There have been a number of security alerts recently around java and particularly older versions of java. We're currently looking into versions of java installed across the estate with a view to bring everything in line but as part of this it got me thinking what about the jvm inside the database - what version is this? You'd think with Oracle in control of all of this now that the latest version of the database should be using the latest version of the jvm internally surely?
After a bit of investigation (using the following simple method to find out the jvm version) it seems the version is miles behind
First off create this basic function (i did it as sys being lazy)
CREATE OR REPLACE FUNCTION get_java_property (prop IN VARCHAR2)
RETURN VARCHAR2 IS LANGUAGE JAVA
name 'java.lang.System.getProperty(java.lang.String) return java.lang.String';
/
Then select the value of this function back which displays the jvm version
SQL> SELECT get_java_property('java.version') FROM dual;
1.6.0
So in the case above this is Java 6
I tried this on a few databases
10.2 databases seemed to be JVM 1.4 (4)
11.1 i didnt bother to check
11.2 and less seemed to be JVM 1.5 (5)
11.2.0.4 and 12.1.0.1 seemed to be JVM 1.6 (6)
I then got bored and didnt do a full check of the other versions - a lot of them in our estate don't even have the java code installed and I couldn't be bothered to go and do that, it also creates thousands of objects i didn't particularly want......
It seemed odd than even in 12c Oracle internally was still using Java 6.
However in doing the investigation into versions i did discover that in 12c there is a new feature that allows you do use different vm versions and actually allowed me to switch to using Java 7 - here is how i did that (as documented in the oracle docs here http://docs.oracle.com/cd/E16655_01/java.121/e17658/chone.htm#CACGFAHD )
First up run this perl command passing in 7 (the java version) as the desired version to go to
perl $ORACLE_HOME/javavm/install/update_javavm_binaries.pl 7
this returns instantly and appears to do nothing (but it must have)
You then relink the oracle executable after this change
[oracle@server]:ED12G:[/oracle/12.0.0/rdbms/lib]# make -f ins_rdbms.mk ioracle
chmod 755 /oracle/12.0.0/bin
- Linking Oracle
rm -f /oracle/12.0.0/rdbms/lib/oracle
/oracle/12.0.0/bin/orald -o /oracle/12.0.0/rdbms/lib/oracle -m64 -z noexecstack -Wl,--disable-new-dtags -L/oracle/12.0.0/rdbms/lib/ -L/oracle/12.0.0/lib/ -L/oracle/12.0.0/lib/stubs/ -Wl,-E /oracle/12.0.0/rdbms/lib/opimai.o /oracle/12.0.0/rdbms/lib/ssoraed.o /oracle/12.0.0/rdbms/lib/ttcsoi.o -Wl,--whole-archive -lperfsrv12 -Wl,--no-whole-archive /oracle/12.0.0/lib/nautab.o /oracle/12.0.0/lib/naeet.o /oracle/12.0.0/lib/naect.o /oracle/12.0.0/lib/naedhs.o /oracle/12.0.0/rdbms/lib/config.o -lserver12 -lodm12 -lcell12 -lnnet12 -lskgxp12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lclient12 -lvsn12 -lcommon12 -lgeneric12 -lknlopt `if /usr/bin/ar tv /oracle/12.0.0/rdbms/lib/libknlopt.a | grep xsyeolap.o > /dev/null 2>&1 ; then echo "-loraolap12" ; fi` -lskjcx12 -lslax12 -lpls12 -lrt -lplp12 -lserver12 -lclient12 -lvsn12 -lcommon12 -lgeneric12 `if [ -f /oracle/12.0.0/lib/libavserver12.a ] ; then echo "-lavserver12" ; else echo "-lavstub12"; fi` `if [ -f /oracle/12.0.0/lib/libavclient12.a ] ; then echo "-lavclient12" ; fi` -lknlopt -lslax12 -lpls12 -lrt -lplp12 -ljavavm12 -lserver12 -lwwg `cat /oracle/12.0.0/lib/ldflags` -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnro12 `cat /oracle/12.0.0/lib/ldflags` -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnnzst12 -lzt12 -lztkg12 -lmm -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lztkg12 `cat /oracle/12.0.0/lib/ldflags` -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnro12 `cat /oracle/12.0.0/lib/ldflags` -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnnzst12 -lzt12 -lztkg12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 `if /usr/bin/ar tv /oracle/12.0.0/rdbms/lib/libknlopt.a | grep "kxmnsd.o" > /dev/null 2>&1 ; then echo " " ; else echo "-lordsdo12"; fi` -L/oracle/12.0.0/ctx/lib/ -lctxc12 -lctx12 -lzx12 -lgx12 -lctx12 -lzx12 -lgx12 -lordimt12 -lclsra12 -ldbcfg12 -lhasgen12 -lskgxn2 -lnnzst12 -lzt12 -lxml12 -locr12 -locrb12 -locrutl12 -lhasgen12 -lskgxn2 -lnnzst12 -lzt12 -lxml12 -lgeneric12 -loraz -llzopro -lorabz2 -lipp_z -lipp_bz2 -lippdcemerged -lippsemerged -lippdcmerged -lippsmerged -lippcore -lippcpemerged -lippcpmerged -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lsnls12 -lunls12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lasmclnt12 -lcommon12 -lcore12 -laio -lons `cat /oracle/12.0.0/lib/sysliblist` -Wl,-rpath,/oracle/12.0.0/lib -lm `cat /oracle/12.0.0/lib/sysliblist` -ldl -lm -L/oracle/12.0.0/lib
test ! -f /oracle/12.0.0/bin/oracle ||\
mv -f /oracle/12.0.0/bin/oracle /oracle/12.0.0/bin/oracleO
mv /oracle/12.0.0/rdbms/lib/oracle /oracle/12.0.0/bin/oracle
chmod 6751 /oracle/12.0.0/bin/oracle
You then start the database up and run a simple sql file to replace the java install
[oracle@server]:ED12G:[/oracle/12.0.0/rdbms/lib]# sqlplus / as sysdba
SQL*Plus: Release 12.1.0.1.0 Production on Mon May 26 18:00:44 2014
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 3373858816 bytes
Fixed Size 2687192 bytes
Variable Size 855641896 bytes
Database Buffers 2499805184 bytes
Redo Buffers 15724544 bytes
Database mounted.
Database opened.
SQL>
SQL>
SQL> @?/javavm/install/update_javavm_db
SQL> SET FEEDBACK 1
SQL> SET NUMWIDTH 10
SQL> SET LINESIZE 80
SQL> SET TRIMSPOOL ON
SQL> SET TAB OFF
SQL> SET PAGESIZE 100
SQL>
SQL> -- If Java is installed, do CJS.
SQL>
SQL> -- If CJS can deal with the SROs inconsistent with the new JDK,
SQL> -- the drop_sros() call here can be removed.
SQL> call initjvmaux.drop_sros();
Call completed.
SQL>
SQL> create or replace java system;
2 /
Java created.
SQL>
SQL> update dependency$
2 set p_timestamp=(select stime from obj$ where obj#=p_obj#)
3 where (select stime from obj$ where obj#=p_obj#)!=p_timestamp and
4 (select type# from obj$ where obj#=p_obj#)=29 and
5 (select owner# from obj$ where obj#=p_obj#)=0;
63854 rows updated.
SQL>
Then commit (which doesn't seem to be in the script)
SQL> commit;
Commit complete.
Now executing the same function shows that indeed the java version is 1.7 (7)
SQL> SELECT get_java_property('java.version') FROM dual;
GET_JAVA_PROPERTY('JAVA.VERSION')
--------------------------------------------------------------------------------
1.7.0
1 row selected.
So it seems you can get (almost) up to date with java inside the database but the java version shipped under $ORACLE_HOME/jdk is still miles behind (v6) and this is the version that all the utilities (dbca, netca etc all seem to use). I'm not sure why it lags so far behind when oracle are telling customers to move up to newer versions and they aren't doing it themselves......
Comments
Post a Comment