oracle資料庫高危漏洞補丁集安裝
——記一次ORACLE資料庫使用opatch升級PSU的過程
目的:使用oracle自帶工具opatch對oracle資料庫軟體應用高危漏洞補丁集PSU,修復oracle資料庫高危漏洞,規避由於普通使用者具有業務使用者資料表的查詢許可權,
繞過資料庫安全機制對業務使用者資料表進行增、刪、改操作的隱患。
風險:
1、本次整改中需要啟停資料庫
前期準備:
作業系統版本:
[oracle@orcl11204 20299013]$ uname -a
Linux orcl11204 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:41:04 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
OPatch軟體客戶端版本:
[oracle@orcl11204 20299013]$ export PATH=$ORACLE_HOME/OPatch:$PATH
[oracle@orcl11204 20299013]$opatch version
OPatch Version: 11.2.0.3.4
OPatch succeeded.
資料庫版本:
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status<>'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status<>'VALID';
no rows selected
準備高危漏洞補丁包
根據漏洞補丁集安裝要求opatch的版本最低位11.2.0.3.6,因此需要準備
高危漏洞的模擬測試
[oracle@orcl11204]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>create user test identified by test;
user created.
SQL>grant dba to test;
Grant succeeded.
SQL>conn test/test
Connected.
SQL>create table t(id number);
Table created.
SQL>insert into t values(1); --插入5條
1 row created.
SQL>commit;
Commit complete.
[oracle@orcl11g database]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create user test_update identified by test_update;
User created.
SQL> grant select on test.t to test_update;
Grant succeeded.
SQL> grant create session to test_update;
Grant succeeded.
SQL> conn test_update/test_update
Connected.
SQL> select count(*) from test.t;
COUNT(*)
----------
5
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10 where id = 1;
1 row updated.
SQL> commit;
Commit complete.
SQL> delete (with temp as (select * from test.t) select id from temp) where id = 2;
1 row deleted.
SQL> commit;
Commit complete.
SQL> insert into (with temp as (select * from test.t) select * from temp) select *
from test.t where id =1;
0 rows created.
SQL> commit;
Commit complete.
由上DML執行及結果部分可知,普通擁有對業務使用者下表的查詢許可權可以透過構造臨時表對業務資料表進
行DML操作,該漏洞很危險。
以下是漏洞補丁安裝及補丁安裝完畢後的驗證:
關閉資料庫例項及監聽程式,如果EM開啟,也要關閉EM
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 17:48:47 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> quit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@orcl11204 20299013]$ lsnrctl statu
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-JUN-2015 17:50:59
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11204)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 29-JUN-2015 16:51:52
Uptime 0 days 0 hr. 59 min. 7 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/oracle/product/11.2.0.4/db/network/admin/listener.ora
Listener Log File /opt/oracle/diag/tnslsnr/orcl11204/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11204)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
根據readme的提示更新OPatch即將上傳解壓並替換$ORACLE_HOME下的OPatch,注意先備份原有的OPatch以方便回退還原
[oracle@orcl11204 ~]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
根據readme的提示先做安裝前的預檢,注意如果沒有更新OPatch,預檢能夠透過,但是應用補丁集的時候會報錯退出
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-46-33PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ ps -ef|grep ora_
oracle 1757 24201 0 17:51 pts/2 00:00:00 grep ora_
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
Verifying environment and performing prerequisite checks...
Prerequisite check "CheckMinimumOPatchVersion" failed.
The details are:
The OPatch being used has version 11.2.0.3.4 while the following patch(es) require higher versions:
Patch 17478514 requires OPatch version 11.2.0.3.5.
Patch 18031668 requires OPatch version 11.2.0.3.5.
Patch 18522509 requires OPatch version 11.2.0.3.5.
Patch 19121551 requires OPatch version 11.2.0.3.5.
Patch 19769489 requires OPatch version 11.2.0.3.5.
Patch 20299013 requires OPatch version 11.2.0.3.5.
Please download latest OPatch from My Oracle Support.
