Opatch now obfuscates its own backups – the new “opatch util Obfuscate” option explained

With OPatch version for databases (and version for Middleware), a new utility was included: obfuscate.

This utility was released to workaround the increased security needed around databases servers. We cannot escape having vulnerability scanners to run there. These vulnerability scanners sometimes do not distinguish between used and unused files.

When patching a database, backup copy of the modified files are kept in $ORACLE_HOME/.patch_storage. Their hash sometime trigger the vulnerability scanners and says – 🚨server not patched ⚠️. Which is misleading.

Starting with OPatch, released together with the January 2023 Release Update, the backup of patch files are automatically obfuscated.

The new “opatch util obfuscate” allows to do the same for older patches. Let’s see how it works.

Before the tests I’ve done a backup of $ORACLE_HOME/.patch_storage in /tmp

Now I call the new tool:

$ORACLE_HOME/OPatch/opatch util Obfuscate
Oracle Interim Patch Installer version
Copyright (c) 2023, Oracle Corporation.  All rights reserved.

Oracle Home       : /u00/app/grid/19.18.0
Central Inventory : /u00/app/OraInventory
   from           : /u00/app/grid/19.18.0/oraInst.loc
OPatch version    :
OUI version       :
Log file location : /u00/app/grid/19.18.0/cfgtoollogs/opatch/opatch2023-08-15_09-07-07AM_1.log

Invoking utility "obfuscate"
PS Obfuscate OPtion provided
Obfuscate patch storage .......

[Aug 15, 2023 9:07:10 AM] [INFO]    Invoking utility "obfuscate"
[Aug 15, 2023 9:07:10 AM] [INFO]    Obfuscate patch storage .......
[Aug 15, 2023 9:07:10 AM] [INFO]    Begin obfuscatePatchStorage
[Aug 15, 2023 9:18:50 AM] [INFO]    Obfuscating patch: 32916816_Jul_19_2021_01_56_39
[Aug 15, 2023 9:18:57 AM] [SEVERE]  Failed to zip obfuscated files: Unzip failed
[Aug 15, 2023 9:18:58 AM] [INFO]    Obfuscating patch: 32916816_Jul_19_2021_01_56_39 is done
[Aug 15, 2023 9:26:57 AM] [INFO]    Obfuscating patch: 34765931_Jan_27_2023_11_25_14
[Aug 15, 2023 9:26:57 AM] [WARNING] Patch /u00/app/grid/19.18.0/.patch_storage/34765931_Jan_27_2023_11_25_14 is already obfuscated
[Aug 15, 2023 9:27:22 AM] [INFO]    End obfuscatePatchStorage
[Aug 15, 2023 9:27:22 AM] [INFO]    Finishing UtilSession at Tue Aug 15 09:27:22 CEST 2023

This was a huge ORACLE_HOME, with backups of patches for the last three years. It tool 20 minutes to obfuscate about 10 GB of patch backups.

Checking the files in the .patch_storage folder, all now have names obfuscates, like

-rwxr-xr-x. 1 oracle dba 6332 Aug 15 09:12 /u00/app/grid/19.18.0/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_

It also changed the last modifed date of the file, but I could notice this example matches the file:

-rwxr-xr-x. 1 oracle dba 6332 Jul 14  2019 tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli

The md5sum is different, meaning the contents were changed:

$ md5sum tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli
d0b1ebd73a2bbb0a51c5e2eb0f04f9f4  tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli

$ md5sum $ORACLE_HOME/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
ac507f596b7aff82ea931a6c2be12fc2  /u00/app/grid/19.18.0/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_

And diff shows that small extra characters were added:

diff tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli $ORACLE_HOME/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
< #!/bin/sh
> ▒!/bin/sh
> ▒
\ No newline at end of file

All the rest is the same, example of the beginning of the file:

$ head $ORACLE_HOME/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
#    NAME
#     zdmcli - Cloud Control Utility
#      Cloud Control Utility can be used to migrate databases from on premises
#      to the cloud and vice versa.

$ head tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli
#    NAME
#     zdmcli - Cloud Control Utility
#      Cloud Control Utility can be used to migrate databases from on premises
#      to the cloud and vice versa.

More information about this utility is part of this note (attention, small things already changed in newest version of the tool):

OPatch Introduces a New Feature to Obfuscate the ORACLE_HOME/.patch_storage Directory (Doc ID 2909604.1)

It is nice to know OPatch keeps improving. As all new patch backups are automatically obfuscated, normally we do not need to actively use this new utility.

Leave a comment

Your email address will not be published. Required fields are marked *