Patching the Java JDK in ORACLE_HOME


Updated on 19 May 2020 to update links and references at My Oracle Support.

Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”

It is a fair question given how security conscious we are these days, and my automatic answer – up until now – was always, “It is embedded as-is by Oracle and I can’t alter it without voiding our support agreement,” or, “it doesn’t support any networked services or user facing functionality, only admin-level configuration tools, so it isn’t really a risk.”

Over the last year or two however, the corporate security types decided that they didn’t care about all that, or the fact that Oracle didn’t offer separate patches. We started to get dinged frequently on security scans for not having the latest Java versions installed. All of that changed this year, when I discovered that Oracle has finally released a series of supported instructions to do exactly that: update the Java JDK embedded in an Oracle Home directory as a part of the normal quarterly patch set update cycle.

First Oracle layed out an overview of supported update paths in My Oracle Support (MOS) Doc ID 1449674.1 (no longer available), which stated essentially that it is ok to make minor release updates to the embedded JDK, say from Java 7 update 181 to Java 7 update 191, but not major release updates as from Java 7 to Java 8. The only exceptions to this are for Oracle 11.2.0.4, which shipped originally with a Java 1.5 JDK, and Oracle 12.1.0.2, which shipped with a Java 1.6 JDK.

  • MOS Doc ID 2366614.1 identifies a one-off patch (25803774) that will upgrade the JDK installed with 11.2.0.4 from Java 5 to Java 7, after which it can be updated with the latest Java 7 JDK minor releases.
  • MOS Doc ID 27301652 identifies a one-off patch (27301652) that will upgrade the JDK installed with 12.1.0.2 from Java 6 to Java 7, after which it can be updated with the latest Java 7 JDK minor releases.

By default, the following Java JDK major versions were shipped with each Oracle database version:

  • Oracle 11.2.0.4:                 Java 5 (updated to Java 7 with patch 25803774)
  • Oracle 12.1.0.2:                 Java 6 (updated to Java 7 with patch 27301652)
  • Oracle 12.2.0.1:                 Java 8
  • Oracle 18c:                  Java 8
  • Oracle 19c:                 Java 8

You can confirm which version of the Java JDK your Oracle Home is using with the following command:

$ORACLE_HOME/jdk/bin/java -version

Once your Oracle Home directory is confirmed as using JDK version 7 or 8, you can use MOS Doc ID 2584628.1 to identify the latest JDK updates for each major release available for download from My Oracle Support. Note that this document also lists a one-time Perl patch for install on all 11g, 12c, and 18c releases.

With this development, there are now a minimum of three patches which should be installed in a database Oracle Home directory each quarter:

  1. the Database Patch Set Update (PSU)
  2. the Oracle Java Virtual Machine (OJVM) PSU
  3. the Java JDK PSU

It is important (and required for those of us who need to be mindful of being DISA STIG-compliant) to maintain all three patch sets for each Oracle Home to ensure all of the latest security fixes are in place.

10 thoughts on “Patching the Java JDK in ORACLE_HOME

  1. good article. I recently found this gem JDK and PERL Patches for Oracle Database Home and Grid Home (Doc ID 2584628.1)
    I am surprised that this is not talked about more.

    Like

  2. Wanted to add that also you need to update the JRE under your Oracle OPatch utility also which is under $ORACLE_HOME/OPatch
    Regards,
    Emad Al-Mousa

    Like

  3. Great article! MOS Doc IDs 2286866.1 and 1449674.1 are no longer available. Are there new doc IDs for these topics? I’m not finding any in my searches.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.