New SPBAT Patching Tool for WebLogic Server 12.2.1.3, 12.2.1.4, and 14.1.1

Simplified CPU/PSU Patching for WebLogic Server 12.2.1 and 14.1.1

Understanding the CPU/PSU requirements for Oracle WebLogic Server Traditional approach of applying WebLogic Server PSU
Simplifying the download and installation process – Stack Patch Bundle Demonstration

 What is Critical Patch Update (CPU) ?

•   A Critical Patch Update is a collection of patches for multiple security vulnerabilities.
•   These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products.
•   These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory.
•   Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches.
•   They are available to customers with valid support contracts.
•   They are released on the Tuesday closest to the 17th day of January, April, July andOctober.

Understanding the CPU/PSU requirements for Oracle WebLogic Server

 What is Patch Set Update (PSU) ?

 A PSU is a proactive patch with the following characteristics:  Cumulative

Quarterly schedule
Highly controlled and selected content
Includes CPU (Critical Patch Update) security fixes
Tested for both regressions and functional correctness
Follows the error correction policy of the Patch Set that the PSU is based on.

Traditional approach of applying WebLogic Server PSU

Traditional approach of applying WebLogic Server PSU

Identify the components installed and that need quarterly patching.

Built-in
(Always present) components

Generally updated quarterly

Sometimes updated quarterly

WLS OPatch Coherence Examples

ADR

JDK

WLS Java SE Installation Installation

Traditional approach of applying WebLogic Server PSU

Optional Components

 While installing WLS quarterly PSU it is important to know if you have optional components installed in your environment and to check if there was a quarterly CPU/PSU release for that component.

 The two optional components that can be installed with WLS are :

 WLS Samples/Examples
Not recommended for Production Installs
Recommended to apply SPU patches if Examples/Samples are present.

 ADR
Automatic Diagnostic Repository (ADR) is part of the Oracle Fusion Middleware Diagnostic

Framework. (native code)
Included in some, not all WLS installers
Recommended to apply ADR CPU patches if ADR is present

Traditional approach of applying WebLogic Server PSU

How to identify if Optional components are installed?

•   To find out what is currently installed, use the ORACLE_HOME/oui/bin/viewInventory.sh script (viewInventory.cmd on Windows) to obtain a list of all Distributions, Feature Sets, and Components.
•   ADR and SPU patch can only be installed in an environment that has ADR and Examples/Samples component installed.
•   When you try to install ADR or SPU patch in an environment which does not have these components installed then OPatch will exit with a warning.

Traditional approach of applying WebLogic Server PSU

Built-in / Always present components

 It is important to patch the following built-in (Always present) components shipped with WLS installation :

 JDK
 JDK fixes are cumulative any new bugs/security fixes will be included in the next minor build of JDK.
 Newer JDK builds are usually follow the quarterly CPU/PSU cycle and Oracle highly recommends to install it.

 OPatch
 OPatch is used to apply patches and newer patches may need the updated Opatch version, so it is

important to check the Opatch version before installing any PSU/CPU patch.  WLS

 WLS PSU is installed using OPatch tool and it is important to identify the minimum opatch version required to apply the WLS PSU. This information is available in the README document.

 Coherence
 Coherence patches are applied using OPatch tool. Coherence cumulative patch contains all fixes from

earlier Coherence cumulative patches and supersedes any installed earlier patch

Traditional approach of applying WebLogic Server PSU

Recommended steps to apply PSU and other component patches

1. Download the required PSU/CPU patches released for installed components :  JDK OPatch
    WLS PSU
    Coherence
    ADR
    WLS Samples/Examples
2. Shutdown all servers.
3. Install JDK updates
4. Upgrade Opatch tool
5. Apply WLS PSU
6. Apply Coherence patch using Opatch
7. Apply ADR patch using Opatch
8. Apply WLS Samples SPU patch using Opatch
9. Restart all servers.

Traditional approach of applying WebLogic Server PSU

Challenges?

 In the traditional approach of applying WLS PSU, it is important to identify the optional and built-in / Always present components in a WLS installation.

 It is also important to check if a new PSU/CPU was released for a particular component and then apply it if needed.

 Your environment may be vulnerable if you have just installed the WLS PSU and any of the components installed along with it is unpatched.

 In short, we must apply multiple CPU/PSU patches during every quarterly release cycle.

Simplifying the download and installation process – Stack Patch Bundle

Stack Patch Bundle (SPB)

Introduction

•   SPB is a single download patch that consists of all the PSU/CPU patches released for all the optional/built-in (Always present)components of a WLS installation.
•   A single command can be used to patch the entire WLS installation (with all its components).
•   It auto detects if an optional component is present in a WLS installation and patches it OR skips patching missing components. (like ADR or WLS Samples).

Stack Patch Bundle (SPB)

Recommended steps to apply SPB using OPatch tool

1. Download the following patches :  JDK

 A Single SPB Patch (This also contains the latest OPatch tool, but must be installed manually)

2. Shutdown all Servers and take a backup of entire ORACLE_HOME and CENTRAL INVENTORY directories.
3. Install JDK Update (check the minimum version required in SPB -> README.html)
4. Upgrade OPatch tool if required.
5. Apply SPB patch using OPatch tool.
6. Restart all servers.