UtilSession failed: Prerequisite check "CheckMinimumOPatchVersion" failed.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
OPatch failed with error code 73
以下是更新完OPatch的安裝過程
[oracle@orcl11204 ~]$ ls
20299013 database p20299013_112040_Linux-x86-64.zip p6880880_112000_Linux-x86-64.zip PatchSearch.xml
[oracle@orcl11204 ~]$ mv p6880880_112000_Linux-x86-64.zip $ORACLE_HOME
[oracle@orcl11204 ~]$ cd $ORACLE_HOME
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ mv OPatch OPatch11204bak
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch11204bak plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ unzip p6880880_112000_Linux-x86-64.zip
Archive: p6880880_112000_Linux-x86-64.zip
creating: OPatch/
inflating: OPatch/operr.bat
inflating: OPatch/opatch.bat
creating: OPatch/crs/
inflating: OPatch/crs/OsysModel.jar
inflating: OPatch/crs/installPatch.excl
inflating: OPatch/crs/patchDB.pl
inflating: OPatch/crs/CRSProductDriver.jar
inflating: OPatch/crs/patch112.pl
inflating: OPatch/crs/auto_patch.pl
inflating: OPatch/crs/opatchauto
creating: OPatch/crs/log/
inflating: OPatch/crs/patch11203.pl
inflating: OPatch/crs/driver.jar
inflating: OPatch/crs/patch11202.pl
inflating: OPatch/emdpatch.pl
inflating: OPatch/README.txt
creating: OPatch/docs/
inflating: OPatch/docs/Users_Guide.txt
inflating: OPatch/docs/Prereq_Users_Guide.txt
inflating: OPatch/docs/cversion.txt
inflating: OPatch/docs/FAQ
extracting: OPatch/version.txt
creating: OPatch/opatchprereqs/
creating: OPatch/opatchprereqs/oui/
inflating: OPatch/opatchprereqs/oui/knowledgesrc.xml
creating: OPatch/opatchprereqs/opatch/
inflating: OPatch/opatchprereqs/opatch/opatch_prereq.xml
inflating: OPatch/opatchprereqs/opatch/rulemap.xml
inflating: OPatch/opatchprereqs/opatch/runtime_prereq.xml
inflating: OPatch/opatchprereqs/prerequisite.properties
creating: OPatch/opatchauto-dir/
creating: OPatch/opatchauto-dir/opatchautocore/
creating: OPatch/opatchauto-dir/opatchautocore/jlib/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ProductDriver.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oracle.oplan.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oplan_core.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/OsysModel.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/automation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/patchsdk.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/activation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/osysmodel-utils.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/bundle.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/Validation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ValidationRules.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/com.oracle.glcm.common-logging_1.0.0.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/oplan
inflating: OPatch/opatchauto-dir/opatchautocore/oplan.bat
inflating: OPatch/opatchauto-dir/opatchautocore/README.txt
inflating: OPatch/opatchauto-dir/opatchautocore/README.html
inflating: OPatch/opatchauto-dir/opatchautocore/opatchautobinary
creating: OPatch/opatchauto-dir/opatchautodb/
creating: OPatch/opatchauto-dir/opatchautodb/jlib/
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oracle.oplan.db.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oplan_db.jar
creating: OPatch/jlib/
inflating: OPatch/jlib/oracle.opatch.classpath.jar
inflating: OPatch/jlib/opatch.jar
inflating: OPatch/jlib/opatchsdk.jar
inflating: OPatch/jlib/oracle.opatch.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.unix.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatch.classpath.unix.jar
creating: OPatch/scripts/
inflating: OPatch/scripts/opatch_wls
inflating: OPatch/scripts/opatch_jvm_discovery.bat
inflating: OPatch/scripts/opatch_wls.bat
inflating: OPatch/scripts/opatch_jvm_discovery
creating: OPatch/oplan/
inflating: OPatch/oplan/oplan.bat
creating: OPatch/oplan/jlib/
creating: OPatch/oplan/jlib/jaxb/
inflating: OPatch/oplan/jlib/jaxb/activation.jar
inflating: OPatch/oplan/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-api.jar
inflating: OPatch/oplan/jlib/OsysModel.jar
inflating: OPatch/oplan/jlib/JMXDrivers.jar
inflating: OPatch/oplan/jlib/Validation.jar
inflating: OPatch/oplan/jlib/automation.jar
inflating: OPatch/oplan/jlib/bundle.jar
inflating: OPatch/oplan/jlib/oplan.jar
inflating: OPatch/oplan/jlib/CRSProductDriver.jar
inflating: OPatch/oplan/jlib/OuiDriver.jar
inflating: OPatch/oplan/jlib/oracle.oplan.classpath.jar
inflating: OPatch/oplan/jlib/patchsdk.jar
inflating: OPatch/oplan/jlib/osysmodel-utils.jar
inflating: OPatch/oplan/jlib/ValidationRules.jar
creating: OPatch/oplan/jlib/apache-commons/
inflating: OPatch/oplan/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/oplan/jlib/EMrepoDrivers.jar
inflating: OPatch/oplan/README.html
inflating: OPatch/oplan/oplan
inflating: OPatch/oplan/README.txt
inflating: OPatch/operr
inflating: OPatch/opatch
inflating: OPatch/opatchdiag.bat
inflating: OPatch/operr_readme.txt
inflating: OPatch/opatchdiag
inflating: OPatch/opatch.pl
creating: OPatch/ocm/
creating: OPatch/ocm/lib/
inflating: OPatch/ocm/lib/emocmclnt.jar
inflating: OPatch/ocm/lib/log4j-core.jar
inflating: OPatch/ocm/lib/regexp.jar
inflating: OPatch/ocm/lib/emocmcommon.jar
inflating: OPatch/ocm/lib/osdt_core3.jar
inflating: OPatch/ocm/lib/jsse.jar
inflating: OPatch/ocm/lib/http_client.jar
inflating: OPatch/ocm/lib/osdt_jce.jar
inflating: OPatch/ocm/lib/emocmclnt-14.jar
inflating: OPatch/ocm/lib/jnet.jar
inflating: OPatch/ocm/lib/jcert.jar
inflating: OPatch/ocm/lib/xmlparserv2.jar
extracting: OPatch/ocm/ocm.zip
creating: OPatch/ocm/bin/
inflating: OPatch/ocm/bin/emocmrsp
inflating: OPatch/ocm/ocm_platforms.txt
creating: OPatch/ocm/doc/
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch perl sqlplus
assistants cv ide lib OPatch11204bak plsql srvm
bin dbs install log opmn precomp suptools
ccr dc_ocm instantclient md oracore racg sysman
cdata deinstall inventory mesg oraInst.loc rdbms timingframework
cfgtoollogs demo j2ee mgw orcl11204_db11204 relnotes ucp
clone diagnostics javavm network ord root.sh uix
config dv jdbc nls oui scheduler usm
crs emcli jdev oc4j owb slax utl
csmig EMStage jdk odbc owm sqldeveloper wwg
css has jlib olap p6880880_112000_Linux-x86-64.zip sqlj xdk
[oracle@orcl11204 20299013]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-52-51PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
Verifying environment and performing prerequisite checks...
