——记一次ORACLE数据库使用opatch升级PSU的过程
目的:使用oracle自带工具opatch对oracle数据库软件应用高危漏洞补丁集PSU,修复oracle数据库高危漏洞,规避由于普通用户具有业务用户数据表的查询权限,
绕过数据库安全机制对业务用户数据表进行增、删、改操作的隐患。
风险:
1、本次整改中需要启停数据库
前期准备:
操作系统版本:
[oracle@orcl11204 20299013]$ uname -a
Linux orcl11204 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:41:04 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
OPatch软件客户端版本:
[oracle@orcl11204 20299013]$ export PATH=$ORACLE_HOME/OPatch:$PATH
[oracle@orcl11204 20299013]$opatch version
OPatch Version: 11.2.0.3.4
OPatch succeeded.
数据库版本:
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status'VALID';
no rows selected
准备高危漏洞补丁包
p20299013_112040_Linux-x86-64.zip(patch号参考文档 756671.1.html)
根据漏洞补丁集安装要求opatch的版本最低位11.2.0.3.6,因此需要准备
p6880880_112000_Linux-x86-64.zip
高危漏洞的模拟测试
[oracle@orcl11204]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>create user test identified by test;
user created.
SQL>grant dba to test;
Grant succeeded.
SQL>conn test/test
Connected.
SQL>create table t(id number);
Table created.
SQL>insert into t values(1); --插入5条
1 row created.
SQL>commit;
Commit complete.
[oracle@orcl11g database]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create user test_update identified by test_update;
User created.
SQL> grant select on test.t to test_update;
Grant succeeded.
SQL> grant create session to test_update;
Grant succeeded.
SQL> conn test_update/test_update
Connected.
SQL> select count(*) from test.t;
COUNT(*)
----------
5
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10 where id = 1;
1 row updated.
SQL> commit;
Commit complete.
SQL> delete (with temp as (select * from test.t) select id from temp) where id = 2;
1 row deleted.
SQL> commit;
Commit complete.
SQL> insert into (with temp as (select * from test.t) select * from temp) select *
from test.t where id =1;
0 rows created.
SQL> commit;
Commit complete.
由上DML执行及结果部分可知,普通拥有对业务用户下表的查询权限可以通过构造临时表对业务数据表进
行DML操作,该漏洞很危险。
以下是漏洞补丁安装及补丁安装完毕后的验证:
关闭数据库实例及监听程序,如果EM开启,也要关闭EM
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 17:48:47 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> quit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@orcl11204 20299013]$ lsnrctl statu
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-JUN-2015 17:50:59
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11204)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 29-JUN-2015 16:51:52
Uptime 0 days 0 hr. 59 min. 7 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/oracle/product/11.2.0.4/db/network/admin/listener.ora
Listener Log File /opt/oracle/diag/tnslsnr/orcl11204/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11204)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
根据readme的提示更新OPatch即将p6880880_112000_Linux-x86-64.zip上传解压并替换$ORACLE_HOME下的OPatch,注意先备份原有的OPatch以方便回退还原
[oracle@orcl11204 ~]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
根据readme的提示先做安装前的预检,注意如果没有更新OPatch,预检能够通过,但是应用补丁集的时候会报错退出
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-46-33PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ ps -ef|grep ora_
oracle 1757 24201 0 17:51 pts/2 00:00:00 grep ora_
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
Verifying environment and performing prerequisite checks...
Prerequisite check "CheckMinimumOPatchVersion" failed.
The details are:
The OPatch being used has version 11.2.0.3.4 while the following patch(es) require higher versions:
Patch 17478514 requires OPatch version 11.2.0.3.5.
Patch 18031668 requires OPatch version 11.2.0.3.5.
Patch 18522509 requires OPatch version 11.2.0.3.5.
Patch 19121551 requires OPatch version 11.2.0.3.5.
Patch 19769489 requires OPatch version 11.2.0.3.5.
Patch 20299013 requires OPatch version 11.2.0.3.5.
Please download latest OPatch from My Oracle Support.