6 downloads2 downloads
9 steps6 steps
More predictable, reliable and secure

Stack Patch Bundle (SPB)

Advantages of using SPB

•   A Single Zip file containing latest CPU/PSU patches for all WLS components.(Built-in/always present components + Optional components)
•   Single command to install all CPU/PSU patches
   Opatch napply -oh <ORACLE_HOME> -phBaseFile <patch_list_file>
   Note that JDK must be upgraded manually
   Latest version of OPatch is bundled with SPB but must be installed separately.
•   Applies patches in a sequence
•   Auto detects all the components installed in your environment andpatches it if required.
•   Appropriate handling
•   More Predictable, Reliable and Secure.

Stack Patch Bundle (SPB)

Steps to apply April 2021 SPB patch using OPatch tool

 Step1:
 Identify the ORACLE_HOME that is being patched and stop all the servers.
 Download the SPB patch
 Create a backup of the entire ORACLE_HOME and CENTRAL INVENTORY directories.

 Step2:
 Check the SPB -> README.html for the minimum and recommended JDK version

required to install SPB.
README.html also contains a KM/link to download the latest JDK build release.  Download and install the latest JDK build available.

Stack Patch Bundle (SPB)

Steps to apply April 2021 SPB patch using OPatch tool

 Step3:

•   Run “$ORACLE_HOME/OPatch/opatch version” command to identify the OPatch toolversion.
•   Check the SPB -> README.html file to identify the minimum OPatch version required toapply the SPB patch.
•   NOTE: Latest OPatch version is bundled in the SPB zip file, but it must be applied separately.
•   Upgrade OPatch tool if required.
•   Set the JAVA_HOME and ORACLE_HOME environment variables and unset theCLASSPATH and WEBLOGIC_CLASSPATH variables

Stack Patch Bundle (SPB)

Steps to apply April 2021 SPB patch using OPatch tool

 Step4:

UNIX:
cd WLS_SPB_<wls_version>.<VERSION>/binary_patches
<ORACLE_HOME>/OPatch/opatch napply -oh <ORACLE_HOME> -phBaseFile <patch_list_file>

 WINDOWS :

cd WLS_SPB_<wls_version>.<VERSION>\binary_patches

<ORACLE_HOME>\OPatch\opatch napply -oh <ORACLE_HOME> -phBaseFile windows64_patchlist.txt

Stack Patch Bundle (SPB)

Steps to apply April 2021 SPB patch using OPatch tool

 <os>_patchlist.txt files are bundled with SPB and are present in binary_patches directory.  Example :

[oracle@celvpvm04874 binary_patches]$ pwd /refresh/home/Downloads/SPB/WLS_SPB_12.2.1.4.210411/binary_patches

[oracle@celvpvm04874 binary_patches]$ cat solaris_sparc64_patchlist.txt

adr/solaris_sparc64/p32647448_122140_SOLARIS64.zip

wls/generic/p32698246_122140_Generic.zip coherence/generic/p32581859_122140_Generic.zip samples/generic/p32148640_122140_Generic.zip

Stack Patch Bundle (SPB)

Check for possible SPB patching related errors

 Note that you can optionally run the “opatch napply -report “ command to check for possible issues while applying SPB and you could also analyze the logs generated for any errors.

 No changes are made to your Oracle_Home while running the “opatch -report” command even though the command output may say that patches were successfully applied.

 cd WLS_SPB_<wls_version>.<VERSION>/binary_patches
 <ORACLE_HOME>/OPatch/opatch napply -report -oh <ORACLE_HOME> -phBaseFile

 Step1:

•   tar -cf oraInventory_April21backup.tar oraInventory/*
•   tar -cf Oracle_Home_lite_April21backup.tar Oracle_Home_lite/*
•   unzip /refresh/home/Downloads/SPB/p32755791_122140_Generic.zip
•   unset WEBLOGIC_CLASSPATH
•   unset CLASSPATH
•   export ORACLE_HOME=/refresh/home/Oracle/Middleware12214/Oracle_Home_lite
•   export JAVA_HOME=/refresh/home/Downloads/jdk1.8.0_281 Copyright 2021, Oracle and/or affiliates. All rights reserved

 Step2: (Upgrade JDK)

•   $ORACLE_HOME/oui/bin/getProperty.sh JAVA_HOME
•   $ORACLE_HOME/oui/bin/setProperty.sh -name OLD_JAVA_HOME -value /refresh/home/Downloads/jdk1.8.0_281
•   $ORACLE_HOME/oui/bin/setProperty.sh -name JAVA_HOME -value /refresh/home/Downloads/jdk1.8.0_291
•   $ORACLE_HOME/oui/bin/getProperty.sh JAVA_HOME
•   vi $DOMAIN_HOME/bin/setNMJavaHome.sh
•   vi $DOMAIN_HOME/nodemanager/nodemanager.properties
•   vi $DOMAIN_HOME/bin/setDomainEnv.sh