OPatch continues with these patches: 17478514 18031668 18522509 19121551 19769489 20299013
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/opt/oracle/product/11.2.0.4/db')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying sub-patch '17478514' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sdo, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.sdo.locator, 11.2.0.4.0...
Patching component oracle.nlsrtl.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18031668' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.ldap.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.crs, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ldap.rsf.ic, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18522509' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19121551' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.ordim.client, 11.2.0.4.0...
Patching component oracle.ordim.jai, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19769489' to OH '/opt/oracle/product/11.2.0.4/db'
ApplySession: Optional component(s) [ oracle.sysman.agent, 11.2.0.4.0 ] not present in the Oracle Home or a higher version is found.
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ovm, 11.2.0.4.0...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.util, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.oraolap, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '20299013' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.dv, 11.2.0.4.0...
Patching component oracle.rdbms.oci, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.sysman.common, 10.2.0.4.5...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sysman.common.core, 10.2.0.4.5...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Composite patch 20299013 successfully applied.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch lsinventory
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_19-07-44PM_1.log
Lsinventory Output file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/lsinv/lsinventory2015-06-29_19-07-44PM.txt
--------------------------------------------------------------------------------
Local Machine Information::
Hostname: orcl11204
ARU platform id: 226
ARU platform description:: Linux x86-64
Installed Top-level Products (1):
Oracle Database 11g 11.2.0.4.0
There are 1 products installed in this Oracle Home.
Interim patches (1) :
Patch 20299013 : applied on Mon Jun 29 19:00:43 CST 2015
Unique Patch ID: 18573940
Patch description: "Database Patch Set Update : 11.2.0.4.6 (20299013)"
Created on 4 Mar 2015, 02:27:44 hrs PST8PDT
Sub-patch 19769489; "Database Patch Set Update : 11.2.0.4.5 (19769489)"
Sub-patch 19121551; "Database Patch Set Update : 11.2.0.4.4 (19121551)"
Sub-patch 18522509; "Database Patch Set Update : 11.2.0.4.3 (18522509)"
Sub-patch 18031668; "Database Patch Set Update : 11.2.0.4.2 (18031668)"
Sub-patch 17478514; "Database Patch Set Update : 11.2.0.4.1 (17478514)"
Bugs fixed:
17288409, 17798953, 18273830, 18607546, 17811429, 17205719, 20506699
17816865, 19972566, 17922254, 17754782, 16384983, 17726838, 13364795
16934803, 17311728, 17284817, 17441661, 17360606, 13645875, 18199537
16992075, 16542886, 17446237, 14015842, 17889549, 14565184, 19972569
17071721, 20299015, 17610798, 17375354, 17449815, 17397545, 19463897
18230522, 13866822, 17235750, 17982555, 16360112, 18317531, 17478514
19769489, 12905058, 14338435, 18235390, 13944971, 18641451, 20142975
17811789, 16929165, 18704244, 12747740, 18430495, 20506706, 17546973
14054676, 17088068, 17346091, 18264060, 17016369, 17042658, 17343514
14602788, 19972568, 19680952, 18471685, 19788842, 18508861, 14657740
17332800, 19211724, 13837378, 13951456, 16315398, 17186905, 18744139
19972564, 16850630, 18315328, 17437634, 19049453, 18673304, 17883081
19006849, 19915271, 19013183, 18641419, 17296856, 18674024, 18262334
17006183, 18277454, 16833527, 17232014, 16855292, 10136473, 17762296
14692762, 17705023, 18051556, 17865671, 17852463, 18554871, 17853498
19121551, 18334586, 19854503, 17551709, 19309466, 17588480, 19827973
17344412, 17842825, 18828868, 18681862, 18554763, 17390160, 18456514
16306373, 17025461, 13955826, 18139690, 11883252, 13609098, 17501491
17239687, 17752121, 17299889, 17602269, 19197175, 17889583, 18316692
17313525, 18673325, 12611721, 19544839, 18293054, 17242746, 18964939