UtilSession failed: Prerequisite check "CheckMinimumOPatchVersion" failed.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
OPatch failed with error code 73
以下是更新完OPatch的安装过程
[oracle@orcl11204 ~]$ ls
20299013 database p20299013_112040_Linux-x86-64.zip p6880880_112000_Linux-x86-64.zip PatchSearch.xml
[oracle@orcl11204 ~]$ mv p6880880_112000_Linux-x86-64.zip $ORACLE_HOME
[oracle@orcl11204 ~]$ cd $ORACLE_HOME
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ mv OPatch OPatch11204bak
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch11204bak plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ unzip p6880880_112000_Linux-x86-64.zip
Archive: p6880880_112000_Linux-x86-64.zip
creating: OPatch/
inflating: OPatch/operr.bat
inflating: OPatch/opatch.bat
creating: OPatch/crs/
inflating: OPatch/crs/OsysModel.jar
inflating: OPatch/crs/installPatch.excl
inflating: OPatch/crs/patchDB.pl
inflating: OPatch/crs/CRSProductDriver.jar
inflating: OPatch/crs/patch112.pl
inflating: OPatch/crs/auto_patch.pl
inflating: OPatch/crs/opatchauto
creating: OPatch/crs/log/
inflating: OPatch/crs/patch11203.pl
inflating: OPatch/crs/driver.jar
inflating: OPatch/crs/patch11202.pl
inflating: OPatch/emdpatch.pl
inflating: OPatch/README.txt
creating: OPatch/docs/
inflating: OPatch/docs/Users_Guide.txt
inflating: OPatch/docs/Prereq_Users_Guide.txt
inflating: OPatch/docs/cversion.txt
inflating: OPatch/docs/FAQ
extracting: OPatch/version.txt
creating: OPatch/opatchprereqs/
creating: OPatch/opatchprereqs/oui/
inflating: OPatch/opatchprereqs/oui/knowledgesrc.xml
creating: OPatch/opatchprereqs/opatch/
inflating: OPatch/opatchprereqs/opatch/opatch_prereq.xml
inflating: OPatch/opatchprereqs/opatch/rulemap.xml
inflating: OPatch/opatchprereqs/opatch/runtime_prereq.xml
inflating: OPatch/opatchprereqs/prerequisite.properties
creating: OPatch/opatchauto-dir/
creating: OPatch/opatchauto-dir/opatchautocore/
creating: OPatch/opatchauto-dir/opatchautocore/jlib/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ProductDriver.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oracle.oplan.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oplan_core.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/OsysModel.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/automation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/patchsdk.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/activation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/osysmodel-utils.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/bundle.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/Validation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ValidationRules.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/com.oracle.glcm.common-logging_1.0.0.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/oplan
inflating: OPatch/opatchauto-dir/opatchautocore/oplan.bat
inflating: OPatch/opatchauto-dir/opatchautocore/README.txt
inflating: OPatch/opatchauto-dir/opatchautocore/README.html
inflating: OPatch/opatchauto-dir/opatchautocore/opatchautobinary
creating: OPatch/opatchauto-dir/opatchautodb/
creating: OPatch/opatchauto-dir/opatchautodb/jlib/
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oracle.oplan.db.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oplan_db.jar
creating: OPatch/jlib/
inflating: OPatch/jlib/oracle.opatch.classpath.jar
inflating: OPatch/jlib/opatch.jar
inflating: OPatch/jlib/opatchsdk.jar
inflating: OPatch/jlib/oracle.opatch.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.unix.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatch.classpath.unix.jar
creating: OPatch/scripts/
inflating: OPatch/scripts/opatch_wls
inflating: OPatch/scripts/opatch_jvm_discovery.bat
inflating: OPatch/scripts/opatch_wls.bat
inflating: OPatch/scripts/opatch_jvm_discovery
creating: OPatch/oplan/
inflating: OPatch/oplan/oplan.bat
creating: OPatch/oplan/jlib/
creating: OPatch/oplan/jlib/jaxb/
inflating: OPatch/oplan/jlib/jaxb/activation.jar
inflating: OPatch/oplan/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-api.jar
inflating: OPatch/oplan/jlib/OsysModel.jar
inflating: OPatch/oplan/jlib/JMXDrivers.jar
inflating: OPatch/oplan/jlib/Validation.jar
inflating: OPatch/oplan/jlib/automation.jar
inflating: OPatch/oplan/jlib/bundle.jar
inflating: OPatch/oplan/jlib/oplan.jar
inflating: OPatch/oplan/jlib/CRSProductDriver.jar
inflating: OPatch/oplan/jlib/OuiDriver.jar
inflating: OPatch/oplan/jlib/oracle.oplan.classpath.jar
inflating: OPatch/oplan/jlib/patchsdk.jar
inflating: OPatch/oplan/jlib/osysmodel-utils.jar
inflating: OPatch/oplan/jlib/ValidationRules.jar
creating: OPatch/oplan/jlib/apache-commons/
inflating: OPatch/oplan/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/oplan/jlib/EMrepoDrivers.jar
inflating: OPatch/oplan/README.html
inflating: OPatch/oplan/oplan
inflating: OPatch/oplan/README.txt
inflating: OPatch/operr
inflating: OPatch/opatch
inflating: OPatch/opatchdiag.bat
inflating: OPatch/operr_readme.txt
inflating: OPatch/opatchdiag
inflating: OPatch/opatch.pl
creating: OPatch/ocm/
creating: OPatch/ocm/lib/
inflating: OPatch/ocm/lib/emocmclnt.jar
inflating: OPatch/ocm/lib/log4j-core.jar
inflating: OPatch/ocm/lib/regexp.jar
inflating: OPatch/ocm/lib/emocmcommon.jar
inflating: OPatch/ocm/lib/osdt_core3.jar
inflating: OPatch/ocm/lib/jsse.jar
inflating: OPatch/ocm/lib/http_client.jar
inflating: OPatch/ocm/lib/osdt_jce.jar
inflating: OPatch/ocm/lib/emocmclnt-14.jar
inflating: OPatch/ocm/lib/jnet.jar
inflating: OPatch/ocm/lib/jcert.jar
inflating: OPatch/ocm/lib/xmlparserv2.jar
extracting: OPatch/ocm/ocm.zip
creating: OPatch/ocm/bin/
inflating: OPatch/ocm/bin/emocmrsp
inflating: OPatch/ocm/ocm_platforms.txt
creating: OPatch/ocm/doc/
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch perl sqlplus
assistants cv ide lib OPatch11204bak plsql srvm
bin dbs install log opmn precomp suptools
ccr dc_ocm instantclient md oracore racg sysman
cdata deinstall inventory mesg oraInst.loc rdbms timingframework
cfgtoollogs demo j2ee mgw orcl11204_db11204 relnotes ucp
clone diagnostics javavm network ord root.sh uix
config dv jdbc nls oui scheduler usm
crs emcli jdev oc4j owb slax utl
csmig EMStage jdk odbc owm sqldeveloper wwg
css has jlib olap p6880880_112000_Linux-x86-64.zip sqlj xdk
[oracle@orcl11204 20299013]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-52-51PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
Verifying environment and performing prerequisite checks...
