This document discusses Oracle database security updates and patching. It begins by addressing common questions and concerns about patching, such as whether patching is needed if behind a firewall, how often to apply proactive bugfixes, and potential issues like downtime and breakage. It then covers the different types of proactive patches, how to apply them to reduce downtime, and resources for further information. The conclusion emphasizes the importance of reading the patch README for installation instructions and details.

1. Juris Trošins
juris.trosins@dbacc.lv
www.dbacc.lv
Answers To The Questions You Probably
Were Afraid To Ask About Oracle Database
Security Updates

2. What We Do
• DBA Outsourcing
• Remote Consulting
• Oracle Training
• Oracle Software
• Oracle Hardware

3. Portfolio

4. About me
• More than third of my life with Oracle tech
• OCE, OCP, OCM
• Co-founder of DBA Competence Center Ltd.
• Trainer at Oracle University
• Speaker at LVOUG, UKOUG, Harmony and
other technology seminars

5. Sort of Agenda
• Few existential questions
• Some motivational stuff
• Bits of technical information

7. ???
• My databases are behind
firewall, do I need security
patches?
• Should I apply proactive
bugfixes?
• How often?
• Do I need downtime? How
long?
• What if I break something?
• There are so many
recommended patches!
Which one is right for me?
• If it works, do not fix it!
• Patching implies
downtime
• Patch will break my DB,
execution plans,
everything
• Patch will introduce new
errors or new features
• I need to test patch
• Patching is extra work!

8. To patch… or not to patch?

9. Yeah, fine! Let’s skip that patch!

10. CVE
• Industry standard – Common Vulnerabilities
and Exposures
• CVSS Base Score

12. Patch is Like a Vaccine
• If you skip common sence, here are another
reasons to apply patches:
– Security standard recommendations (PCI/DSS,
Oracle Support Compliance, internal rules, etc.)
– Oracle Support will «blame» you when you hit
«that bug» while being unpatched
– Finally it justifies your position as a DBA in a world
of «self managing databases» 
– Proactive patches are already tested and
evaluated by Oracle development

13. Where to start?

16. Types of Proactive Patches

17. What’s New?
• Critical Security patches (CPU/SPU, pre-12c)
contain only security fixes
• PSU/RU/RUR contain security fixes plus
bugfixes
• RU (Update) vs RUR (Revision) – 12.2+
– Release Updates are like PSUs
– Revisions contain previous RU plus additional fixes

18. How To Apply
• Read the README!!!
• OPatch utility – Patch: 6880880 (get the latest
one for your version)
• BP, Combo or System patch –
# opatchauto
• RU, RUR, CPU/SPU/PSU –
$ opatch apply

19. How to Reduce Downtime
• RAC rolling installable
• DG Standby First installable
• Online (hot) patching
• Fiddeling with software provisioning

20. • Rolling Patch - OPatch Support for RAC (Doc ID
244241.1
• Oracle Patch Assurance - Data Guard Standby-
First Patch Apply (Doc ID 1265700.1)
• How To Setup a Rapid Home Provisioning
(RHP) Server and Client (Doc ID 2097026.1)
• Minimal downtime patching via cloning 12c
ORACLE_HOME directories with OPlan (Doc ID
2087150.1)

21. What about OJVM Patch?
• It is recommended, and «almost» mandatory
• Yes, even if you do not use JVM in your
database!
• Not RAC Rolling (?) nor DG Standby-First
installable, hence implies outage
• Depending on your JVM usage downtime can
be mitigated:
– Mitigation Patch, or
– Perform postinstall with «open normal» database

23. • Oracle Recommended Patches -- "Oracle
JavaVM Component Database PSU and
Update" (OJVM PSU and OJVM Update)
Patches (Doc ID 1929745.1)
• RAC Rolling Install Process for the "Oracle
JavaVM Component Database PSU/RU" (OJVM
PSU/RU) Patches (Doc ID 2217053.1)

24. «Installed but Disabled» Mode
• No fixes that change execution plan were
included in PSUs… until…
• Fixes to the execution plan are included
starting with 12.1.0.2 Apr18 DB BP
• Such fixes will be DISABLED by default
• New Feature: Automatic Fix Control
Persistance
• New DBMS_OPTIM_BUNDLE package

25. Further Reading
• README of individual patch!
• Oracle Patch advisory
https://www.oracle.com/technetwork/topics/security/
alerts-086861.html
• OPatch User's Guide and Opatch FAQ (Doc ID
1486109.1)
• Release Update Introduction and FAQ (Doc ID
2285040.1)
• Automatic Fix Control Persistence (FCP) for Database
Proactive Bundle Patch (Doc ID 2147007.1) (12.2+)
• Patch Set Updates for Oracle Products (Doc ID
854428.1) (up to 12.1)

26. Conclusion
• Read the README!
If you did not read the README, read that
README!!!

27. Q/A
@juristrosins
juris.trosins@dbacc.lv
(+371) 29 427247
www.dbacc.lv