17600719, 18191164, 19393542, 17571306, 18482502, 19466309, 17951233
17649265, 18094246, 19615136, 17040527, 17011832, 17165204, 18098207
16785708, 16870214, 17465741, 16180763, 17174582, 17477958, 12982566
16777840, 18522509, 20631274, 16091637, 17323222, 19463893, 16595641
16875449, 12816846, 16524926, 17237521, 18228645, 18282562, 17596908
19358317, 17811438, 17811447, 17945983, 18762750, 17156148, 18031668
16912439, 17184721, 16494615, 18061914, 17282229, 17545847, 18331850
18202441, 17082359, 18723434, 19554106, 17614134, 13558557, 17341326
14034426, 17891946, 18339044, 17716305, 19458377, 17752995, 16392068
19271443, 17891943, 18092127, 17258090, 17767676, 16668584, 18384391
17614227, 17040764, 16903536, 17381384, 14106803, 15913355, 18973907
18356166, 18673342, 17389192, 14084247, 16194160, 17612828, 17006570
20506715, 17721717, 13853126, 17390431, 18203837, 17570240, 14245531
16043574, 16863422, 17848897, 17877323, 18325460, 19727057, 17468141
17786518, 17912217, 16422541, 19972570, 17267114, 17037130, 18244962
18765602, 18203838, 18155762, 16956380, 16198143, 17246576, 17478145
17394950, 14829250, 18189036, 18641461, 18619917, 17835627, 17027426
16268425, 18247991, 19584068, 14458214, 18436307, 17265217, 17634921
13498382, 16692232, 17786278, 17227277, 16042673, 16314254, 17443671
18000422, 16228604, 16837842, 17571039, 17393683, 16344544, 17787259
18009564, 20074391, 14354737, 15861775, 18135678, 18614015, 16399083
18362222, 18018515, 16472716, 17835048, 17050888, 17936109, 14010183
17325413, 18747196, 17080436, 16613964, 17036973, 17761775, 16579084
16721594, 17082983, 18384537, 18280813, 20296213, 17302277, 16901385
18084625, 15979965, 15990359, 18203835, 17297939, 17811456, 16731148
13829543, 14133975, 17215560, 17694209, 18091059, 17385178, 8322815
17586955, 18441944, 17201159, 16450169, 9756271, 17655634, 19730508
17892268, 18868646, 17648596, 16220077, 16069901, 11733603, 16285691
17587063, 18180390, 16538760, 18193833, 17348614, 17393915, 17957017
17274537, 18096714, 17308789, 17238511, 18436647, 17824637, 14285317
19289642, 14764829, 17622427, 18328509, 16571443, 16943711, 14368995
18306996, 17346671, 14852021, 18996843, 17783588, 16618694, 17853456
18674047, 17672719, 18856999, 12364061, 18783224, 17851160, 17546761
--------------------------------------------------------------------------------
OPatch succeeded.
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 19:08:09 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 726540288 bytes
Fixed Size 2256792 bytes
Variable Size 478150760 bytes
Database Buffers 243269632 bytes
Redo Buffers 2863104 bytes
Database mounted.
Database opened.
SQL> conn test_update/test_update
Connected.
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10
where id = 1;
2 update (with tmp as (select id from test.t) select id from tmp) set id=10
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL>
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status<>'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status<>'VALID';
no rows selected
到此高危漏洞集安裝及安裝後漏洞驗證成功完成!
目的:使用oracle自帶工具opatch對oracle資料庫軟體應用高危漏洞補丁集PSU,修復oracle資料庫高危漏洞,規避由於普通使用者具有業務使用者資料表的查詢許可權,
繞過資料庫安全機制對業務使用者資料表進行增、刪、改操作的隱患。
風險:
1、本次整改中需要啟停資料庫
2、對ORACLE資料庫應用PSU補丁集可能會引入新的BUG
前期準備:
作業系統版本:
[oracle@orcl11204 20299013]$ uname -a
Linux orcl11204 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:41:04 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
OPatch軟體客戶端版本:
[oracle@orcl11204 20299013]$ export PATH=$ORACLE_HOME/OPatch:$PATH
[oracle@orcl11204 20299013]$opatch version
OPatch Version: 11.2.0.3.4
OPatch succeeded.
資料庫版本:
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status<>'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status<>'VALID';
no rows selected
準備高危漏洞補丁包
根據漏洞補丁集安裝要求opatch的版本最低位11.2.0.3.6,因此需要準備
高危漏洞的模擬測試
[oracle@orcl11204]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>create user test identified by test;
user created.
SQL>grant dba to test;
Grant succeeded.
SQL>conn test/test
Connected.
SQL>create table t(id number);
Table created.
SQL>insert into t values(1); --插入5條
1 row created.
SQL>commit;
Commit complete.
[oracle@orcl11g database]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create user test_update identified by test_update;
User created.