OPatch continues with these patches: 17478514 18031668 18522509 19121551 19769489 20299013
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/opt/oracle/product/11.2.0.4/db')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying sub-patch '17478514' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sdo, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.sdo.locator, 11.2.0.4.0...
Patching component oracle.nlsrtl.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18031668' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.ldap.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.crs, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ldap.rsf.ic, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18522509' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19121551' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.ordim.client, 11.2.0.4.0...
Patching component oracle.ordim.jai, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19769489' to OH '/opt/oracle/product/11.2.0.4/db'
ApplySession: Optional component(s) [ oracle.sysman.agent, 11.2.0.4.0 ] not present in the Oracle Home or a higher version is found.
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ovm, 11.2.0.4.0...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.util, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.oraolap, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '20299013' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.dv, 11.2.0.4.0...
Patching component oracle.rdbms.oci, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.sysman.common, 10.2.0.4.5...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sysman.common.core, 10.2.0.4.5...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Composite patch 20299013 successfully applied.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch lsinventory
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_19-07-44PM_1.log
Lsinventory Output file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/lsinv/lsinventory2015-06-29_19-07-44PM.txt
--------------------------------------------------------------------------------
Local Machine Information::
Hostname: orcl11204
ARU platform id: 226
ARU platform description:: Linux x86-64
Installed Top-level Products (1):
Oracle Database 11g 11.2.0.4.0
There are 1 products installed in this Oracle Home.
Interim patches (1) :
Patch 20299013 : applied on Mon Jun 29 19:00:43 CST 2015
Unique Patch ID: 18573940
Patch description: "Database Patch Set Update : 11.2.0.4.6 (20299013)"
Created on 4 Mar 2015, 02:27:44 hrs PST8PDT
Sub-patch 19769489; "Database Patch Set Update : 11.2.0.4.5 (19769489)"
Sub-patch 19121551; "Database Patch Set Update : 11.2.0.4.4 (19121551)"
Sub-patch 18522509; "Database Patch Set Update : 11.2.0.4.3 (18522509)"
Sub-patch 18031668; "Database Patch Set Update : 11.2.0.4.2 (18031668)"
Sub-patch 17478514; "Database Patch Set Update : 11.2.0.4.1 (17478514)"
Bugs fixed:
17288409, 17798953, 18273830, 18607546, 17811429, 17205719, 20506699
17816865, 19972566, 17922254, 17754782, 16384983, 17726838, 13364795
16934803, 17311728, 17284817, 17441661, 17360606, 13645875, 18199537
16992075, 16542886, 17446237, 14015842, 17889549, 14565184, 19972569
17071721, 20299015, 17610798, 17375354, 17449815, 17397545, 19463897
18230522, 13866822, 17235750, 17982555, 16360112, 18317531, 17478514
19769489, 12905058, 14338435, 18235390, 13944971, 18641451, 20142975
17811789, 16929165, 18704244, 12747740, 18430495, 20506706, 17546973
14054676, 17088068, 17346091, 18264060, 17016369, 17042658, 17343514
14602788, 19972568, 19680952, 18471685, 19788842, 18508861, 14657740
17332800, 19211724, 13837378, 13951456, 16315398, 17186905, 18744139
19972564, 16850630, 18315328, 17437634, 19049453, 18673304, 17883081
19006849, 19915271, 19013183, 18641419, 17296856, 18674024, 18262334
17006183, 18277454, 16833527, 17232014, 16855292, 10136473, 17762296
14692762, 17705023, 18051556, 17865671, 17852463, 18554871, 17853498
19121551, 18334586, 19854503, 17551709, 19309466, 17588480, 19827973
17344412, 17842825, 18828868, 18681862, 18554763, 17390160, 18456514
16306373, 17025461, 13955826, 18139690, 11883252, 13609098, 17501491
17239687, 17752121, 17299889, 17602269, 19197175, 17889583, 18316692
17313525, 18673325, 12611721, 19544839, 18293054, 17242746, 18964939
17600719, 18191164, 19393542, 17571306, 18482502, 19466309, 17951233
17649265, 18094246, 19615136, 17040527, 17011832, 17165204, 18098207
16785708, 16870214, 17465741, 16180763, 17174582, 17477958, 12982566
