Updated on 19 May 2020 to update links and references at My Oracle Support.
Every once in a while over the years I have been asked, “Why don’t you patch the Java JDK included in an Oracle Home directory?”
It is a fair question given how security-conscious we are these days, and my automatic answer – up until now – was always, “It is embedded as-is by Oracle and I can’t alter it without voiding our support agreement,” or, “it doesn’t support any networked services or user-facing functionality, only admin-level configuration tools, so it isn’t really a risk.”
Over the last year or two however, the corporate security types decided that they didn’t care about all that, or the fact that Oracle didn’t offer separate patches. We started to get dinged frequently on security scans for not having the latest Java versions installed. All of that changed this year, when I discovered that Oracle has finally released a series of supported instructions to do exactly that: update the Java JDK embedded in an Oracle Home directory as a part of the normal quarterly patch set update cycle.
First, Oracle laid out an overview of supported update paths in My Oracle Support (MOS) Doc ID 1449674.1 (no longer available), which stated essentially that it is OK to make minor release updates to the embedded JDK, say from Java 7 update 181 to Java 7 update 191, but not major release updates such as from Java 7 to Java 8. The only exceptions to this are for Oracle 126.96.36.199, which shipped originally with a Java 1.5 JDK, and Oracle 188.8.131.52, which shipped with a Java 1.6 JDK.
- MOS Doc ID 2366614.1 identifies a one-off patch (25803774) that will upgrade the JDK installed with 184.108.40.206 from Java 5 to Java 7, after which it can be updated with the latest Java 7 JDK minor releases.
- MOS Doc ID 27301652 identifies a one-off patch (27301652) that will upgrade the JDK installed with 220.127.116.11 from Java 6 to Java 7, after which it can be updated with the latest Java 7 JDK minor releases.
By default, the following Java JDK major versions were shipped with each Oracle database version:
- Oracle 18.104.22.168: Java 5 (updated to Java 7 with patch 25803774)
- Oracle 22.214.171.124: Java 6 (updated to Java 7 with patch 27301652)
- Oracle 126.96.36.199: Java 8
- Oracle 18c: Java 8
- Oracle 19c: Java 8
You can confirm which version of the Java JDK your Oracle Home is using with the following command:
Once your Oracle Home directory is confirmed as using JDK version 7 or 8, you can use MOS Doc ID 2584628.1 to identify the latest JDK updates for each major release available for download from My Oracle Support. Note that this document also lists a one-time Perl patch for install on all 11g, 12c, and 18c releases.
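One way to script the version check and the "JDK 7 or 8" confirmation described above, as an added example that is not from the original post. It assumes the embedded JDK binary sits at `$ORACLE_HOME/jdk/bin/java`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): report the JDK embedded in an
# Oracle Home and which update path from the post applies to it.
# Assumption: the embedded JDK binary is $ORACLE_HOME/jdk/bin/java.

# Print "<major> <update>" (e.g. "7 181") for a `java -version` banner.
parse_jdk_banner() {
    # Take the first line carrying version "..."; extra lines such as
    # "Picked up JAVA_TOOL_OPTIONS" may precede it.
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) major=${ver#1.}; major=${major%%.*} ;;  # 1.7.0_181 -> 7
        *)   major=${ver%%.*} ;;
    esac
    case "$ver" in
        *_*) update=${ver##*_}; update=${update%%-*} ;;  # 1.7.0_181 -> 181
        *)   update=0 ;;
    esac
    printf '%s %s\n' "$major" "$update"
}

# Map a major version to the update path described in the post.
classify_jdk() {
    case "$1" in
        5|6) echo "one-off upgrade to Java 7 needed first" ;;
        7|8) echo "eligible for minor-release JDK updates" ;;
        *)   echo "outside the update paths described" ;;
    esac
}

check_oracle_home_jdk() {
    java_bin="$1/jdk/bin/java"
    [ -x "$java_bin" ] || { echo "no embedded JDK at $java_bin" >&2; return 2; }
    banner=$("$java_bin" -version 2>&1)   # the banner is written to stderr
    parsed=$(parse_jdk_banner "$banner") || {
        echo "unrecognised version banner from $java_bin" >&2; return 1; }
    echo "Java ${parsed% *} update ${parsed#* }: $(classify_jdk "${parsed% *}")"
}

# Run against the current environment when ORACLE_HOME is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    check_oracle_home_jdk "$ORACLE_HOME"
fi
```

Running it once per Oracle Home before and after each quarterly cycle gives a record of the embedded JDK level to compare against what the security scan reports.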
With this development, there are now a minimum of three patches which should be installed in a database Oracle Home directory each quarter:
- the Database Patch Set Update (PSU)
- the Oracle Java Virtual Machine (OJVM) PSU
- the Java JDK PSU
It is important (and required for those of us who need to be mindful of being DISA STIG-compliant) to maintain all three patch sets for each Oracle Home to ensure all of the latest security fixes are in place.