SQL> grant select on test.t to test_update;
Grant succeeded.
SQL> grant create session to test_update;
Grant succeeded.
SQL> conn test_update/test_update
Connected.
SQL> select count(*) from test.t;
COUNT(*)
----------
5
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10 where id = 1;
1 row updated.
SQL> commit;
Commit complete.
SQL> delete (with temp as (select * from test.t) select id from temp) where id = 2;
1 row deleted.
SQL> commit;
Commit complete.
SQL> insert into (with temp as (select * from test.t) select * from temp) select *
from test.t where id =1;
0 rows created.
SQL> commit;
Commit complete.
由上DML執行及結果部分可知,普通擁有對業務使用者下表的查詢許可權可以透過構造臨時表對業務資料表進
行DML操作,該漏洞很危險。
以下是漏洞補丁安裝及補丁安裝完畢後的驗證:
關閉資料庫例項及監聽程式,如果EM開啟,也要關閉EM
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 17:48:47 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> quit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@orcl11204 20299013]$ lsnrctl statu
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-JUN-2015 17:50:59
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11204)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 29-JUN-2015 16:51:52
Uptime 0 days 0 hr. 59 min. 7 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/oracle/product/11.2.0.4/db/network/admin/listener.ora
Listener Log File /opt/oracle/diag/tnslsnr/orcl11204/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11204)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
根據readme的提示更新OPatch即將上傳解壓並替換$ORACLE_HOME下的OPatch,注意先備份原有的OPatch以方便回退還原
[oracle@orcl11204 ~]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
根據readme的提示先做安裝前的預檢,注意如果沒有更新OPatch,預檢能夠透過,但是應用補丁集的時候會報錯退出
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-46-33PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ ps -ef|grep ora_
oracle 1757 24201 0 17:51 pts/2 00:00:00 grep ora_
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
Verifying environment and performing prerequisite checks...
Prerequisite check "CheckMinimumOPatchVersion" failed.
The details are:
The OPatch being used has version 11.2.0.3.4 while the following patch(es) require higher versions:
Patch 17478514 requires OPatch version 11.2.0.3.5.
Patch 18031668 requires OPatch version 11.2.0.3.5.
Patch 18522509 requires OPatch version 11.2.0.3.5.
Patch 19121551 requires OPatch version 11.2.0.3.5.
Patch 19769489 requires OPatch version 11.2.0.3.5.
Patch 20299013 requires OPatch version 11.2.0.3.5.
Please download latest OPatch from My Oracle Support.
UtilSession failed: Prerequisite check "CheckMinimumOPatchVersion" failed.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
OPatch failed with error code 73
以下是更新完OPatch的安裝過程
[oracle@orcl11204 ~]$ ls
20299013 database p20299013_112040_Linux-x86-64.zip p6880880_112000_Linux-x86-64.zip PatchSearch.xml
[oracle@orcl11204 ~]$ mv p6880880_112000_Linux-x86-64.zip $ORACLE_HOME
[oracle@orcl11204 ~]$ cd $ORACLE_HOME
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ mv OPatch OPatch11204bak
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch11204bak plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ unzip p6880880_112000_Linux-x86-64.zip
Archive: p6880880_112000_Linux-x86-64.zip
creating: OPatch/
inflating: OPatch/operr.bat
inflating: OPatch/opatch.bat
creating: OPatch/crs/
inflating: OPatch/crs/OsysModel.jar
inflating: OPatch/crs/installPatch.excl
inflating: OPatch/crs/patchDB.pl
inflating: OPatch/crs/CRSProductDriver.jar
inflating: OPatch/crs/patch112.pl
inflating: OPatch/crs/auto_patch.pl
inflating: OPatch/crs/opatchauto
creating: OPatch/crs/log/
inflating: OPatch/crs/patch11203.pl
inflating: OPatch/crs/driver.jar
inflating: OPatch/crs/patch11202.pl
inflating: OPatch/emdpatch.pl
inflating: OPatch/README.txt
creating: OPatch/docs/
inflating: OPatch/docs/Users_Guide.txt
inflating: OPatch/docs/Prereq_Users_Guide.txt
inflating: OPatch/docs/cversion.txt
inflating: OPatch/docs/FAQ
extracting: OPatch/version.txt
creating: OPatch/opatchprereqs/
creating: OPatch/opatchprereqs/oui/
inflating: OPatch/opatchprereqs/oui/knowledgesrc.xml
creating: OPatch/opatchprereqs/opatch/
inflating: OPatch/opatchprereqs/opatch/opatch_prereq.xml
inflating: OPatch/opatchprereqs/opatch/rulemap.xml
inflating: OPatch/opatchprereqs/opatch/runtime_prereq.xml
inflating: OPatch/opatchprereqs/prerequisite.properties
creating: OPatch/opatchauto-dir/
creating: OPatch/opatchauto-dir/opatchautocore/