16777840, 18522509, 20631274, 16091637, 17323222, 19463893, 16595641
16875449, 12816846, 16524926, 17237521, 18228645, 18282562, 17596908
19358317, 17811438, 17811447, 17945983, 18762750, 17156148, 18031668
16912439, 17184721, 16494615, 18061914, 17282229, 17545847, 18331850
18202441, 17082359, 18723434, 19554106, 17614134, 13558557, 17341326
14034426, 17891946, 18339044, 17716305, 19458377, 17752995, 16392068
19271443, 17891943, 18092127, 17258090, 17767676, 16668584, 18384391
17614227, 17040764, 16903536, 17381384, 14106803, 15913355, 18973907
18356166, 18673342, 17389192, 14084247, 16194160, 17612828, 17006570
20506715, 17721717, 13853126, 17390431, 18203837, 17570240, 14245531
16043574, 16863422, 17848897, 17877323, 18325460, 19727057, 17468141
17786518, 17912217, 16422541, 19972570, 17267114, 17037130, 18244962
18765602, 18203838, 18155762, 16956380, 16198143, 17246576, 17478145
17394950, 14829250, 18189036, 18641461, 18619917, 17835627, 17027426
16268425, 18247991, 19584068, 14458214, 18436307, 17265217, 17634921
13498382, 16692232, 17786278, 17227277, 16042673, 16314254, 17443671
18000422, 16228604, 16837842, 17571039, 17393683, 16344544, 17787259
18009564, 20074391, 14354737, 15861775, 18135678, 18614015, 16399083
18362222, 18018515, 16472716, 17835048, 17050888, 17936109, 14010183
17325413, 18747196, 17080436, 16613964, 17036973, 17761775, 16579084
16721594, 17082983, 18384537, 18280813, 20296213, 17302277, 16901385
18084625, 15979965, 15990359, 18203835, 17297939, 17811456, 16731148
13829543, 14133975, 17215560, 17694209, 18091059, 17385178, 8322815
17586955, 18441944, 17201159, 16450169, 9756271, 17655634, 19730508
17892268, 18868646, 17648596, 16220077, 16069901, 11733603, 16285691
17587063, 18180390, 16538760, 18193833, 17348614, 17393915, 17957017
17274537, 18096714, 17308789, 17238511, 18436647, 17824637, 14285317
19289642, 14764829, 17622427, 18328509, 16571443, 16943711, 14368995
18306996, 17346671, 14852021, 18996843, 17783588, 16618694, 17853456
18674047, 17672719, 18856999, 12364061, 18783224, 17851160, 17546761
--------------------------------------------------------------------------------
OPatch succeeded.
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 19:08:09 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 726540288 bytes
Fixed Size 2256792 bytes
Variable Size 478150760 bytes
Database Buffers 243269632 bytes
Redo Buffers 2863104 bytes
Database mounted.
Database opened.
SQL> conn test_update/test_update
Connected.
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10
where id = 1;
2 update (with tmp as (select id from test.t) select id from tmp) set id=10
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL>
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status'VALID';
no rows selected
到此高危漏洞集安装及安装后漏洞验证成功完成!
目的:使用oracle自带工具opatch对oracle数据库软件应用高危漏洞补丁集PSU,修复oracle数据库高危漏洞,规避由于普通用户具有业务用户数据表的查询权限,
绕过数据库安全机制对业务用户数据表进行增、删、改操作的隐患。
风险:
1、本次整改中需要启停数据库
2、对 ORACLE数据库应用 PSU补丁集可能会引入新的 BUG
前期准备:
操作系统版本:
[oracle@orcl11204 20299013]$ uname -a
Linux orcl11204 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:41:04 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
OPatch软件客户端版本:
[oracle@orcl11204 20299013]$ export PATH=$ORACLE_HOME/OPatch:$PATH
[oracle@orcl11204 20299013]$opatch version
OPatch Version: 11.2.0.3.4
OPatch succeeded.
数据库版本:
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status'VALID';
no rows selected
准备高危漏洞补丁包
p20299013_112040_Linux-x86-64.zip(patch号参考文档 756671.1.html)
根据漏洞补丁集安装要求opatch的版本最低位11.2.0.3.6,因此需要准备
p6880880_112000_Linux-x86-64.zip
高危漏洞的模拟测试
[oracle@orcl11204]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>create user test identified by test;
user created.
SQL>grant dba to test;
Grant succeeded.
SQL>conn test/test
Connected.
SQL>create table t(id number);
Table created.
SQL>insert into t values(1); --插入5条
1 row created.
SQL>commit;
Commit complete.
[oracle@orcl11g database]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jun 10 13:43:22 2015
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create user test_update identified by test_update;
User created.
SQL> grant select on test.t to test_update;
Grant succeeded.
SQL> grant create session to test_update;
Grant succeeded.
SQL> conn test_update/test_update
Connected.
SQL> select count(*) from test.t;
COUNT(*)
----------
5
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10 where id = 1;
1 row updated.
SQL> commit;
Commit complete.
SQL> delete (with temp as (select * from test.t) select id from temp) where id = 2;
1 row deleted.
SQL> commit;
Commit complete.
