{"id":1107,"date":"2026-02-20T17:45:24","date_gmt":"2026-02-20T16:45:24","guid":{"rendered":"https:\/\/anjo.pt\/keyword-oracle\/?p=1107"},"modified":"2026-02-20T17:53:20","modified_gmt":"2026-02-20T16:53:20","slug":"how-to-patch-upgrade-java-jdk-and-jre-in-both-oracle-home-and-oem-agent-13-5-home-to-latest-certified-version","status":"publish","type":"post","link":"https:\/\/anjo.pt\/keyword-oracle\/2026\/02\/20\/how-to-patch-upgrade-java-jdk-and-jre-in-both-oracle-home-and-oem-agent-13-5-home-to-latest-certified-version\/","title":{"rendered":"How to Patch\/Upgrade Java (JDK and JRE) in both Oracle Home and OEM Agent 13.5 home to latest certified version"},"content":{"rendered":"\n<p>A vulnerability scan from the customer pointed out many problems due to old patch backups and old JDK versions installed in a Oracle VM.<\/p>\n\n\n\n<p>Many of the problems were with the files:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/u01\/app\/oracle\/product\/oem13c\/agent\/agent_13.5.0.0.0\/oracle_common\/jdk\/jre\/lib\/<strong>rt.jar<\/strong>\n\/u01\/app\/oracle\/product\/19.0.0\/dbhome_1\/jdk\/jre\/lib\/<strong>rt.jar<\/strong><\/code><\/pre>\n\n\n\n<p><strong>What I learned:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OEM Agent 13.5 default java version is 1.8.0_261, also after patching to the latest RU!<\/li>\n\n\n\n<li>Oracle OPatch has its own JRE and this is not updated when applying latest JDK patch for Oracle Home<\/li>\n\n\n\n<li>Upgrade JDK in Oracle Home is online<\/li>\n<\/ul>\n\n\n\n<p><strong>What I already knew:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Oracle DB Release Updates (RU) install the before-last JDK version.<\/li>\n\n\n\n<li>There is  in <a href=\"https:\/\/support.oracle.com\/ic\/builder\/rt\/customer_portal\/live\/webApps\/customer-portal\/?kmExternalId=CPU4\">CPU4 &#8211; Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products<\/a> (or the document for last CPU) a specific Patch to upgrade the JDK to the latest certified version (online patch).<\/li>\n\n\n\n<li>The old patches are kept in a folder &#8220;.patch_storage&#8221;, for the needs of rollback. Vulnerability tools are picky and find it as potentially dangerous. The latest OPatch versions have a &#8220;util obfuscate&#8221; which will change the name and a little the contents of the files, so vulnerability tools do not find it. I blogged about it two years ago: <a href=\"https:\/\/anjo.pt\/keyword-oracle\/2023\/08\/26\/opatch-now-obfuscates-its-own-backups-the-new-opatch-util-obfuscate-option-explained\/\">Opatch now obfuscates its own backups \u2013 the new \u201copatch util Obfuscate\u201d option explained<\/a><\/li>\n<\/ul>\n\n\n\n<p>Below how I &#8220;cleanup&#8221; the vulnerabilities at my customer VM. This instructions are for java version 1.8.0_481, latest certified for Oracle in January 2026 :<\/p>\n\n\n\n<!--more-->\n\n\n\n<h3 class=\"wp-block-heading\">Patch OEM Agent&nbsp;OPatch + use latest JDK<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download patches 28186730 + 38757469 from: <a href=\"https:\/\/support.oracle.com\/ic\/builder\/rt\/customer_portal\/live\/webApps\/customer-portal\/?kmExternalId=CPU6\">CPU6 &#8211; Critical Patch Update (CPU) Program January 2026 Patch Availability Document (EM-only)<\/a><\/li>\n\n\n\n<li>Instructions (simplified below) are at: <a href=\"https:\/\/support.oracle.com\/ic\/builder\/rt\/customer_portal\/live\/webApps\/customer-portal\/?kmExternalId=KB635866\">KB635866 &#8211; EM 13.5: How to Use the Latest Certified JDK 8 Update with 13.5 Agents<\/a><\/li>\n\n\n\n<li>Upgrade Agent OPatch, to use the cleanup, deleteinactivepatches und obfuscate functions<\/li>\n\n\n\n<li>Upgrade JDK to last certified version&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n# Set variables\nexport SW_STAGING=\/home\/oracle\/sw_staging\nexport AGENT_BASE=\/u01\/app\/oracle\/product\/oem13c\/agent\n\n# Unzip patches\nunzip $SW_STAGING\/p28186730_1394222_Generic.zip -d $SW_STAGING\/EM_OPatch_13.9.4.2.22\/\nunzip $SW_STAGING\/p38757469_180_481_Linux-x86-64.zip -d $SW_STAGING\/EM_Agent_JDK8_481\/\n\n# Stop agent\n$AGENT_BASE\/agent_inst\/bin\/emctl stop agent\n\n# Patch Agent OPatch\njava -jar \/u01\/staging\/EM_OPatch_13.9.4.2.22\/6880880\/opatch_generic.jar -silent oracle_home=$AGENT_BASE\/agent_13.5.0.0.0\n$AGENT_BASE\/agent_13.5.0.0.0\/OPatch\/opatch