creating: OPatch/opatchauto-dir/opatchautocore/jlib/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ProductDriver.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oracle.oplan.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oplan_core.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/OsysModel.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/automation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/patchsdk.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/activation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/osysmodel-utils.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/bundle.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/Validation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ValidationRules.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/com.oracle.glcm.common-logging_1.0.0.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/oplan
inflating: OPatch/opatchauto-dir/opatchautocore/oplan.bat
inflating: OPatch/opatchauto-dir/opatchautocore/README.txt
inflating: OPatch/opatchauto-dir/opatchautocore/README.html
inflating: OPatch/opatchauto-dir/opatchautocore/opatchautobinary
creating: OPatch/opatchauto-dir/opatchautodb/
creating: OPatch/opatchauto-dir/opatchautodb/jlib/
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oracle.oplan.db.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oplan_db.jar
creating: OPatch/jlib/
inflating: OPatch/jlib/oracle.opatch.classpath.jar
inflating: OPatch/jlib/opatch.jar
inflating: OPatch/jlib/opatchsdk.jar
inflating: OPatch/jlib/oracle.opatch.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.unix.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatch.classpath.unix.jar
creating: OPatch/scripts/
inflating: OPatch/scripts/opatch_wls
inflating: OPatch/scripts/opatch_jvm_discovery.bat
inflating: OPatch/scripts/opatch_wls.bat
inflating: OPatch/scripts/opatch_jvm_discovery
creating: OPatch/oplan/
inflating: OPatch/oplan/oplan.bat
creating: OPatch/oplan/jlib/
creating: OPatch/oplan/jlib/jaxb/
inflating: OPatch/oplan/jlib/jaxb/activation.jar
inflating: OPatch/oplan/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-api.jar
inflating: OPatch/oplan/jlib/OsysModel.jar
inflating: OPatch/oplan/jlib/JMXDrivers.jar
inflating: OPatch/oplan/jlib/Validation.jar
inflating: OPatch/oplan/jlib/automation.jar
inflating: OPatch/oplan/jlib/bundle.jar
inflating: OPatch/oplan/jlib/oplan.jar
inflating: OPatch/oplan/jlib/CRSProductDriver.jar
inflating: OPatch/oplan/jlib/OuiDriver.jar
inflating: OPatch/oplan/jlib/oracle.oplan.classpath.jar
inflating: OPatch/oplan/jlib/patchsdk.jar
inflating: OPatch/oplan/jlib/osysmodel-utils.jar
inflating: OPatch/oplan/jlib/ValidationRules.jar
creating: OPatch/oplan/jlib/apache-commons/
inflating: OPatch/oplan/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/oplan/jlib/EMrepoDrivers.jar
inflating: OPatch/oplan/README.html
inflating: OPatch/oplan/oplan
inflating: OPatch/oplan/README.txt
inflating: OPatch/operr
inflating: OPatch/opatch
inflating: OPatch/opatchdiag.bat
inflating: OPatch/operr_readme.txt
inflating: OPatch/opatchdiag
inflating: OPatch/opatch.pl
creating: OPatch/ocm/
creating: OPatch/ocm/lib/
inflating: OPatch/ocm/lib/emocmclnt.jar
inflating: OPatch/ocm/lib/log4j-core.jar
inflating: OPatch/ocm/lib/regexp.jar
inflating: OPatch/ocm/lib/emocmcommon.jar
inflating: OPatch/ocm/lib/osdt_core3.jar
inflating: OPatch/ocm/lib/jsse.jar
inflating: OPatch/ocm/lib/http_client.jar
inflating: OPatch/ocm/lib/osdt_jce.jar
inflating: OPatch/ocm/lib/emocmclnt-14.jar
inflating: OPatch/ocm/lib/jnet.jar
inflating: OPatch/ocm/lib/jcert.jar
inflating: OPatch/ocm/lib/xmlparserv2.jar
extracting: OPatch/ocm/ocm.zip
creating: OPatch/ocm/bin/
inflating: OPatch/ocm/bin/emocmrsp
inflating: OPatch/ocm/ocm_platforms.txt
creating: OPatch/ocm/doc/
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch perl sqlplus
assistants cv ide lib OPatch11204bak plsql srvm
bin dbs install log opmn precomp suptools
ccr dc_ocm instantclient md oracore racg sysman
cdata deinstall inventory mesg oraInst.loc rdbms timingframework
cfgtoollogs demo j2ee mgw orcl11204_db11204 relnotes ucp
clone diagnostics javavm network ord root.sh uix
config dv jdbc nls oui scheduler usm
crs emcli jdev oc4j owb slax utl
csmig EMStage jdk odbc owm sqldeveloper wwg
css has jlib olap p6880880_112000_Linux-x86-64.zip sqlj xdk
[oracle@orcl11204 20299013]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-52-51PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
Verifying environment and performing prerequisite checks...
OPatch continues with these patches: 17478514 18031668 18522509 19121551 19769489 20299013
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/opt/oracle/product/11.2.0.4/db')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying sub-patch '17478514' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sdo, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.sdo.locator, 11.2.0.4.0...