SQL> insert into (with temp as (select * from test.t) select * from temp) select *
from test.t where id =1;
0 rows created.
SQL> commit;
Commit complete.
由上DML执行及结果部分可知,普通拥有对业务用户下表的查询权限可以通过构造临时表对业务数据表进
行DML操作,该漏洞很危险。
以下是漏洞补丁安装及补丁安装完毕后的验证:
关闭数据库实例及监听程序,如果EM开启,也要关闭EM
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 17:48:47 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> quit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
[oracle@orcl11204 20299013]$ lsnrctl statu
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 29-JUN-2015 17:50:59
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl11204)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production
Start Date 29-JUN-2015 16:51:52
Uptime 0 days 0 hr. 59 min. 7 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /opt/oracle/product/11.2.0.4/db/network/admin/listener.ora
Listener Log File /opt/oracle/diag/tnslsnr/orcl11204/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=orcl11204)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
根据readme的提示更新OPatch即将p6880880_112000_Linux-x86-64.zip上传解压并替换$ORACLE_HOME下的OPatch,注意先备份原有的OPatch以方便回退还原
[oracle@orcl11204 ~]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
根据readme的提示先做安装前的预检,注意如果没有更新OPatch,预检能够通过,但是应用补丁集的时候会报错退出
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-46-33PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ ps -ef|grep ora_
oracle 1757 24201 0 17:51 pts/2 00:00:00 grep ora_
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.4
Copyright (c) 2012, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.4
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
Verifying environment and performing prerequisite checks...
Prerequisite check "CheckMinimumOPatchVersion" failed.
The details are:
The OPatch being used has version 11.2.0.3.4 while the following patch(es) require higher versions:
Patch 17478514 requires OPatch version 11.2.0.3.5.
Patch 18031668 requires OPatch version 11.2.0.3.5.
Patch 18522509 requires OPatch version 11.2.0.3.5.
Patch 19121551 requires OPatch version 11.2.0.3.5.
Patch 19769489 requires OPatch version 11.2.0.3.5.
Patch 20299013 requires OPatch version 11.2.0.3.5.
Please download latest OPatch from My Oracle Support.
UtilSession failed: Prerequisite check "CheckMinimumOPatchVersion" failed.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_17-51-23PM_1.log
OPatch failed with error code 73
以下是更新完OPatch的安装过程
[oracle@orcl11204 ~]$ ls
20299013 database p20299013_112040_Linux-x86-64.zip p6880880_112000_Linux-x86-64.zip PatchSearch.xml
[oracle@orcl11204 ~]$ mv p6880880_112000_Linux-x86-64.zip $ORACLE_HOME
[oracle@orcl11204 ~]$ cd $ORACLE_HOME
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ mv OPatch OPatch11204bak
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch11204bak plsql srvm
assistants cv ide lib opmn precomp suptools
bin dbs install log oracore racg sysman
ccr dc_ocm instantclient md oraInst.loc rdbms timingframework
cdata deinstall inventory mesg orcl11204_db11204 relnotes ucp
cfgtoollogs demo j2ee mgw ord root.sh uix
clone diagnostics javavm network oui scheduler usm
config dv jdbc nls owb slax utl
crs emcli jdev oc4j owm sqldeveloper wwg
csmig EMStage jdk odbc p6880880_112000_Linux-x86-64.zip sqlj xdk
css has jlib olap perl sqlplus
[oracle@orcl11204 db]$ unzip p6880880_112000_Linux-x86-64.zip
Archive: p6880880_112000_Linux-x86-64.zip
creating: OPatch/
inflating: OPatch/operr.bat
inflating: OPatch/opatch.bat
creating: OPatch/crs/
inflating: OPatch/crs/OsysModel.jar
inflating: OPatch/crs/installPatch.excl
inflating: OPatch/crs/patchDB.pl
inflating: OPatch/crs/CRSProductDriver.jar
inflating: OPatch/crs/patch112.pl
inflating: OPatch/crs/auto_patch.pl
inflating: OPatch/crs/opatchauto
creating: OPatch/crs/log/
inflating: OPatch/crs/patch11203.pl
inflating: OPatch/crs/driver.jar
inflating: OPatch/crs/patch11202.pl
inflating: OPatch/emdpatch.pl
inflating: OPatch/README.txt
creating: OPatch/docs/
inflating: OPatch/docs/Users_Guide.txt
inflating: OPatch/docs/Prereq_Users_Guide.txt
inflating: OPatch/docs/cversion.txt
inflating: OPatch/docs/FAQ
extracting: OPatch/version.txt
creating: OPatch/opatchprereqs/
creating: OPatch/opatchprereqs/oui/
inflating: OPatch/opatchprereqs/oui/knowledgesrc.xml
creating: OPatch/opatchprereqs/opatch/
inflating: OPatch/opatchprereqs/opatch/opatch_prereq.xml
inflating: OPatch/opatchprereqs/opatch/rulemap.xml
inflating: OPatch/opatchprereqs/opatch/runtime_prereq.xml
inflating: OPatch/opatchprereqs/prerequisite.properties
creating: OPatch/opatchauto-dir/
creating: OPatch/opatchauto-dir/opatchautocore/
