{"id":582,"date":"2023-08-26T18:24:38","date_gmt":"2023-08-26T16:24:38","guid":{"rendered":"https:\/\/anjo.pt\/keyword-oracle\/?p=582"},"modified":"2023-08-26T18:24:39","modified_gmt":"2023-08-26T16:24:39","slug":"opatch-now-obfuscates-its-own-backups-the-new-opatch-util-obfuscate-option-explained","status":"publish","type":"post","link":"https:\/\/anjo.pt\/keyword-oracle\/2023\/08\/26\/opatch-now-obfuscates-its-own-backups-the-new-opatch-util-obfuscate-option-explained\/","title":{"rendered":"Opatch now obfuscates its own backups – the new “opatch util Obfuscate” option explained"},"content":{"rendered":"\n

With OPatch version 12.2.0.1.36 for databases (and version 13.9.4.2.11 for Middleware), a new utility was included: obfuscate.<\/p>\n\n\n\n

This utility was released to workaround the increased security needed around databases servers. We cannot escape having vulnerability scanners to run there. These vulnerability scanners sometimes do not distinguish between used and unused files. <\/p>\n\n\n\n

When patching a database, backup copy of the modified files are kept in $ORACLE_HOME\/.patch_storage. Their hash sometime trigger the vulnerability scanners and says – 🚨server not patched ⚠️. Which is misleading.<\/p>\n\n\n\n

Starting with OPatch 12.2.0.1.36, released together with the January 2023 Release Update, the backup of patch files are automatically obfuscated.<\/p>\n\n\n\n

The new “opatch util obfuscate” allows to do the same for older patches. Let’s see how it works.<\/p>\n\n\n\n\n\n\n\n

Before the tests I’ve done a backup of $ORACLE_HOME\/.patch_storage<\/code> in \/tmp<\/code><\/p>\n\n\n\n

Now I call the new tool:<\/p>\n\n\n

\n$ORACLE_HOME\/OPatch\/opatch util Obfuscate\nOracle Interim Patch Installer version 12.2.0.1.39\nCopyright (c) 2023, Oracle Corporation.  All rights reserved.\n\n\nOracle Home       : \/u00\/app\/grid\/19.18.0\nCentral Inventory : \/u00\/app\/OraInventory\n   from           : \/u00\/app\/grid\/19.18.0\/oraInst.loc\nOPatch version    : 12.2.0.1.39\nOUI version       : 12.2.0.7.0\nLog file location : \/u00\/app\/grid\/19.18.0\/cfgtoollogs\/opatch\/opatch2023-08-15_09-07-07AM_1.log\n\nInvoking utility "obfuscate"\nPS Obfuscate OPtion provided\nObfuscate patch storage .......\n\n[Aug 15, 2023 9:07:10 AM] [INFO]    Invoking utility "obfuscate"\n[Aug 15, 2023 9:07:10 AM] [INFO]    Obfuscate patch storage .......\n[Aug 15, 2023 9:07:10 AM] [INFO]    Begin obfuscatePatchStorage\n...\n[Aug 15, 2023 9:18:50 AM] [INFO]    Obfuscating patch: 32916816_Jul_19_2021_01_56_39\n[Aug 15, 2023 9:18:57 AM] [SEVERE]  Failed to zip obfuscated files: Unzip failed\n[Aug 15, 2023 9:18:58 AM] [INFO]    Obfuscating patch: 32916816_Jul_19_2021_01_56_39 is done\n...\n[Aug 15, 2023 9:26:57 AM] [INFO]    Obfuscating patch: 34765931_Jan_27_2023_11_25_14\n[Aug 15, 2023 9:26:57 AM] [WARNING] Patch \/u00\/app\/grid\/19.18.0\/.patch_storage\/34765931_Jan_27_2023_11_25_14 is already obfuscated\n...\n[Aug 15, 2023 9:27:22 AM] [INFO]    End obfuscatePatchStorage\n[Aug 15, 2023 9:27:22 AM] [INFO]    Finishing UtilSession at Tue Aug 15 09:27:22 CEST 2023\n<\/pre><\/div>\n\n\n
This was a huge ORACLE_HOME, with backups of patches for the last three years. It tool 20 minutes to obfuscate about 10 GB of patch backups.<\/p>\n\n\n\n
Checking the files in the .patch_storage folder, all now have names obfuscates, like <\/p>\n\n\n
\n-rwxr-xr-x. 1 oracle dba 6332 Aug 15 09:12 \/u00\/app\/grid\/19.18.0\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/7a646d636c69_o_\n<\/pre><\/div>\n\n\n
It also changed the last modifed date of the file, but I could notice this example matches the file:<\/p>\n\n\n
\n-rwxr-xr-x. 1 oracle dba 6332 Jul 14  2019 tmp\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/zdmcli\n<\/pre><\/div>\n\n\n
The md5sum is different, meaning the contents were changed:<\/p>\n\n\n
\n$ md5sum tmp\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/zdmcli\nd0b1ebd73a2bbb0a51c5e2eb0f04f9f4  tmp\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/zdmcli\n\n$ md5sum $ORACLE_HOME\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/7a646d636c69_o_\nac507f596b7aff82ea931a6c2be12fc2  \/u00\/app\/grid\/19.18.0\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/7a646d636c69_o_\n<\/pre><\/div>\n\n\n
And diff shows that small extra characters were added:<\/p>\n\n\n
\ndiff tmp\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/zdmcli $ORACLE_HOME\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/7a646d636c69_o_\n1c1\n&lt; #!\/bin\/sh\n---\n> \u2592!\/bin\/sh\n237c237\n&lt;\n---\n> \u2592\n\\ No newline at end of file\n<\/pre><\/div>\n\n\n
All the rest is the same, example of the beginning of the file:<\/p>\n\n\n
\n$ head $ORACLE_HOME\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/7a646d636c69_o_\n\u2592!\/bin\/sh\n#\n#\n#    NAME\n#     zdmcli - Cloud Control Utility\n#\n#    DESCRIPTION\n#      Cloud Control Utility can be used to migrate databases from on premises\n#      to the cloud and vice versa.\n#\n\n$ head tmp\/.patch_storage\/31305087_Jun_25_2020_11_36_08\/files\/bin\/zdmcli\n#!\/bin\/sh\n#\n#\n#    NAME\n#     zdmcli - Cloud Control Utility\n#\n#    DESCRIPTION\n#      Cloud Control Utility can be used to migrate databases from on premises\n#      to the cloud and vice versa.\n#\n<\/pre><\/div>\n\n\n
More information about this utility is part of this note (attention, small things already changed in newest version of the tool):<\/p>\n\n\n\n
OPatch 13.9.4.2.11 Introduces a New Feature to Obfuscate the ORACLE_HOME\/.patch_storage Directory (Doc ID 2909604.1)<\/a><\/p>\n\n\n\n
It is nice to know OPatch keeps improving. As all new patch backups are automatically obfuscated, normally we do not need to actively use this new utility. <\/p>\n","protected":false},"excerpt":{"rendered":"
With OPatch version 12.2.0.1.36 for databases (and version 13.9.4.2.11 for Middleware), a new utility was included: obfuscate. This utility was released to workaround the increased security needed around databases servers. We cannot escape having vulnerability scanners to run there. These vulnerability scanners sometimes do not distinguish between used and unused files. When patching a database, […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,6],"tags":[],"class_list":{"0":"post-582","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-opatch","7":"category-oracle","8":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/582","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=582"}],"version-history":[{"count":1,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/582\/revisions"}],"predecessor-version":[{"id":583,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/582\/revisions\/583"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}