A vulnerability scan from the customer pointed out many problems due to old patch backups and old JDK versions installed in an Oracle VM.
Many of the problems were with the files:
/u01/app/oracle/product/oem13c/agent/agent_13.5.0.0.0/oracle_common/jdk/jre/lib/rt.jar
/u01/app/oracle/product/19.0.0/dbhome_1/jdk/jre/lib/rt.jar
What I learned:
- The OEM Agent 13.5 default Java version is 1.8.0_261, even after patching to the latest RU!
- Oracle OPatch has its own JRE, and this is not updated when applying the latest JDK patch for the Oracle Home
- Upgrading the JDK in the Oracle Home is an online operation
What I already knew:
- Oracle DB Release Updates (RU) install the second-to-last JDK version.
- CPU4 – Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products (or the equivalent document for the latest CPU) lists a specific patch to upgrade the JDK to the latest certified version (online patch).
- The old patches are kept in a “.patch_storage” folder so that they can be rolled back. Vulnerability tools are picky and flag them as potentially dangerous. The latest OPatch versions have a “util obfuscate” option, which changes the names and slightly alters the contents of the files so that vulnerability tools do not find them. I blogged about it two years ago: Opatch now obfuscates its own backups – the new “opatch util Obfuscate” option explained
Below is how I “clean up” the vulnerabilities on my customer's VM. These instructions are for Java version 1.8.0_481, the latest certified for Oracle in January 2026:
Patch OEM Agent OPatch + use latest JDK
- Download patches 28186730 + 38757469 from: CPU6 – Critical Patch Update (CPU) Program January 2026 Patch Availability Document (EM-only)
- Instructions (simplified below) are at: KB635866 – EM 13.5: How to Use the Latest Certified JDK 8 Update with 13.5 Agents
- Upgrade Agent OPatch, to use the cleanup, deleteinactivepatches and obfuscate functions
- Upgrade JDK to last certified version
# Set variables
export SW_STAGING=/home/oracle/sw_staging
export AGENT_BASE=/u01/app/oracle/product/oem13c/agent
# Unzip patches
unzip $SW_STAGING/p28186730_1394222_Generic.zip -d $SW_STAGING/EM_OPatch_13.9.4.2.22/
unzip $SW_STAGING/p38757469_180_481_Linux-x86-64.zip -d $SW_STAGING/EM_Agent_JDK8_481/
# Stop agent
$AGENT_BASE/agent_inst/bin/emctl stop agent
# Patch Agent OPatch
java -jar $SW_STAGING/EM_OPatch_13.9.4.2.22/6880880/opatch_generic.jar -silent oracle_home=$AGENT_BASE/agent_13.5.0.0.0
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch version # --> should be 13.9.4.2.22
# Upgrade Agent Java
mv $AGENT_BASE/agent_13.5.0.0.0/oracle_common/jdk /home/oracle/agent_jdk-bck_to_delete
tar zxf $SW_STAGING/EM_Agent_JDK8_481/jdk-8u481-linux-x64.tar.gz --transform 's|jdk1.8.0_481|jdk|' -C $AGENT_BASE/agent_13.5.0.0.0/oracle_common/
# Start Agent
$AGENT_BASE/agent_inst/bin/emctl start agent
# Cleanup Agent old patches
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch util cleanup -silent
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch util deleteinactivepatches
$AGENT_BASE/agent_13.5.0.0.0/OPatch/opatch util obfuscate
# Cleanup Agent Java backup
rm -rf /home/oracle/agent_jdk-bck_to_delete
# Checks
for f in $(find $AGENT_BASE -type f -name "java"); do echo "$f -> $($f -version 2>&1 | head -1)"; done; # --> 1.8.0_481
Patch Oracle DB Home OPatch + use latest JDK
- Download Patches 6880880 + 38586770 from CPU4 – Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products and KB118730 – JDK and PERL Patches for Oracle Database Home and Grid Home
- Instructions (simplified below) in Patch README file.
- Upgrade DB OPatch Version, so it gets latest JDK
- Patch Oracle Home, so it gets latest JDK
# Set variables
export SW_STAGING=/home/oracle/sw_staging
export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1
# Unzip patch
unzip $SW_STAGING/p38586770_190000_Linux-x86-64.zip -d $SW_STAGING/DB_JDK8_481/
# Upgrade ORACLE_HOME OPatch and OPatch-Java
mv $ORACLE_HOME/OPatch /home/oracle/opatch-bck_to_delete
unzip -q $SW_STAGING/p6880880_190000_Linux-x86-64.zip -d $ORACLE_HOME/
$ORACLE_HOME/OPatch/opatch version | head -1 # --> 12.2.0.1.49
# Upgrade ORACLE_HOME Java
$ORACLE_HOME/OPatch/opatch apply -silent $SW_STAGING/DB_JDK8_481/38586770
# Cleanup Opatch backup
rm -rf /home/oracle/opatch-bck_to_delete
# Checks
for f in $(find $ORACLE_HOME -type f -name "java"); do echo "$f -> $($f -version 2>&1 | head -1)"; done; # --> 1.8.0_481
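The two check loops above (agent home and DB home) print each version and leave the comparison to the reader. As an added example that is not part of the original post, the functions below run the same scan but classify every java binary against a minimum JDK 8 update level and return a non-zero status if anything older remains. The function names jdk8_update, classify and audit_jdk are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit every "java" binary under
# the given roots against a minimum JDK 8 update level.

# Print the update number (e.g. 481) from a `java -version` first line such as
#   java version "1.8.0_481"
# Prints nothing when the line is not a 1.8.0_<n> version string.
jdk8_update() {
  printf '%s\n' "$1" | sed -n 's/.*"1\.8\.0_\([0-9][0-9]*\)[^"]*".*/\1/p'
}

# classify MIN_UPDATE VERSION_LINE -> OK | OUTDATED | UNKNOWN
classify() {
  _upd=$(jdk8_update "$2")
  if [ -z "$_upd" ]; then echo UNKNOWN
  elif [ "$_upd" -lt "$1" ]; then echo OUTDATED
  else echo OK
  fi
}

# audit_jdk MIN_UPDATE ROOT...
# Prints "<status> <path> -> <version line>" per binary and returns 1 if any
# binary is OUTDATED or UNKNOWN (not executable, or not a JDK 8 build).
# Paths are read line by line, so directory names containing spaces are
# handled; a `for f in $(find ...)` loop would split them.
audit_jdk() {
  _min=$1; shift
  _report=$(find "$@" -type f -name java 2>/dev/null |
    while IFS= read -r _f; do
      _line=$("$_f" -version 2>&1 | head -1)
      printf '%s %s -> %s\n' "$(classify "$_min" "$_line")" "$_f" "$_line"
    done)
  if [ -n "$_report" ]; then printf '%s\n' "$_report"; fi
  if printf '%s\n' "$_report" | grep -Eq '^(OUTDATED|UNKNOWN) '; then
    return 1
  fi
  return 0
}

# Usage (variables as set on this page; 481 is the January 2026 target level):
#   audit_jdk 481 "$AGENT_BASE" "$ORACLE_HOME" || echo "old JDK still present"
```

UNKNOWN lines deserve a manual look: they are files named java that could not be run or that did not report a 1.8.0 version.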
Used patches
For information, these were the patches used:
-rw-r--r-- 1 oracle oinstall 59545781 Feb 20 15:27 p28186730_1394222_Generic.zip
-rw-r--r-- 1 oracle oinstall 59594892 Feb 20 15:35 p38586770_190000_Linux-x86-64.zip
-rw-r--r-- 1 oracle oinstall 161734780 Feb 20 15:36 p38757469_180_481_Linux-x86-64.zip
-rw-r--r-- 1 oracle oinstall 72896144 Feb 20 16:44 p6880880_190000_Linux-x86-64.zip