creating: OPatch/opatchauto-dir/opatchautocore/jlib/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ProductDriver.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oracle.oplan.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/oplan_core.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/OsysModel.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/automation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/patchsdk.jar
creating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jaxb-api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/jaxb/activation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/osysmodel-utils.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/bundle.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/Validation.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/ValidationRules.jar
inflating: OPatch/opatchauto-dir/opatchautocore/jlib/com.oracle.glcm.common-logging_1.0.0.0.jar
inflating: OPatch/opatchauto-dir/opatchautocore/oplan
inflating: OPatch/opatchauto-dir/opatchautocore/oplan.bat
inflating: OPatch/opatchauto-dir/opatchautocore/README.txt
inflating: OPatch/opatchauto-dir/opatchautocore/README.html
inflating: OPatch/opatchauto-dir/opatchautocore/opatchautobinary
creating: OPatch/opatchauto-dir/opatchautodb/
creating: OPatch/opatchauto-dir/opatchautodb/jlib/
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oracle.oplan.db.classpath.jar
inflating: OPatch/opatchauto-dir/opatchautodb/jlib/oplan_db.jar
creating: OPatch/jlib/
inflating: OPatch/jlib/oracle.opatch.classpath.jar
inflating: OPatch/jlib/opatch.jar
inflating: OPatch/jlib/opatchsdk.jar
inflating: OPatch/jlib/oracle.opatch.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.unix.jar
inflating: OPatch/jlib/oracle.opatchcore.classpath.windows.jar
inflating: OPatch/jlib/oracle.opatch.classpath.unix.jar
creating: OPatch/scripts/
inflating: OPatch/scripts/opatch_wls
inflating: OPatch/scripts/opatch_jvm_discovery.bat
inflating: OPatch/scripts/opatch_wls.bat
inflating: OPatch/scripts/opatch_jvm_discovery
creating: OPatch/oplan/
inflating: OPatch/oplan/oplan.bat
creating: OPatch/oplan/jlib/
creating: OPatch/oplan/jlib/jaxb/
inflating: OPatch/oplan/jlib/jaxb/activation.jar
inflating: OPatch/oplan/jlib/jaxb/jsr173_1.0_api.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-impl.jar
inflating: OPatch/oplan/jlib/jaxb/jaxb-api.jar
inflating: OPatch/oplan/jlib/OsysModel.jar
inflating: OPatch/oplan/jlib/JMXDrivers.jar
inflating: OPatch/oplan/jlib/Validation.jar
inflating: OPatch/oplan/jlib/automation.jar
inflating: OPatch/oplan/jlib/bundle.jar
inflating: OPatch/oplan/jlib/oplan.jar
inflating: OPatch/oplan/jlib/CRSProductDriver.jar
inflating: OPatch/oplan/jlib/OuiDriver.jar
inflating: OPatch/oplan/jlib/oracle.oplan.classpath.jar
inflating: OPatch/oplan/jlib/patchsdk.jar
inflating: OPatch/oplan/jlib/osysmodel-utils.jar
inflating: OPatch/oplan/jlib/ValidationRules.jar
creating: OPatch/oplan/jlib/apache-commons/
inflating: OPatch/oplan/jlib/apache-commons/commons-cli-1.0.jar
inflating: OPatch/oplan/jlib/EMrepoDrivers.jar
inflating: OPatch/oplan/README.html
inflating: OPatch/oplan/oplan
inflating: OPatch/oplan/README.txt
inflating: OPatch/operr
inflating: OPatch/opatch
inflating: OPatch/opatchdiag.bat
inflating: OPatch/operr_readme.txt
inflating: OPatch/opatchdiag
inflating: OPatch/opatch.pl
creating: OPatch/ocm/
creating: OPatch/ocm/lib/
inflating: OPatch/ocm/lib/emocmclnt.jar
inflating: OPatch/ocm/lib/log4j-core.jar
inflating: OPatch/ocm/lib/regexp.jar
inflating: OPatch/ocm/lib/emocmcommon.jar
inflating: OPatch/ocm/lib/osdt_core3.jar
inflating: OPatch/ocm/lib/jsse.jar
inflating: OPatch/ocm/lib/http_client.jar
inflating: OPatch/ocm/lib/osdt_jce.jar
inflating: OPatch/ocm/lib/emocmclnt-14.jar
inflating: OPatch/ocm/lib/jnet.jar
inflating: OPatch/ocm/lib/jcert.jar
inflating: OPatch/ocm/lib/xmlparserv2.jar
extracting: OPatch/ocm/ocm.zip
creating: OPatch/ocm/bin/
inflating: OPatch/ocm/bin/emocmrsp
inflating: OPatch/ocm/ocm_platforms.txt
creating: OPatch/ocm/doc/
[oracle@orcl11204 db]$ ls
apex ctx hs ldap OPatch perl sqlplus
assistants cv ide lib OPatch11204bak plsql srvm
bin dbs install log opmn precomp suptools
ccr dc_ocm instantclient md oracore racg sysman
cdata deinstall inventory mesg oraInst.loc rdbms timingframework
cfgtoollogs demo j2ee mgw orcl11204_db11204 relnotes ucp
clone diagnostics javavm network ord root.sh uix
config dv jdbc nls oui scheduler usm
crs emcli jdev oc4j owb slax utl
csmig EMStage jdk odbc owm sqldeveloper wwg
css has jlib olap p6880880_112000_Linux-x86-64.zip sqlj xdk
[oracle@orcl11204 20299013]$ opatch version
OPatch Version: 11.2.0.3.11
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch prereq CheckConflictAgainstOHWithDetail -ph ./
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
PREREQ session
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-52-51PM_1.log
Invoking prereq "checkconflictagainstohwithdetail"
Prereq "checkConflictAgainstOHWithDetail" passed.