Patching component oracle.nlsrtl.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18031668' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.ldap.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.crs, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ldap.rsf.ic, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18522509' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19121551' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.ordim.client, 11.2.0.4.0...
Patching component oracle.ordim.jai, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19769489' to OH '/opt/oracle/product/11.2.0.4/db'
ApplySession: Optional component(s) [ oracle.sysman.agent, 11.2.0.4.0 ] not present in the Oracle Home or a higher version is found.
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ovm, 11.2.0.4.0...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.util, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.oraolap, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '20299013' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.dv, 11.2.0.4.0...
Patching component oracle.rdbms.oci, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.sysman.common, 10.2.0.4.5...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sysman.common.core, 10.2.0.4.5...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Composite patch 20299013 successfully applied.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch lsinventory
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_19-07-44PM_1.log
Lsinventory Output file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/lsinv/lsinventory2015-06-29_19-07-44PM.txt
--------------------------------------------------------------------------------
Local Machine Information::
Hostname: orcl11204
ARU platform id: 226
ARU platform description:: Linux x86-64
Installed Top-level Products (1):
Oracle Database 11g 11.2.0.4.0
There are 1 products installed in this Oracle Home.
Interim patches (1) :
Patch 20299013 : applied on Mon Jun 29 19:00:43 CST 2015
Unique Patch ID: 18573940
Patch description: "Database Patch Set Update : 11.2.0.4.6 (20299013)"
Created on 4 Mar 2015, 02:27:44 hrs PST8PDT
Sub-patch 19769489; "Database Patch Set Update : 11.2.0.4.5 (19769489)"
Sub-patch 19121551; "Database Patch Set Update : 11.2.0.4.4 (19121551)"
Sub-patch 18522509; "Database Patch Set Update : 11.2.0.4.3 (18522509)"
Sub-patch 18031668; "Database Patch Set Update : 11.2.0.4.2 (18031668)"
Sub-patch 17478514; "Database Patch Set Update : 11.2.0.4.1 (17478514)"
Bugs fixed:
17288409, 17798953, 18273830, 18607546, 17811429, 17205719, 20506699
17816865, 19972566, 17922254, 17754782, 16384983, 17726838, 13364795
16934803, 17311728, 17284817, 17441661, 17360606, 13645875, 18199537
16992075, 16542886, 17446237, 14015842, 17889549, 14565184, 19972569
17071721, 20299015, 17610798, 17375354, 17449815, 17397545, 19463897
18230522, 13866822, 17235750, 17982555, 16360112, 18317531, 17478514
19769489, 12905058, 14338435, 18235390, 13944971, 18641451, 20142975
17811789, 16929165, 18704244, 12747740, 18430495, 20506706, 17546973
14054676, 17088068, 17346091, 18264060, 17016369, 17042658, 17343514
14602788, 19972568, 19680952, 18471685, 19788842, 18508861, 14657740
17332800, 19211724, 13837378, 13951456, 16315398, 17186905, 18744139
19972564, 16850630, 18315328, 17437634, 19049453, 18673304, 17883081
19006849, 19915271, 19013183, 18641419, 17296856, 18674024, 18262334
17006183, 18277454, 16833527, 17232014, 16855292, 10136473, 17762296
14692762, 17705023, 18051556, 17865671, 17852463, 18554871, 17853498
19121551, 18334586, 19854503, 17551709, 19309466, 17588480, 19827973
17344412, 17842825, 18828868, 18681862, 18554763, 17390160, 18456514
16306373, 17025461, 13955826, 18139690, 11883252, 13609098, 17501491
17239687, 17752121, 17299889, 17602269, 19197175, 17889583, 18316692
17313525, 18673325, 12611721, 19544839, 18293054, 17242746, 18964939
17600719, 18191164, 19393542, 17571306, 18482502, 19466309, 17951233
17649265, 18094246, 19615136, 17040527, 17011832, 17165204, 18098207
16785708, 16870214, 17465741, 16180763, 17174582, 17477958, 12982566
16777840, 18522509, 20631274, 16091637, 17323222, 19463893, 16595641
