
Oracle Security Patch Updates (SPU) and Security Alerts


Oracle has an extensive portfolio of software products and, like all software, Oracle’s product line contains vulnerabilities from time to time. Patches are regularly released to fix these.

For the RDBMS Server (database) Software, there are two types of Patches:

Reactive Patches:

  • Are usually delivered as “Interim Patches”
  • Were historically known as “one-off” patches
  • Are provided on demand for a given “defect, version, platform” combination
  • Go through basic sanity tests
  • Fixes will usually be included in the next relevant Patch Set Release
  • Each Patch Set has a “code freeze” date beyond which only “show-stopper” fixes are included.
  • If a fix misses the next Patch Set it will be included in the subsequent Patch Set (if there is one)

Proactive Patches:

  • address high impact bugs that affect a given configuration
  • contain proven low risk fixes
  • go through extra levels of testing, determined by the feature(s) affected
  • are available on “My Oracle Support” by clicking on the “Patches & Updates” tab

In early 2018, Oracle introduced a new numbering system. In contrast to the “old” numbering system such as 12.2.0.2 (version 12, Major Release 2, patch update 1), all patch levels after version 12.2.0.1 will be structured as follows: Year.Update.Revision. So patch set 12.2.0.2 will become 18.1.0.

Proactive Patches (RU / RUR / SPU / PSU / Bundle Patches / ODA Bundle Patches)

The different proactive patch methodologies can be visualized as follows:

Oracle releases several types of patches for Database and Grid-Infrastructure installations, namely:

  • Quarterly Release Updates (RUs) and Quarterly Release Update Revisions (RURs) – Applies to Database 18.1.0 and later
  • Quarterly Patch Set Updates (PSUs) and Quarterly Proactive Bundle Patches (BPs) – Applies to Database 12.1.0.2 and prior
  • One-off Patches – Applies to all Database versions

As of database version 12.2.0, RUs will replace Bundle Patches and RURs will replace PSUs. For more information on RUs and RURs, see MOS Docid: Release Update Introduction and FAQ (Doc ID 2285040.1).

  • RUs are proactive, highly tested bundles of critical fixes which enable customers to avoid known issues. They are specific to a particular annual release.
  • RURs contain security and regression fixes to a RU that extend the RU’s lifetime up to two quarters. They are specific to a particular RU.
  • The legacy terms ‘Patchset’, ‘Patchset Update’, and ‘Database Bundle Patch’ will no longer be meaningful for 12.2 database software.

Oracle uses the following terminology with regard to the proactive patches:

RURs | Patch Set Updates (PSU):

  • A cumulative collection of fixes for proven high impact bugs encountered in the field
  • Includes the security fixes that are released as part of the CPU program
  • Guaranteed not to contain any changes to the optimizer or fixes which change application behavior
  • May span multiple stack components
    For example: “Database Grid Infrastructure PSU” (GI PSU) includes fixes for both the Grid Infrastructure and the Database
  • Delivered on predefined quarterly schedule
  • Database PSU and Database Grid Infrastructure PSU are always RAC Rolling and Standby First installable.
  • OJVM PSU is neither RAC Rolling nor Standby First installable

These are cumulative patches in which all previous SPU patches have been merged with some other important fixes. These patches result in a minor version change, for example 11.2.0.1.1 to 11.2.0.1.2.

Security Patch Update (SPU):

  • A cumulative collection of security fixes released as part of Oracle’s Critical Patch Update (CPU) program
  • Delivered on predefined quarterly schedule
  • Database SPU are always RAC Rolling and Standby First installable
  • Note: Database SPUs are being phased out from Database Release 12c – CPU program security content will be delivered in the appropriate Bundle Patch or PSU (see below).

SPU patches are released quarterly and only contain security fixes. These SPU patches are only available for Linux based operating systems; for Windows the so-called Bundle Patches (see below) are released. SPUs are cumulative, but a certain patch level must be present to apply. SPU patches are the patches that used to be called CPU patches.

RU | Bundle Patches (BP):

BPs can be seen as a PSU.

  • A cumulative collection of fixes to address bugs in a given feature, product, or configuration
  • For example: Windows Database Bundle Patch, Database Patch for Exadata, Database Proactive Bundle Patch
  • A superset of PSU
  • May span multiple stack components
  • For example: “Database Patch for Exadata” includes fixes for both Database and Grid Infrastructure
  • Delivered on pre-defined schedule, which may be more frequent than PSU releases
  • Are always RAC Rolling and Standby First installable
  • As of April 2016, the Database Patch for Engineered Systems and Database In-Memory has been renamed to “Database Proactive Bundle Patch”

OJVM RUR/PSU:

For databases (no GI), Oracle releases patches for the JVM component.

  • Include critical fixes for the Oracle JavaVM component within the Oracle Database
  • Are packaged separately from the Database PSU/RU (or equivalent) as they cannot be installed in a RAC Rolling manner, nor in Standby First manner.
  • Keeping them separate allows customers to choose the most appropriate patching approach for each system
  • Oracle has also released “Combo” patches that bundle the OJVM PSU/RU in the same ZIP file as DB PSU/RU and/or GI PSU/RU for ease of download. The OJVM component in these “Combo” patches is in a separate subdirectory with its own install steps still required. October 2014 “Combo” patches do not include the JDBC Patch.
  • Are applicable to all database installations regardless of which patching model is used (DB RU, GI RU, DB RUR, GI RUR, DB PSU, GI PSU, Security Patch Update (SPU), Windows Bundle Patch or Database Patch for Exadata)
  • Require the database home to be patched to at least October 2014 DB PSU (or equivalent)
  • Include binary changes to be applied to each Database ORACLE_HOME, and “post install” steps to be executed on each database running from the ORACLE_HOME
  • From January 2015 onwards: include the JDBC fixes
  • Oracle Database Release 12.2 does not need the JDBC fixes. Hence, only a quarterly RU for the OJVM component is provided.
  • For situations where the latest OJVM PSU/RU cannot be installed immediately there is a “Mitigation Patch” (Patch 19721304) that can be used as described below.

ODA Bundle Patches (ODA BP):

In contrast to a “normal” Bundle Patch (BP), an ODA BP contains patches for the OS and hardware in addition to patches for GI and RDBMS.

  • All patching of Oracle Database Appliance is done using the quarterly Oracle Database Appliance patch bundle.
  • The patch bundle provides all relevant patches for the entire system, including the following:
    • BIOS
    • Hardware drivers, Hardware Management Pack (HWM), and firmware drivers for various components
    • Oracle Appliance Manager
    • Oracle Linux
    • Oracle VM
    • Java Development Kit (JDK)
    • Oracle Integrated Lights Out Manager (Oracle ILOM)
    • Oracle Database Patch Set Update (PSU)
    • Oracle Auto Service Request (Oracle ASR)
    • Oracle Grid Infrastructure
    • Intelligent Platform Management Interface (IPMI)

What can/should I do with it?

Every quarter, on the Tuesday closest to the 17th of January, April, July, and October, Oracle releases a Critical Patch Update (CPU). Depending on the version and platform, these Security Fixes are incorporated into the different Proactive Patches (RU/RUR/SPU/PSU/BP/PBBP). Depending on the vulnerabilities that have been patched and their severity, the CPU must be applied to the various Oracle components that are affected. On the Thursday before the CPU is actually released, Oracle releases a Pre-Release Advisor. It contains all necessary information regarding the CPU. Based on that information, it must be decided whether it is necessary or useful to install the CPU.

Customers who would like to receive information about the CPU can register here: http://www.oracle.com/technetwork/topics/security/securityemail-090378.html Customers who have products that are still in Premium Support (more information about the different support levels at https://www.dba.nl/oracle-database-12-2-en-slanging-steun-11-2-mar-6-2017/ ) receive a message regarding the SPU when they log in to support.oracle.com.
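The release rule described above can be turned into a patch calendar. The following is an added example, not code from DBA.nl or Oracle; the function names and the sample dates are assumptions chosen for illustration. It computes the CPU release date for a quarter, the matching pre-release Thursday, and the CPU releases a system has missed since its last patch level.

```python
from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)  # January, April, July, October
TUESDAY = 1                 # date.weekday(): Monday is 0

def cpu_release(year, month):
    """Tuesday closest to the 17th of a CPU month."""
    anchor = date(year, month, 17)
    # Signed distance to the nearest Tuesday; always within -3..+3 days,
    # so there is never a tie between two Tuesdays.
    offset = (TUESDAY - anchor.weekday() + 3) % 7 - 3
    return anchor + timedelta(days=offset)

def pre_release(release):
    """Thursday before the release Tuesday (pre-release information)."""
    return release - timedelta(days=5)

def releases_between(start, end):
    """CPU release dates r with start < r <= end, oldest first."""
    found = []
    for year in range(start.year, end.year + 1):
        for month in CPU_MONTHS:
            rel = cpu_release(year, month)
            if start < rel <= end:
                found.append(rel)
    return found

def next_cpu(today):
    """First CPU release on or after `today`."""
    for year in (today.year, today.year + 1):
        for month in CPU_MONTHS:
            rel = cpu_release(year, month)
            if rel >= today:
                return rel

if __name__ == "__main__":
    patch_level = date(2018, 1, 16)  # constructed: date of the last applied CPU
    today = date(2018, 10, 20)       # constructed: audit date
    missed = releases_between(patch_level, today)
    print("CPU releases missed:", [d.isoformat() for d in missed])
    upcoming = next_cpu(today)
    print("Next CPU:", upcoming, "pre-release:", pre_release(upcoming))
```

The number of missed releases is a simple measure of how far a system's security patch level lags behind the quarterly schedule.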

Which Proactive Patch should we apply?

The Database Security Patch Update (SPU) is still available for Oracle 12.1 and is still considered a valid patch methodology. Of the available methods, it carries the lowest risk to apply and requires the least testing. For Oracle 12.2 databases this is not an option, as no more SPUs are released for this version. With regard to Oracle 12 databases, Oracle’s advice is as follows:

  • Every user should apply the latest PSU at least every quarter.
  • Oracle 12.1.0.2.0 customers who want a more complete set of fixes should use the Database Proactive Bundle Patch (DBBP).

Since a PSU contains Critical Fixes in addition to the Security Fixes, applying it requires slightly more testing than an SPU. Oracle guarantees that there are no Optimizer changes in a PSU and no changes that could change the behavior of applications. This means that applying a PSU does not require application level testing.

The DBBP is a PSU Superset, which means that it also contains functional changes in addition to Security and Critical Fixes. As more changes are made, more testing is required. In contrast to the PSU, after applying the DBBP, the applications will also have to be tested.

The table below is from the MOS Document “Overview of Database Patch Delivery Methods (Doc ID 1962125.1)” in which the different patch methods are described:

The different patch methods (BP, PSU or SPU) cannot be mixed in the same ORACLE_HOME (OH). When a DBBP has been applied to a particular OH, it is not possible to apply a PSU to this OH later on unless the DBBP is rolled back. The same applies vice versa. It is therefore important to determine in advance which method to use. DBA.nl recommends using PSUs for Linux environments and BPs for Windows.
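A pre-patch check for this rule can be run against a home's patch inventory. The following is an added example, not code from DBA.nl or Oracle: it assumes a `patch_id;description` listing in the style of `opatch lspatches`, the sample lines are constructed with placeholder patch numbers, and the description wording it matches on is an assumption. OJVM patches are excluded from the check because they apply under every patching model.

```python
import re

# Constructed `patch_id;description` listings; patch numbers are placeholders
# and the description wording is an assumption.
PSU_HOME = """\
11111111;Database Patch Set Update : 12.1.0.2.180417 (11111111)
22222222;OJVM PATCH SET UPDATE 12.1.0.2.180417
33333333;
"""
MIXED_HOME = PSU_HOME + "44444444;Database Bundle Patch : 12.1.0.2.180417 (44444444)\n"

# OJVM is tested first: its name contains "Patch Set Update", yet it is
# applicable regardless of which patching model the home uses.
RULES = [
    ("OJVM", re.compile(r"OJVM|Oracle JVM|JavaVM", re.I)),
    ("BP", re.compile(r"Bundle Patch", re.I)),
    ("SPU", re.compile(r"Security Patch Update", re.I)),
    ("PSU", re.compile(r"Patch Set Update", re.I)),
]
EXCLUSIVE = {"BP", "PSU", "SPU"}  # methods that cannot share an ORACLE_HOME

def classify(description):
    """Map a patch description to a patching method; default is an interim patch."""
    for method, pattern in RULES:
        if pattern.search(description):
            return method
    return "INTERIM"

def methods_in_home(listing):
    """Set of mutually exclusive methods found in one home's patch listing."""
    methods = set()
    for line in listing.splitlines():
        _, sep, description = line.partition(";")
        if sep:  # skip lines that are not patch entries
            methods.add(classify(description))
    return methods & EXCLUSIVE

def can_apply(listing, candidate):
    """True if applying `candidate` would not mix methods in this home."""
    if candidate not in EXCLUSIVE:
        return True  # OJVM and interim patches do not change the method
    return methods_in_home(listing) <= {candidate}

if __name__ == "__main__":
    print("PSU home, apply BP:", can_apply(PSU_HOME, "BP"))
    print("Methods in mixed home:", sorted(methods_in_home(MIXED_HOME)))
```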

What does DBA.nl recommend for applying updates?

We recommend applying an SPU, PSU or Bundle Patch to a representative test environment as soon as possible after it is released. This allows you to assess:

  1. Approximately how long it will take to apply the patch to the production environment
  2. Whether your environment may have undetected configuration/software issues that could frustrate successful patch application to the production environment
  3. Whether the patch itself will affect the functioning of your environment

Since preparing and properly performing an update can take quite a lot of your valuable time, it can pay to outsource this work. To this end, DBA.nl provides the Security Patch service.

What is the DBA.nl Security Patch service?

The standard DBA.nl SLA does not include proactive patching because many choose to do this themselves. As an additional service, we can take this work off your hands.

  • Every quarter, DBA.nl checks (using the Pre-Release Advisor) whether the latest released patch is applicable to one or more Oracle components within your environment. The result of this will be reported.
  • For Oracle 11 environments, the SPU patch will be applied in the test environment to the Oracle components to which the patch applies. This will be planned in consultation with you.
  • If it concerns an Oracle 12 environment, DBA.nl recommends using the PSU; this will be scheduled in consultation with you.
  • When the patched test environment has functioned for at least a week without significant problems, the application of the SPU or PSU to the production environment can be scheduled. The aim is to have the patch applied to your production environment within a month of its release.
  • [Optional] If desired, it is possible to agree to apply a DBBP every quarter. Since this also includes functional changes, a test plan will have to be drawn up in consultation with the customer.

Sources
Document:

  • Assistant: Download Reference for Oracle Database/GI PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases (Doc ID 2118136.2)
  • Master Note For OPatch (Doc ID 293369.1)
  • Master Note for Database Proactive Patch Program (Doc ID 756671.1)
  • Oracle Recommended Patches — “Oracle JavaVM Component Database PSU and RU” (OJVM PSU and OJVM RU) Patches (Doc ID 1929745.1)