 Step3: (Upgrade OPatch tool)
 $ORACLE_HOME/OPatch/opatch version

 unzip/refresh/home/Downloads/SPB/WLS_SPB_12.2.1.4.210411/tools/opatch/generic/p281867 30_139425_Generic.zip -d /tmp/opatch

•   $JAVA_HOME/bin/java -jar /tmp/opatch/6880880/opatch_generic.jar -silent oracle_home=/refresh/home/Oracle/Middleware12214/Oracle_Home_lite
•   $ORACLE_HOME/OPatch/opatch version Copyright 2021, Oracle and/or affiliates. All rights reserved

 Step4: (Apply SPB patch)
 cd /refresh/home/Downloads/SPB/WLS_SPB_12.2.1.4.210411/binary_patches

 $ORACLE_HOME/OPatch/opatch napply -oh /refresh/home/Oracle/Middleware12214/Oracle_Home_lite -phBaseFile linux64_patchlist.txt

 $ORACLE_HOME/OPatch/opatch lspatches

Recommended steps to apply April 2021 Stack Patch Bundle(SPB) Patch using OPatch tool

Stack Patch Bundle (SPB)

Rollback and Post-Install information

•   For complete rollback of April 2021 SPB, use the backups (created before the application of SPB) to restore the ORACLE_HOME and CENTRAL INVENTORY.
•   Security Advice and Post-Install Information for Oracle WebLogic Server PSUs (Doc ID 2764668.1)
•   The above document is to complement the WebLogic Server Patch Set Update (PSU) for information on changed features, required post- installation configuration tasks, and additional security recommendations.

Sneak peek into Security Advice and Post-Install Information for Oracle WebLogic Server PSUs document

These default settings can change over time. WebLogic Server provides a system property, weblogic.oif.serialFilterLogging, that you can use to log the current blockli

Additional Information

WebLogic Server JEP 290 Default Filter (RECAP)

 To improve security, WebLogic Server uses the JDK JEP 290 mechanism to filter incoming serialized Java objects and limit the classes that can be deserialized.

•   The filter helps to protect against attacks from specially crafted, malicious serialized objects that can cause denial of service (DOS) or remote code execution (RCE) attacks.
•   To ensure that your system is protected with the most current default filter, be sure to apply the latest Java and WebLogic Server Critical Patch Updates (CPUs) as soon as they are released. These default settings can change over time. WebLogic Server provides a system property, weblogic.oif.serialFilterLogging, that you can use to log the current blocklist classes and packages.

Introducing Dynamic Blocklist!

 Dynamic blocklists provide the ability to update your blocklist filters by creating a configuration file that can be updated or replaced while the server is running.

 The April 2021 Patch Set Update (PSU) provides the following functionality for dynamic blocklists:

 By default, WebLogic Server will detect the presence of a dynamic blocklist configuration file located in the DOMAIN_HOME/config/security directory, and block deserialization of classes specified in the configuration file.

 WebLogic Server can also locate dynamic blocklist configuration files that you place in other directories, for example the Oracle Home directory, and block deserialization using those files as appropriate. (using a new system property, weblogic.oif.serialPropDirectories, and include the property in the WebLogic Server start- up script).

Introducing Dynamic Blocklist!

 By default, these directories are polled every 60 seconds. weblogic.oif.serialPropPollingFileInterval system property can be used to change the polling interval.

 -Dweblogic.oif.serialPropPollingFileInterval=10000 (10 seconds)
 WebLogic Server reads the blocklist files at the specified time interval

and immediately begins enforcing the blocks that are specified.

•   You can update or replace the files without needing to stop the server.
•   At the time of the April 2021 PSU delivery, there are no blocklist files that Oracle recommends configuring on user systems, and no further action is required. However, Oracle may recommend or encourage configuration of blocklist files on user systems in the future.

 Recommended steps to install the CPU/PSU patches for WebLogic Server using the Traditional Approach.

 How to identify the Optional components installed in your environment.  Recommended steps to install Stack Patch Bundle (SPB) for WebLogic

Server using OPatch tool.
 Security Advice and Post-Install Information for Oracle WebLogic Server

Top Articles and Community Links

•   Doc ID 2764636.1 Introducing the Stack Patch Bundle (SPB) for Oracle WebLogic Server
•   Doc ID 2762944.1 Oracle Critical Patch Update (CPU) April 2021 for Oracle Java SE
•   Doc ID 2764668.1 for Security Advice and Post-Install Information for Oracle WebLogic Server PSUs
•   Doc ID 1492980.1 on How to Install and Maintain the Java SE Installed or Used with FMW 11g/12c/14.1.1 Products

Top Articles and Community Links

 Oracle Document on Dynamic Block Filter
 https://blogs.oracle.com/fusionmiddlewaresupport/oracle-weblogic-

server-critical-patch-update-v2

 Applying WebLogic PSU/SPB Using Opatch 13.9.4.2.5 Failed with “error code 73” and “Can not find opatch executable script” (Doc ID 2747858.1)

 Advisor Webcast: How to Find Critical Patch Updates for Oracle Fusion Middleware Products held on January 16th 2020 (Doc ID 2611941.1)