version # --&gt; soll 13.9.4.2.22 sein\n\n# Upgrade Agent Java\nmv $AGENT_BASE\/agent_13.5.0.0.0\/oracle_common\/jdk \/home\/oracle\/agent_jdk-bck_to_delete\ntar zxf $SW_STAGING\/EM_Agent_JDK8_481\/jdk-8u481-linux-x64.tar.gz --transform &#039;s|jdk1.8.0_481|jdk|&#039; -C $AGENT_BASE\/agent_13.5.0.0.0\/oracle_common\/\n\n# Start Agent\n$AGENT_BASE\/agent_inst\/bin\/emctl start agent\n\n# Cleanup Agent old patches\n$AGENT_BASE\/agent_13.5.0.0.0\/OPatch\/opatch util cleanup -silent\n$AGENT_BASE\/agent_13.5.0.0.0\/OPatch\/opatch util deleteinactivepatches\n$AGENT_BASE\/agent_13.5.0.0.0\/OPatch\/opatch util obfuscate\n\n# Cleanup Agent Java backup\nrm -rf \/home\/oracle\/agent_jdk-bck_to_delete\n\n# Checks\nfor f in $(find $AGENT_BASE -type f -name &quot;java&quot;); do echo &quot;$f -&gt; $($f -version 2&gt;&amp;1 | head -1)&quot;; done;   # --&gt; 1.8.0_481\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">Patch <strong>Oracle DB Home<\/strong> OPatch + use latest JDK<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download Patches 6880880 + 38586770 from <a href=\"https:\/\/support.oracle.com\/ic\/builder\/rt\/customer_portal\/live\/webApps\/customer-portal\/?kmExternalId=CPU4\">CPU4 &#8211; Oracle Critical Patch Update (CPU) Jan 2026 for Oracle Database Products<\/a> and <a href=\"https:\/\/support.oracle.com\/ic\/builder\/rt\/customer_portal\/live\/webApps\/customer-portal\/?kmExternalId=KB118730\">KB118730 &#8211; JDK and PERL Patches for Oracle Database Home and Grid Home<\/a><\/li>\n\n\n\n<li>Instructions (simplified below) in Patch README file.<\/li>\n\n\n\n<li>Upgrade DB OPatch Version, so it gets latest JDK<\/li>\n\n\n\n<li>Patch Oracle Home, so it gets latest JDK<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n# Set variables\nexport SW_STAGING=\/home\/oracle\/sw_staging\nexport ORACLE_HOME=\/u01\/app\/oracle\/product\/19.0.0\/dbhome_1\n\n# Unzip patch\nunzip $SW_STAGING\/p38586770_190000_Linux-x86-64.zip -d $SW_STAGING\/DB_JDK8_481\/\n\n# Upgrade ORACLE_HOME OPatch and OPatch-Java\nmv $ORACLE_HOME\/OPatch \/home\/oracle\/opatch-bck_to_delete\nunzip -q $SW_STAGING\/p6880880_190000_Linux-x86-64.zip -d $ORACLE_HOME\/\n$ORACLE_HOME\/OPatch\/opatch version | head -1  # --&gt; 12.2.0.1.49\n\n# Upgrade ORACLE_HOME Java\n$ORACLE_HOME\/OPatch\/opatch apply -silent $SW_STAGING\/DB_JDK8_481\/38586770\n\n# Cleanup Opatch backup\nrm -rf \/home\/oracle\/opatch-bck_to_delete\n\n# Checks\nfor f in $(find $ORACLE_HOME -type f -name &quot;java&quot;); do echo &quot;$f -&gt; $($f -version 2&gt;&amp;1 | head -1)&quot;; done;  # --&gt; 1.8.0_481\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">Used patches<\/h3>\n\n\n\n<p>For information, these were the used patches:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n-rw-r--r-- 1 oracle oinstall  59545781 Feb 20 15:27 p28186730_1394222_Generic.zip\n-rw-r--r-- 1 oracle oinstall  59594892 Feb 20 15:35 p38586770_190000_Linux-x86-64.zip\n-rw-r--r-- 1 oracle oinstall 161734780 Feb 20 15:36 p38757469_180_481_Linux-x86-64.zip\n-rw-r--r-- 1 oracle oinstall  72896144 Feb 20 16:44 p6880880_190000_Linux-x86-64.zip\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"<p>A vulnerability scan from the customer pointed out many problems due to old patch backups and old JDK versions installed in a Oracle VM. Many of the problems were with the files: What I learned: What I already knew: Below how I &#8220;cleanup&#8221; the vulnerabilities at my customer VM. This instructions are for java version [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89,6,39,18,9],"tags":[],"class_list":{"0":"post-1107","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-enterprise-manager","7":"category-oracle","8":"category-oracle-19c","9":"category-patchset-update","10":"category-security","11":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=1107"}],"version-history":[{"count":3,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1107\/revisions"}],"predecessor-version":[{"id":1111,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/1107\/revisions\/1111"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=1107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=1107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=1107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}