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch apply
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
Verifying environment and performing prerequisite checks...
OPatch continues with these patches: 17478514 18031668 18522509 19121551 19769489 20299013
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]: y
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/opt/oracle/product/11.2.0.4/db')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying sub-patch '17478514' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sdo, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.sdo.locator, 11.2.0.4.0...
Patching component oracle.nlsrtl.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18031668' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.ldap.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.crs, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ldap.rsf.ic, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '18522509' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19121551' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.ordim.client, 11.2.0.4.0...
Patching component oracle.ordim.jai, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '19769489' to OH '/opt/oracle/product/11.2.0.4/db'
ApplySession: Optional component(s) [ oracle.sysman.agent, 11.2.0.4.0 ] not present in the Oracle Home or a higher version is found.
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.ovm, 11.2.0.4.0...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.rdbms.util, 11.2.0.4.0...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.oraolap, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Applying sub-patch '20299013' to OH '/opt/oracle/product/11.2.0.4/db'
Patching component oracle.rdbms.dv, 11.2.0.4.0...
Patching component oracle.rdbms.oci, 11.2.0.4.0...
Patching component oracle.precomp.common, 11.2.0.4.0...
Patching component oracle.sysman.agent, 10.2.0.4.5...
Patching component oracle.xdk, 11.2.0.4.0...
Patching component oracle.sysman.common, 10.2.0.4.5...
Patching component oracle.rdbms, 11.2.0.4.0...
Patching component oracle.rdbms.dbscripts, 11.2.0.4.0...
Patching component oracle.xdk.parser.java, 11.2.0.4.0...
Patching component oracle.sysman.console.db, 11.2.0.4.0...
Patching component oracle.xdk.rsf, 11.2.0.4.0...
Patching component oracle.rdbms.rsf, 11.2.0.4.0...
Patching component oracle.sysman.common.core, 10.2.0.4.5...
Patching component oracle.rdbms.rman, 11.2.0.4.0...
Patching component oracle.rdbms.deconfig, 11.2.0.4.0...
Verifying the update...
Composite patch 20299013 successfully applied.
Log file location: /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_18-53-23PM_1.log
OPatch succeeded.
[oracle@orcl11204 20299013]$ opatch lsinventory
Oracle Interim Patch Installer version 11.2.0.3.11
Copyright (c) 2015, Oracle Corporation. All rights reserved.
Oracle Home : /opt/oracle/product/11.2.0.4/db
Central Inventory : /opt/oraInventory
from : /opt/oracle/product/11.2.0.4/db/oraInst.loc
OPatch version : 11.2.0.3.11
OUI version : 11.2.0.4.0
Log file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/opatch2015-06-29_19-07-44PM_1.log
Lsinventory Output file location : /opt/oracle/product/11.2.0.4/db/cfgtoollogs/opatch/lsinv/lsinventory2015-06-29_19-07-44PM.txt
--------------------------------------------------------------------------------
Local Machine Information::
Hostname: orcl11204
ARU platform id: 226
ARU platform description:: Linux x86-64
Installed Top-level Products (1):
Oracle Database 11g 11.2.0.4.0
There are 1 products installed in this Oracle Home.
