0.2
12.2.0.1
Latest patch numbers and availability can be found in <Document:756671.1> "Primary Note for Database Proactive Patch Program", or by following links in the latest Critical Patch Update under <Document:467881.1>.
On Windows platforms the latest bundle reports conflicts with a previously installed OJVM patch
It is normal and expected for the latest bundle to report conflicts with a previously installed OJVM patch. Each Windows bundle patch has a corresponding OJVM patch. The standard procedure to apply bundle and OJVM patch in windows environment is:
Rollback the old OJVM patch
Apply the latest bundle patch
Apply the latest OJVM patch
Do I need to patch database client installs with OJVM PSU ?
The OJVM PSU patch is not applicable for client installs
The JDBC Patch is applicable to client installs
Do I need to patch Java clients ?
For Java clients see the latest Critical Patch Update availability information for "Oracle Java SE"
eg: For October 2014 Java SE patch availability information see <Document:1931846.1>
Java clients using JDBC should also be patched with the JDBC Patch. If the ojdbc*jar files used by the client were originally copied from an ORACLE_HOME install then it is advisable to update those ojdbc*jar files after the JDBC Patch has been applied.
Do I need to remove the mitigation patch when I install the OJVM PSU patch ?
You do not need to rollback the mitigation patch, but you must execute "dbms_java_dev.enable" before applying the OJVM PSU patch.
With the mitigation patch left in place you can still use "dbms_java_dev.disable" if required.
Why does this document mention using STARTUP UPGRADE for OJVM PSU post install steps when the README does not?
ORA-7445 errors may be reported if anything in the database tries to use the JavaVM after OJVM PSU has been applied but before OJVM PSU post install steps have executed. This can affect databases using Change Data Capture (CDC), or databases with job/s that use JavaVM directly or indirectly etc.. This document suggests to use STARTUP UPGRADE for the OJVM PSU post install steps as that mode disables system triggers and jobs and so reduces the chance of something trying to use the JavaVM before the post install steps have completed. It is not mandatory to use UPGRADE mode, and in many cases it is not required. If you do hit ORA-7445 errors on a normal (or restricted) startup after applying OJVM PSU then using UPGRADE mode just for the OJVM PSU post install steps should allow you to proceed.
From April 2015 onwards OJVM PSU README now indicates to use STARTUP UPGRADE
In RAC environments the cluster_database parameter should be set to FALSE in order to STARTUP UPGRADE
Is there a problem if I ran DB PSU post install steps before OJVM PSU steps ?
It is valid to run DB PSU post install steps before OJVM PSU steps but this will result in additional invalidations / recompilations and may extend the period of time taken to complete the steps. Be sure to check the post install logs just in case there was some unexpected error.
How often are OJVM PSU patches released ?
Patches will be released as required at the same time as other Critical Patch Update patches.
Will future OJVM PSU be RAC Rolling installable ?
Technically, no. There are potential alternatives that were discussed above, and that are detailed in MOS <NOTE 2217053.1>, RAC Rolling Install Process for the "Oracle JavaVM Component Database PSU/RU"
Does OJVM PSU include non security fixes ?
OJVM PSU may include some high impact non-security OJVM fixes
How can I tell if the mitigation patch is installed and enabled ?
The mitigation patch creates a view called "JAVA_DEV_STATUS"
If the view is missing the mitigation patch is not installed
If view is present then selecting from the view should return a single row with column JAVA_DEV_ENABLED showing YES or NO to indicate if Java development is currently enabled (YES) or disabled (NO).
Why are there 2 entries for "jvmpsu.sql" in DBA_REGISTRY_HISTORY after applying DB PSU (or equivalent) and OJVM PSU ?
Depending on the exact patching order used DB PSU post install steps may also run the jvmpsu.sql script - this is normal and expected.
You should always run complete post install steps as documented regardless of content of DBA_REGISTRY_HISTORY.
Why do I get ORA-942 errors from DBMS_JAVA_DEV ?
This can occur if the database does not have a valid JavaVM installed. eg:
ORA-00942: table or view does not exist ORA-06512: at "SYS.DBMS_JAVA_DEV", line 54 ORA-06512: at line 1
If you get such errors then check if the database has JavaVM installed (see earlier) - if not then no post install steps are required and the error can be ignored.
Do I need to run post install scripts for OJVM PSU after installing JVM manually inside the Database ?
Yes. If OJVM PSU is applied when there is no JVM inside the database, after installing JVM, run the post installation scripts for OJVM PSU.
Why is the prior OJVM PSU not rolled back when a later release is installed? And why is an older OJVM PSU reapplied when a later release is rolled back?
Beginning in OPatch 12.2.0.1.5 and 11.2.0.3.14 there is a behavior change in the way superset patches address subset. Additionally, in OPatch 12.2.0.1.5 OVM has been removed. Please see the note for additional information:Note: 2161861.1 OPatch: Behavior Changes starting in OPatch 12.2.0.1.5 and 11.2.0.3.14 releases
Can I apply the the OJVM PSU patch before running DBUA?
Yes. DBUA will perform the Post Install steps for the OJVM PSU after the upgrade completes
Additional Notes
OJVM PSU information available BEFORE 30/Oct/2014 contained incorrect information about patching requirements. See <Document:1938931.1> if you used OJVM PSU information from before 30/Oct/2014.
Modification History
Date
Modification
19 October 2017
Correct reported link problems
07 November 2017
Add references to Patch 23727148
15 November 2017
Recommend that OJVM and DB patch quarters (versions) match
27 November 2017
Added statement that 12.2 does not need the JDBC fixes. Added 12.2 to 'Patches Applicable' table
12 January 2018
Update link to the "Oracle Database Server Risk Matrix" information. Updated title of and references to Note 756671.1
26 January 2018
added warning about potential ORA-20031 during rollback
31 January 2018
Changed all RU to 'Update', all RUR to 'Revision'
08 February 2018
Changed patch number 23727148 to 23727132 in the 11.2.0.4 section of table "Which Patches are Applicable to which Homes ?"
04 May 2018
updated "October 2014 JDBC patch" to "July 2016 JDBC patch"
07 February 2019
Included references to new DOC ID 2217053.1 for OJVM rolling patch mode
16 August 2021
Included 21c, where the OJVM patch is included within the Database Release Update (RU) patch
Contacts
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
