How to Patch/Upgrade Java (JDK and JRE) in both Oracle Home and OEM Agent 13.5 home to latest certified version

A vulnerability scan from the customer pointed out many problems due to old patch backups and old JDK versions installed in a Oracle VM.

Many of the problems were with the files:

/u01/app/oracle/product/oem13c/agent/agent_13.5.0.0.0/oracle_common/jdk/jre/lib/rt.jar
/u01/app/oracle/product/19.0.0/dbhome_1/jdk/jre/lib/rt.jar

What I learned:

OEM Agent 13.5 default java version is 1.8.0_261, also after patching to the latest RU!
Oracle OPatch has its own JRE and this is not updated when applying latest JDK patch for Oracle Home
Upgrade JDK in Oracle Home is online

What I already knew:

Oracle DB Release Updates (RU) install the before-last JDK version.
There is in CPU4 – Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products (or the document for last CPU) a specific Patch to upgrade the JDK to the latest certified version (online patch).
The old patches are kept in a folder “.patch_storage”, for the needs of rollback. Vulnerability tools are picky and find it as potentially dangerous. The latest OPatch versions have a “util obfuscate” which will change the name and a little the contents of the files, so vulnerability tools do not find it. I blogged about it two years ago: Opatch now obfuscates its own backups – the new “opatch util Obfuscate” option explained

Below how I “cleanup” the vulnerabilities at my customer VM. This instructions are for java version 1.8.0_481, latest certified for Oracle in January 2026 :

Patch OEM Agent OPatch + use latest JDK

Download patches 28186730 + 38757469 from: CPU6 – Critical Patch Update (CPU) Program January 2026 Patch Availability Document (EM-only)
Instructions (simplified below) are at: KB635866 – EM 13.5: How to Use the Latest Certified JDK 8 Update with 13.5 Agents
Upgrade Agent OPatch, to use the cleanup, deleteinactivepatches und obfuscate functions
Upgrade JDK to last certified version

# Set variables
export SW_STAGING=/home/oracle/sw_staging
export AGENT_BASE=/u01/app/oracle/product/oem13c/agent

# Unzip patches
unzip $SW_STAGING/p28186730_1394222_Generic.zip -d $SW_STAGING/EM_OPatch_13.9.4.2.22/
unzip $SW_STAGING/p38757469_180_481_Linux-x86-64.zip -d $SW_STAGING/EM_Agent_JDK8_481/

# Stop agent
$AGENT_BASE/agent_inst/bin/emctl stop agent

# Patch Agent OPatch
java -jar /u01/staging/EM_OPatch_13.9.4.2.22/6880880/opatch_generic.jar -silent oracle_home=$AGENT_BASE/agent_13.5.0.0.0
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch version # --> soll 13.9.4.2.22 sein

# Upgrade Agent Java
mv $AGENT_BASE/agent_13.5.0.0.0/oracle_common/jdk /home/oracle/agent_jdk-bck_to_delete
tar zxf $SW_STAGING/EM_Agent_JDK8_481/jdk-8u481-linux-x64.tar.gz --transform 's|jdk1.8.0_481|jdk|' -C $AGENT_BASE/agent_13.5.0.0.0/oracle_common/

# Start Agent
$AGENT_BASE/agent_inst/bin/emctl start agent

# Cleanup Agent old patches
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch util cleanup -silent
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch util deleteinactivepatches
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch util obfuscate

# Cleanup Agent Java backup
rm -rf /home/oracle/agent_jdk-bck_to_delete

# Checks
for f in $(find $AGENT_BASE -type f -name "java"); do echo "$f -> $($f -version 2>&1 | head -1)"; done;   # --> 1.8.0_481

Patch Oracle DB Home OPatch + use latest JDK

Download Patches 6880880 + 38586770 from CPU4 – Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products and KB118730 – JDK and PERL Patches for Oracle Database Home and Grid Home
Instructions (simplified below) in Patch README file.
Upgrade DB OPatch Version, so it gets latest JDK
Patch Oracle Home, so it gets latest JDK

# Set variables
export SW_STAGING=/home/oracle/sw_staging
export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1

# Unzip patch
unzip $SW_STAGING/p38586770_190000_Linux-x86-64.zip -d $SW_STAGING/DB_JDK8_481/

# Upgrade ORACLE_HOME OPatch and OPatch-Java
mv $ORACLE_HOME/OPatch /home/oracle/opatch-bck_to_delete
unzip -q $SW_STAGING/p6880880_190000_Linux-x86-64.zip -d $ORACLE_HOME/
$ORACLE_HOME/OPatch/opatch version | head -1  # --> 12.2.0.1.49

# Upgrade ORACLE_HOME Java
$ORACLE_HOME/OPatch/opatch apply -silent $SW_STAGING/DB_JDK8_481/38586770

# Cleanup Opatch backup
rm -rf /home/oracle/opatch-bck_to_delete

# Checks
for f in $(find $ORACLE_HOME -type f -name "java"); do echo "$f -> $($f -version 2>&1 | head -1)"; done;  # --> 1.8.0_481

Used patches

For information, these were the used patches:

-rw-r--r-- 1 oracle oinstall  59545781 Feb 20 15:27 p28186730_1394222_Generic.zip
-rw-r--r-- 1 oracle oinstall  59594892 Feb 20 15:35 p38586770_190000_Linux-x86-64.zip
-rw-r--r-- 1 oracle oinstall 161734780 Feb 20 15:36 p38757469_180_481_Linux-x86-64.zip
-rw-r--r-- 1 oracle oinstall  72896144 Feb 20 16:44 p6880880_190000_Linux-x86-64.zip

Blog: Keyword Oracle

Blog: Keyword Oracle

Patch OEM Agent OPatch + use latest JDK

Patch Oracle DB Home OPatch + use latest JDK

Used patches

Leave a comment Cancel reply