With OPatch version 188.8.131.52.36 for databases (and version 184.108.40.206.11 for Middleware), a new utility was included: obfuscate.
This utility was released as a workaround for the increased security requirements around database servers. We cannot avoid having vulnerability scanners run there, and these scanners sometimes do not distinguish between used and unused files.
When patching a database, backup copies of the modified files are kept in $ORACLE_HOME/.patch_storage. Their hashes sometimes trigger the vulnerability scanners, which then report: 🚨server not patched ⚠️. This is misleading.
Starting with OPatch 220.127.116.11.36, released together with the January 2023 Release Update, the backups of patch files are automatically obfuscated.
The new “opatch util obfuscate” allows doing the same for older patches. Let’s see how it works.
Before the tests I’ve done a backup of
Now I call the new tool:
$ORACLE_HOME/OPatch/opatch util Obfuscate
Oracle Interim Patch Installer version 18.104.22.168.39
Copyright (c) 2023, Oracle Corporation. All rights reserved.

Oracle Home : /u00/app/grid/19.18.0
Central Inventory : /u00/app/OraInventory
from : /u00/app/grid/19.18.0/oraInst.loc
OPatch version : 22.214.171.124.39
OUI version : 126.96.36.199.0
Log file location : /u00/app/grid/19.18.0/cfgtoollogs/opatch/opatch2023-08-15_09-07-07AM_1.log

Invoking utility "obfuscate"
PS Obfuscate OPtion provided
Obfuscate patch storage .......
[Aug 15, 2023 9:07:10 AM] [INFO] Invoking utility "obfuscate"
[Aug 15, 2023 9:07:10 AM] [INFO] Obfuscate patch storage .......
[Aug 15, 2023 9:07:10 AM] [INFO] Begin obfuscatePatchStorage
...
[Aug 15, 2023 9:18:50 AM] [INFO] Obfuscating patch: 32916816_Jul_19_2021_01_56_39
[Aug 15, 2023 9:18:57 AM] [SEVERE] Failed to zip obfuscated files: Unzip failed
[Aug 15, 2023 9:18:58 AM] [INFO] Obfuscating patch: 32916816_Jul_19_2021_01_56_39 is done
...
[Aug 15, 2023 9:26:57 AM] [INFO] Obfuscating patch: 34765931_Jan_27_2023_11_25_14
[Aug 15, 2023 9:26:57 AM] [WARNING] Patch /u00/app/grid/19.18.0/.patch_storage/34765931_Jan_27_2023_11_25_14 is already obfuscated
...
[Aug 15, 2023 9:27:22 AM] [INFO] End obfuscatePatchStorage
[Aug 15, 2023 9:27:22 AM] [INFO] Finishing UtilSession at Tue Aug 15 09:27:22 CEST 2023

This was a huge ORACLE_HOME, with backups of patches for the last three years. It took 20 minutes to obfuscate about 10 GB of patch backups.
Checking the files in the .patch_storage folder, all of them now have obfuscated names, like
-rwxr-xr-x. 1 oracle dba 6332 Aug 15 09:12 /u00/app/grid/19.18.0/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
It also changed the last modified date of the file, but I could see that this example matches the file:
-rwxr-xr-x. 1 oracle dba 6332 Jul 14 2019 tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli
The md5sum is different, meaning the contents were changed:
$ md5sum tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli
d0b1ebd73a2bbb0a51c5e2eb0f04f9f4 tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli
$ md5sum $ORACLE_HOME/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
ac507f596b7aff82ea931a6c2be12fc2 /u00/app/grid/19.18.0/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
And diff shows that small extra characters were added:
diff tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli $ORACLE_HOME/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
1c1
< #!/bin/sh
---
> ▒!/bin/sh
237c237
<
---
> ▒
\ No newline at end of file

All the rest is the same. For example, the beginning of the file:

$ head $ORACLE_HOME/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/7a646d636c69_o_
▒!/bin/sh
#
#
# NAME
# zdmcli - Cloud Control Utility
#
# DESCRIPTION
# Cloud Control Utility can be used to migrate databases from on premises
# to the cloud and vice versa.
#
$ head tmp/.patch_storage/31305087_Jun_25_2020_11_36_08/files/bin/zdmcli
#!/bin/sh
#
#
# NAME
# zdmcli - Cloud Control Utility
#
# DESCRIPTION
# Cloud Control Utility can be used to migrate databases from on premises
# to the cloud and vice versa.
#

More information about this utility is part of this note (attention: some small things have already changed in the newest version of the tool):
It is nice to know OPatch keeps improving. As all new patch backups are automatically obfuscated, normally we do not need to actively use this new utility.
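
The obfuscated name in the listing above, 7a646d636c69_o_, is the hexadecimal encoding of the ASCII string zdmcli followed by _o_. As an added example (not part of the original post and not Oracle code), the script below uses that to report which backup files under .patch_storage are obfuscated and which still carry clear names, a useful check after a run that logged a SEVERE line like the one above. It assumes the naming seen on that single file holds for all backups and that backups live under each patch's files/ directory; the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle code. Assumption drawn from the one file shown in
# the post: an obfuscated backup is named <hex of the original name>_o_.
# Usage: sh check_patch_storage.sh "$ORACLE_HOME/.patch_storage"

# Print the original name of an obfuscated file; return 1 if the name does not fit.
decode_obf_name() {
    stem=${1%_o_}
    [ "$stem" != "$1" ] || return 1               # no _o_ suffix
    case $stem in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#stem} % 2 )) -eq 0 ] || return 1     # need whole bytes
    out=
    while [ -n "$stem" ]; do
        pair=${stem%"${stem#??}"}                 # first two hex digits
        stem=${stem#??}
        byte=$(( 0x$pair ))
        # Accept printable ASCII only, and no '/', so the result is safe to print.
        { [ "$byte" -ge 32 ] && [ "$byte" -le 126 ] && [ "$byte" -ne 47 ]; } || return 1
        out=$out$(printf "\\$(printf '%03o' "$byte")")
    done
    printf '%s\n' "$out"
}

# List backup files below <patch>/files/ that still carry their clear names.
list_clear_backups() {
    find "$1" -type f -path '*/files/*' ! -name '*_o_' | sort
}

# One line per backup file: decoded original name, or CLEAR if not obfuscated.
report() {
    find "$1" -type f -path '*/files/*' | sort | while IFS= read -r f; do
        if name=$(decode_obf_name "${f##*/}"); then
            printf 'obfuscated  %s (was %s)\n' "$f" "$name"
        else
            printf 'CLEAR       %s\n' "$f"
        fi
    done
}

if [ $# -gt 0 ]; then report "$1"; fi
```

Any line marked CLEAR is a backup copy whose original hash a scanner can still match.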