X

Proactive insights, news and tips from Oracle Fusion Middleware Support. Learn Oracle from Oracle.

Oracle Weblogic Server Critical Patch Update

Puneeth Prakash
Principal Software Engineer

NOTE : 

Information in this blog is extracted as-is from the "Critical Patch Updates, Security Alerts and Bulletins Security Alerts" Oracle document, PSU ReadMe document, and other KM Articles referred in it :

Link: Critical Patch Updates, Security Alerts and Bulletins

This blog has PSU information specific to standalone WebLogic installation.

It is divided into the following sections:

Information related to WLS PSU in General :

  1. How often are PSU patches released by Oracle?

  2. Understanding the naming conversion of WLS PSU

  3. What is the difference between PSU / Samples SPU / ADR patches?

  4. Should I apply the WLS samples SPU patch in my environment? How to check if WLS samples are installed?

  5. Should I apply the ADR patch? How to check if ADR is installed in my environment?

  6. Error Correction dates

Additional Info :

  1. Map CVEs to the Critical Patch Update Advisory or Security Alert that addresses them.

  2. Instructions for subscribing to email notifications of Critical Patch Update Advisories and Security Alerts

  3. Critical Patch Update and Security Alert Programs Frequently Asked Questions

Other Known Issues :

  1. Note 2259579.1 Native Windows Zip/Unzip Tools Fail To Extract Contents From Oracle Patch Zip Files
  2. Note 2429512.1 During Install PSU on WebLogic Get Windows Error "File or Path Name is too long"
  3. Note 1186923.1 Diagnosing "Encountered unrecognized patch ID" Failures When Trying to Patch WLS Using BSU

-------------

Information related to WLS PSU in General :

1. How often are PSU patches released by Oracle?

Critical Patch Updates are collections of security fixes for Oracle products. They are available to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

19 January 2021
20 April 2021
20 July 2021
19 October 2021

Reference: 

Critical Patch Updates, Security Alerts and Bulletins

2. Understanding the naming conversion of WLS PSU

Understanding WebLogic Server Patch Set Update (PSU) Release Versions (Doc ID 2565576.1)    

3. What is the difference between ADR / Samples SPU / PSU patches?

ADR :

Automatic Diagnostic Repository (ADR) is part of the Oracle Fusion Middleware Diagnostic Framework.

The Oracle Fusion Middleware Diagnostic Framework helps you to collect and manage information about a problem so that you can resolve it or send it to Oracle Support for resolution.

Reference: 

Oracle Fusion Middleware Diagnostic Framework

SPU :

Security Patch Update. An iterative, cumulative patch consisting of security fixes.

WebLogic Samples SPU patch can not be applied when samples are not installed into the Oracle home.

Reference: 

Sample Applications and Code Examples

Note: Do not configure the WebLogic Server sample applications on a production machine. 

Reference: 

Ensuring the Security of Your Production Environment

PSU :

Oracle provides PSUs (Patch Set Updates) released with the Critical Patch Update program. You only need to apply the latest, as they are cumulative.

Always refer to the latest cumulative Fusion Middleware Patch Availability Document from the latest Security Advisory to obtain the initial announcement of PSUs and other steps to secure the environment:

Reference:

Critical Patch Updates, Security Alerts and Bulletins
 

Overview of PSUs
A PSU is a proactive patch with the following characteristics:

  • Cumulative
  • Quarterly schedule
  • Highly controlled and selected content
  • Includes CPU (Critical Patch Update) security fixes
  • Includes NO enhancements
  • Tested for both regressions and functional correctness

Follows the error correction policy of the Patch Set that the PSU is based on
PSUs are cumulative: the 10.3.6.0.2 PSU will include the fixes from the 10.3.6.0.1 PSU, and so on. PSUs are on the same quarterly schedule as the Critical Patch Updates (CPUs), specifically the Tuesday closest to the 17th of January, April, July, and October.

PSUs offer the following features and benefits:

  • Low-Risk, High-Value Content
  • One Integrated, Well Tested Patch
  • Baseline Version for Easier Tracking

Reference:

Patch Set Update (PSU) Administration Guide for Oracle WebLogic Server (WLS) (Doc ID 1306505.1)

4. Should I apply the WLS samples SPU patch in my environment? How to check if WLS samples are installed?

How to check if WLS samples are installed :

1. Run viewInventory.sh | cmd.
2. If Samples are installed you should see below FeatureSet in ViewInventory output:

FeatureSet: wls_examples 12.X.X
Component: oracle.wls.server.examples 12.X.X

WebLogic Samples SPU can not be applied when samples are not installed into the Oracle home.

The following messages are output when WLS Samples SPU is being applied by OPatch tool.

$ ../../OPatch/opatch apply
Oracle Interim Patch Installer version 13.9.X.X.X
Copyright (c) 2018, Oracle Corporation. All rights reserved.
Oracle Home : <MW_HOME/ORACLE_HOME>
Central Inventory : <DIR>/oraInventory
from : <MW_HOME/ORACLE_HOME>/oraInst.loc
OPatch version : 13.9.X.X.X
OUI version : 13.9.X.X.X
Log file location : <MW_HOME/ORACLE_HOME>/cfgtoollogs/opatch/opatch2020-XX-XX_XX-XX-XXAM_1.log
OPatch detects the Middleware Home as "<MW_HOME/ORACLE_HOME>"

Verifying environment and performing prerequisite checks...
Skip patch <Patch NO> from list of patches to apply: This patch is not needed.

After skipping patches with missing components, there are no patches to apply.
OPatch Session completed with warnings.
Log file location: <MW_HOME/ORACLE_HOME>/cfgtoollogs/opatch/opatch2020-XX-XX_XX-XX-XXAM_1.log

OPatch completed with warnings.
This message can be ignored. This is coming because there is no jars available for the patch to fix because those were not installed/available.

5. Should I apply the ADR patch? How to check if ADR is installed in my environment?

Automatic Diagnostic Repository (ADR) is part of the Oracle Fusion Middleware Diagnostic Framework.

You may verify the existence of the ADR component within your FMW/WLS installation in these ways:

  • Look for the presence of an ADR directory under the Oracle Home at <MW_HOME | ORACLE_HOME>/oracle_common/adr/adrci
    - If the ADR directory is present, your installation contains the ADR feature.
     
  • Use the ORACLE_HOME/oui/bin/viewInventory.sh script (viewInventory.cmd on Windows) to obtain a list of all Distributions, Feature Sets, and Components.
    - If the "oracle.adr" is listed, you have ADR component installed.
    - For example, within the output:

    FeatureSet: adr_platforms 12.1.2.0.0
    Component: oracle.adr 12.1.2.0.0

The ADR component is part of the Oracle Fusion Middleware Diagnostic Framework and is no longer required with WebLogic Server when installed alone (without Fusion Middleware products) or when features of ADR are not desired.

Reference: 

What is the Automatic Diagnostic Repository (ADR)? When Does ADR Need to be Updated? (Doc ID 2703429.1)    

Introducing New Lite, Slim and Quick Installers for Oracle WebLogic Server - Without the ADR Component (Doc ID 2703355.1)    

6. Error Correction dates

Link: Error Correction information for Oracle WebLogic Server Patch Set Update

Reference : 

Critical Patch Update (CPU) Program Oct 2020 Patch Availability Document (PAD) (Doc ID 2694898.1)    

Error Correction Support Dates for Oracle WebLogic Server (Doc ID 950131.1)    

Please share your suggestions/feedback in the comments section of this blog.

Thank You!

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.