16875449, 12816846, 16524926, 17237521, 18228645, 18282562, 17596908
19358317, 17811438, 17811447, 17945983, 18762750, 17156148, 18031668
16912439, 17184721, 16494615, 18061914, 17282229, 17545847, 18331850
18202441, 17082359, 18723434, 19554106, 17614134, 13558557, 17341326
14034426, 17891946, 18339044, 17716305, 19458377, 17752995, 16392068
19271443, 17891943, 18092127, 17258090, 17767676, 16668584, 18384391
17614227, 17040764, 16903536, 17381384, 14106803, 15913355, 18973907
18356166, 18673342, 17389192, 14084247, 16194160, 17612828, 17006570
20506715, 17721717, 13853126, 17390431, 18203837, 17570240, 14245531
16043574, 16863422, 17848897, 17877323, 18325460, 19727057, 17468141
17786518, 17912217, 16422541, 19972570, 17267114, 17037130, 18244962
18765602, 18203838, 18155762, 16956380, 16198143, 17246576, 17478145
17394950, 14829250, 18189036, 18641461, 18619917, 17835627, 17027426
16268425, 18247991, 19584068, 14458214, 18436307, 17265217, 17634921
13498382, 16692232, 17786278, 17227277, 16042673, 16314254, 17443671
18000422, 16228604, 16837842, 17571039, 17393683, 16344544, 17787259
18009564, 20074391, 14354737, 15861775, 18135678, 18614015, 16399083
18362222, 18018515, 16472716, 17835048, 17050888, 17936109, 14010183
17325413, 18747196, 17080436, 16613964, 17036973, 17761775, 16579084
16721594, 17082983, 18384537, 18280813, 20296213, 17302277, 16901385
18084625, 15979965, 15990359, 18203835, 17297939, 17811456, 16731148
13829543, 14133975, 17215560, 17694209, 18091059, 17385178, 8322815
17586955, 18441944, 17201159, 16450169, 9756271, 17655634, 19730508
17892268, 18868646, 17648596, 16220077, 16069901, 11733603, 16285691
17587063, 18180390, 16538760, 18193833, 17348614, 17393915, 17957017
17274537, 18096714, 17308789, 17238511, 18436647, 17824637, 14285317
19289642, 14764829, 17622427, 18328509, 16571443, 16943711, 14368995
18306996, 17346671, 14852021, 18996843, 17783588, 16618694, 17853456
18674047, 17672719, 18856999, 12364061, 18783224, 17851160, 17546761
--------------------------------------------------------------------------------
OPatch succeeded.
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 19:08:09 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 726540288 bytes
Fixed Size 2256792 bytes
Variable Size 478150760 bytes
Database Buffers 243269632 bytes
Redo Buffers 2863104 bytes
Database mounted.
Database opened.
SQL> conn test_update/test_update
Connected.
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10
where id = 1;
2 update (with tmp as (select id from test.t) select id from tmp) set id=10
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL>
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status<>'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status<>'VALID';
no rows selected
到此高危漏洞集安裝及安裝後漏洞驗證成功完成!
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/29357786/viewspace-1717154/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- Oracle資料庫高危漏洞警告!Oracle資料庫
- Oracle資料庫PSU補丁安裝Oracle資料庫
- Oracle資料庫打補丁方法Oracle資料庫
- Oracle資料庫升級與補丁Oracle資料庫
- 給Oracle資料庫打補丁(轉)Oracle資料庫
- Chrome存在高危漏洞!谷歌緊急釋出安全補丁Chrome谷歌
- 摘:Oracle資料庫補丁分類、安裝及管理Oracle資料庫
- 資料庫補丁索引資料庫索引
- Oracle將釋出新的資料庫補丁程式Oracle資料庫
- Oracle 安裝補丁Oracle
- 微軟週二釋出12個漏洞補丁程式 4個為高危微軟
- Oracle 資料庫 PSU 的補丁號變化Oracle資料庫
- 【UP_ORACLE】如何給Oracle DG打補丁(二)備庫安裝補丁步驟Oracle
- 【UP_ORACLE】如何給Oracle DG打補丁(三)主庫安裝補丁步驟Oracle
- 打Oracle 10.2.0.3.0補丁前安裝了資料庫,需要執行以下步驟Upgrade資料庫Oracle資料庫
- oracle安裝補丁失敗Oracle
- RAC資料庫中用opatch應用補丁資料庫
- oracle 補丁Oracle
- 2020蘋果maccms最新漏洞補丁 防止資料庫被反覆掛馬蘋果Mac資料庫
- Oracle最新補丁包修101個漏洞(轉)Oracle
- oracle 資料庫版本對應的psu和補丁號碼Oracle資料庫
- 微軟釋出補丁:修復了遠端桌面元件中存在的兩個高危漏洞微軟元件
- 資料庫Patchsets 補丁號碼快速參考資料庫
- 探索Oracle之資料庫升級一 升級補丁修復概述Oracle資料庫
- Oracle的補丁Oracle
- Oracle CRS Database安裝10.2.0.5.0補丁OracleDatabase
- 資料庫打完11.1.0.7.12補丁後資料庫啟動失敗資料庫
- 檢視資料庫版本與補丁的版本資訊資料庫
- 檢查資料庫CPU和PSU補丁資訊資料庫
- 資料庫的升級和打補丁的研究資料庫
- 關於 Oracle 資料庫 PSU/SPU/Bundle Patch的補丁號變化Oracle資料庫
- Oracle 11gR2單例項資料庫補丁升級記錄Oracle單例資料庫
- 【補丁】Oracle補丁的知識及術語Oracle
- metalink上oracle資料庫推薦補丁列表的document id(Oracle Recommended Patches -- Oracle Database)Oracle資料庫Database
- Oracle RAC更新補丁Oracle
- 12. Oracle版本、補丁及升級——12.2. 補丁及補丁集Oracle
- 怎麼樣安裝AIX 補丁或者補丁集AI
- Oracle補丁術語介紹 PSU CPU補丁Oracle