Interim patches (1) :
Patch 20299013 : applied on Mon Jun 29 19:00:43 CST 2015
Unique Patch ID: 18573940
Patch description: "Database Patch Set Update : 11.2.0.4.6 (20299013)"
Created on 4 Mar 2015, 02:27:44 hrs PST8PDT
Sub-patch 19769489; "Database Patch Set Update : 11.2.0.4.5 (19769489)"
Sub-patch 19121551; "Database Patch Set Update : 11.2.0.4.4 (19121551)"
Sub-patch 18522509; "Database Patch Set Update : 11.2.0.4.3 (18522509)"
Sub-patch 18031668; "Database Patch Set Update : 11.2.0.4.2 (18031668)"
Sub-patch 17478514; "Database Patch Set Update : 11.2.0.4.1 (17478514)"
Bugs fixed:
17288409, 17798953, 18273830, 18607546, 17811429, 17205719, 20506699
17816865, 19972566, 17922254, 17754782, 16384983, 17726838, 13364795
16934803, 17311728, 17284817, 17441661, 17360606, 13645875, 18199537
16992075, 16542886, 17446237, 14015842, 17889549, 14565184, 19972569
17071721, 20299015, 17610798, 17375354, 17449815, 17397545, 19463897
18230522, 13866822, 17235750, 17982555, 16360112, 18317531, 17478514
19769489, 12905058, 14338435, 18235390, 13944971, 18641451, 20142975
17811789, 16929165, 18704244, 12747740, 18430495, 20506706, 17546973
14054676, 17088068, 17346091, 18264060, 17016369, 17042658, 17343514
14602788, 19972568, 19680952, 18471685, 19788842, 18508861, 14657740
17332800, 19211724, 13837378, 13951456, 16315398, 17186905, 18744139
19972564, 16850630, 18315328, 17437634, 19049453, 18673304, 17883081
19006849, 19915271, 19013183, 18641419, 17296856, 18674024, 18262334
17006183, 18277454, 16833527, 17232014, 16855292, 10136473, 17762296
14692762, 17705023, 18051556, 17865671, 17852463, 18554871, 17853498
19121551, 18334586, 19854503, 17551709, 19309466, 17588480, 19827973
17344412, 17842825, 18828868, 18681862, 18554763, 17390160, 18456514
16306373, 17025461, 13955826, 18139690, 11883252, 13609098, 17501491
17239687, 17752121, 17299889, 17602269, 19197175, 17889583, 18316692
17313525, 18673325, 12611721, 19544839, 18293054, 17242746, 18964939
17600719, 18191164, 19393542, 17571306, 18482502, 19466309, 17951233
17649265, 18094246, 19615136, 17040527, 17011832, 17165204, 18098207
16785708, 16870214, 17465741, 16180763, 17174582, 17477958, 12982566
16777840, 18522509, 20631274, 16091637, 17323222, 19463893, 16595641
16875449, 12816846, 16524926, 17237521, 18228645, 18282562, 17596908
19358317, 17811438, 17811447, 17945983, 18762750, 17156148, 18031668
16912439, 17184721, 16494615, 18061914, 17282229, 17545847, 18331850
18202441, 17082359, 18723434, 19554106, 17614134, 13558557, 17341326
14034426, 17891946, 18339044, 17716305, 19458377, 17752995, 16392068
19271443, 17891943, 18092127, 17258090, 17767676, 16668584, 18384391
17614227, 17040764, 16903536, 17381384, 14106803, 15913355, 18973907
18356166, 18673342, 17389192, 14084247, 16194160, 17612828, 17006570
20506715, 17721717, 13853126, 17390431, 18203837, 17570240, 14245531
16043574, 16863422, 17848897, 17877323, 18325460, 19727057, 17468141
17786518, 17912217, 16422541, 19972570, 17267114, 17037130, 18244962
18765602, 18203838, 18155762, 16956380, 16198143, 17246576, 17478145
17394950, 14829250, 18189036, 18641461, 18619917, 17835627, 17027426
16268425, 18247991, 19584068, 14458214, 18436307, 17265217, 17634921
13498382, 16692232, 17786278, 17227277, 16042673, 16314254, 17443671
18000422, 16228604, 16837842, 17571039, 17393683, 16344544, 17787259
18009564, 20074391, 14354737, 15861775, 18135678, 18614015, 16399083
18362222, 18018515, 16472716, 17835048, 17050888, 17936109, 14010183
17325413, 18747196, 17080436, 16613964, 17036973, 17761775, 16579084
16721594, 17082983, 18384537, 18280813, 20296213, 17302277, 16901385
18084625, 15979965, 15990359, 18203835, 17297939, 17811456, 16731148
13829543, 14133975, 17215560, 17694209, 18091059, 17385178, 8322815
17586955, 18441944, 17201159, 16450169, 9756271, 17655634, 19730508
17892268, 18868646, 17648596, 16220077, 16069901, 11733603, 16285691
17587063, 18180390, 16538760, 18193833, 17348614, 17393915, 17957017
17274537, 18096714, 17308789, 17238511, 18436647, 17824637, 14285317
19289642, 14764829, 17622427, 18328509, 16571443, 16943711, 14368995
18306996, 17346671, 14852021, 18996843, 17783588, 16618694, 17853456
18674047, 17672719, 18856999, 12364061, 18783224, 17851160, 17546761
--------------------------------------------------------------------------------
OPatch succeeded.
[oracle@orcl11204 20299013]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 29 19:08:09 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 726540288 bytes
Fixed Size 2256792 bytes
Variable Size 478150760 bytes
Database Buffers 243269632 bytes
Redo Buffers 2863104 bytes
Database mounted.
Database opened.
SQL> conn test_update/test_update
Connected.
SQL> update (with tmp as (select id from test.t) select id from tmp) set id=10
where id = 1;
2 update (with tmp as (select id from test.t) select id from tmp) set id=10
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL>
SQL> select ACTION_TIME, ACTION, COMMENTS from sys.DBA_REGISTRY_HISTORY;
ACTION_TIME ACTION COMMENTS
------------------------------ -------------------- ------------------------------
24-AUG-13 12.03.45.119862 PM APPLY Patchset 11.2.0.2.0
29-JUN-15 05.15.49.338988 PM APPLY Patchset 11.2.0.2.0
SQL> select count(*) from dba_objects where status'VALID';
COUNT(*)
----------
0
SQL>select object_name,object_type,owner,status
from dba_objects where status'VALID';
no rows selected
到此高危漏洞集安装及安装后漏洞验证成功完成!