Download and install Oracle Critical Patch Updates (CPU) for Symantec DLP
Article ID: 184483

Products

Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Oracle Standard Edition 2

Issue/Introduction

The following information will help you with the installation of an Oracle Critical Patch Update (CPU) for Symantec Data Loss Prevention (DLP).

Users of Enterprise Oracle must obtain the CPU from Oracle and work with Oracle if any issues are encountered.
Users of Standard Oracle will need to download the CPU from the Broadcom support portal.
Once Oracle releases a new CPU, we will post it to the support portal after testing and validating the CPU.

Environment

Oracle 19c

Cause

Vulnerability Patching

Resolution

Confirm the ORACLE_HOME environment variable is pointing to your Database Home, for example: D:\oracle\product\19.3.0.0\db_1\

Windows: echo %ORACLE_HOME%
Linux: echo $ORACLE_HOME

  1. Extract the zip file downloaded from the Broadcom Support Portal, for example Oracle_19c_CPU2024JAN_Win64.zip.
    The extracted zip will contain 4 folders: JDKUpdate_*, OJVMUpdate_*, Opatch_64bit* and ReleaseUpdate_*, where the asterisk stands for the version or platform information. This example uses the 64-bit Windows version.



  2. First, update the OPatch utility, which is used to actually update the Oracle software.
    a) Open the Opatch_64bit_* folder
    b) Extract the zip contained inside. In this example it is named p6880880_190000_MSWIN-x86-64.zip
    c) Open the folder with the extracted data and copy the whole Opatch directory
    d) Navigate to the Oracle home directory, which should be accessible by using the ORACLE_HOME environment variable. It should lead to the Oracle installation directory, which by default is C:\oracle\product\19.3.0.0\db_1
    e) Find the OPatch directory in the folder and rename it to back it up.
    f) Paste the OPatch directory copied from the CPU package in step c into the db_1 directory.

  3. Stop all Symantec DLP services on the Enforce Server

  4. Stop the listener service by running the below command in Command Prompt as administrator:
    lsnrctl stop

  5. Shutdown Oracle database instances associated with DLP
    a) In Command Prompt running as administrator run:

    sqlplus sys as sysdba

    b) Enter the password when prompted
    c) Run the “shutdown immediate” command in SQLPlus:


    d) The expected result is:



    e) Exit SQLPlus by executing (with the semicolon included):

    exit;

  6. With the OPatch updated and Oracle instance shut down you can proceed with the next package.
    a) Extract the zip contained in the ReleaseUpdate_* folder
    b) Open Command Prompt as administrator
    c) Using “cd” in the Command Prompt, navigate to the extracted folder, which will be named like p35962832_190000_MSWIN-x86-64, and then to the folder contained inside, which will have a numeric name like 35962832.
    The final path in the Command Prompt should be similar to the one below. It may differ based on the directory where the downloaded zip was placed or where the files were extracted.
    C:\Users\<USER>\Downloads\Oracle_19c_CPU2024JAN_Win64\DLP\ReleaseUpdate_19.22.0.0.0_2024JAN_64bit_Win\p35962832_190000_MSWIN-x86-64\35962832
    d) Execute the following command:
    %oracle_home%\opatch\opatch apply



    If the Opatch utility fails with “OPatch failed with error code = 73”:



    Open services.msc on the machine and manually stop any services associated with the DLP database. In this example those services were named “OracleServicePROTECT” and “OracleVssWriterPROTECT”



    Run the same command again after stopping those.

    e) The Opatch utility will run prerequisite checks and if everything checks out will prompt whether it should proceed. To do so type “y” and hit enter.
    f) Then it will ask whether the local system is ready for patching. To proceed enter “y” and hit enter again.



    g) Once done, the tool will report which patches were installed and will say “Opatch succeeded”. The Patch ID will match the name of the 8-digit directory active in Command Prompt.



  7. After the ReleaseUpdate* has been successfully installed, proceed with OJVMUpdate* following the same logic: extract the zip, change the directory in the Command Prompt to the 8-digit patch number, and run %oracle_home%\opatch\opatch apply.
    The Command Prompt directory should be, for example:
    C:\Users\<USER>\Downloads\Oracle_19c_CPU2024JAN_Win64\DLP\OJVMUpdate_19.22.0.0.0_2024JAN_64bit_Win\p35926646_190000_MSWIN-x86-64\35926646
    Note that OJVM is optional, as DLP does not use OJVM; however, Oracle recommends installing the latest OJVM patch.
  8. Lastly, proceed the same way with JDKUpdate*. Extract the package and change the directory in Command Prompt to the 8-digit version directory of the extracted package, for example:
    C:\Users\<USER>\Downloads\Oracle_19c_CPU2024JAN_Win64\DLP\JDKUpdate_19.0.0.0.0_8u401_64bit_Win\p35949090_190000_MSWIN-x86-64\35949090
    Run %oracle_home%\opatch\opatch apply again.
  9. Start both Oracle services (OracleServicePROTECT and OracleVssWriterPROTECT in this example) if those were stopped for the previous step.
  10. Start the listener again by running “lsnrctl start” in Command Prompt as administrator.
  11. Run the following command to complete the update:
    %oracle_home%\opatch\datapatch -verbose

    When prompted, enter a database user with SYSDBA privileges, hit enter, provide the password and hit enter again.

    Once done, the tool will return the status of each patch. You may notice a rollback of an older OJVM patch, but an apply of the new one will follow shortly.



  12. Lastly, start all the Symantec DLP services on the Enforce server. Make sure to start them in the correct order.

Additional Information

The Oracle CPU includes both the opatch application and the patch itself. These come in two different zip files. You need to unzip both of these under the ORACLE_HOME directory. When you unzip the opatch application, you will update the files under the original %oracle_home%\opatch directory.

For reference, the opatch application folder is named like OPatch_64bit_12.2.0.1.29, and the patch number zip file is named like p6880880_190000_MSWIN-x86-64.zip.

When you run the command to install the CPU, be sure to change directories into the patch number directory and reference the opatch application:

%oracle_home%\opatch\opatch apply

Also, the command will fail unless you shut down all sqlplus sessions, regardless of whether they are connected to the database or not.

  • Use the Windows Task Manager to show processes from all users, and look for any sqlplus.exe processes and stop them.

Some system services can also hold Oracle files open and cause this error. Stop the following services during Opatch execution:

  • The Distributed Transaction Coordinator service
  • The Windows Management Instrumentation service
  • The COM+ System Application service
  • On a virtualized system: the VMware Tools service and any other VMware-provided services

Note: In some cases, the Windows system can automatically restart these services after they are manually stopped. It may be necessary to temporarily disable the services while Opatch is executing, and re-enable them after the CPU installation has completed.

Also, when searching for which processes might be tying up the Oracle DLLs, you can use the tasklist command from the command prompt:

Tasklist /m

This displays all of the DLLs being used by processes on the system. However, if the CPU patch is erroring out and specifically mentions a DLL, you can search for it with:

Example DLL lookup:

Tasklist /m oci.dll

This will return a list of all processes using the specified dll file.
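
The checks described above (stray sqlplus sessions, the listed services, and the tasklist /m lookup) can be combined into one read-only pre-flight script to run before opatch apply. This is an added example, not part of the original article or of Broadcom's or Oracle's tooling; the function name Test-OPatchPreflight is hypothetical, and services are matched by the display names given above.

```powershell
# Added example: pre-flight check for processes and services that can hold
# Oracle files open while "opatch apply" runs. Read-only: it stops nothing.
function Test-OPatchPreflight {
    param(
        # DLL to look up with "tasklist /m"; oci.dll is the article's example.
        [string]$Dll = 'oci.dll'
    )
    $findings = @()

    # ORACLE_HOME must point at the database home that contains OPatch.
    $oracleHome = $env:ORACLE_HOME
    if (-not $oracleHome -or -not (Test-Path (Join-Path $oracleHome 'OPatch'))) {
        $findings += "ORACLE_HOME is unset or has no OPatch directory: '$oracleHome'"
    }

    # Any sqlplus.exe session blocks the patch, connected or not.
    foreach ($p in @(Get-Process -Name sqlplus -ErrorAction SilentlyContinue)) {
        $findings += "sqlplus.exe still running (PID $($p.Id))"
    }

    # Services the article lists, matched by display name (wildcard for VMware).
    $names = 'Distributed Transaction Coordinator',
             'Windows Management Instrumentation',
             'COM+ System Application',
             'VMware*'
    foreach ($s in @(Get-Service -DisplayName $names -ErrorAction SilentlyContinue)) {
        if ($s.Status -ne 'Stopped') {
            $findings += "Service '$($s.DisplayName)' is $($s.Status)"
        }
    }

    # Processes that have the DLL loaded, via "tasklist /m <dll>" in CSV form.
    # Only quoted CSV rows are parsed, so the "INFO: No tasks..." line is skipped.
    $rows = & tasklist.exe /m $Dll /fo csv /nh 2>$null
    foreach ($row in @($rows | Where-Object { $_ -match '^"' })) {
        $fields = $row | ConvertFrom-Csv -Header Image, ProcessId, Modules
        $findings += "$($fields.Image) (PID $($fields.ProcessId)) has $Dll loaded"
    }
    return $findings
}

$result = Test-OPatchPreflight
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No blocking processes or services found.' }
```

Run it from an elevated PowerShell prompt on the database server; pass -Dll with the file name from the OPatch error message if it names a different DLL.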

If you receive a 73 or 74 error, you can try using the -force argument, or uninstall the conflicting package per the following article:

Article Id: 159395 - Oracle Critical Patch Update on Windows fails with error 74