How to Identify Which Security Patches to Apply to Your Oracle EBS System

by Vikram Kotwani – Principal Architect

When it comes to managing an Oracle EBS system, similar to any other IT infrastructure, it is essential to regularly install the latest patches to improve performance and security. 

EBS encompasses multiple software stacks, each of which requires regular patching:

• EBS APPL_TOP (AD tech stack, module patches, etc.)  
• EBS WebLogic server  
• EBS Java / JDK  
• Database  

Here are some general practices to follow when it comes to EBS patches:  

• Always apply and thoroughly test all patches in lower development/testing environments before deploying them to production. 
• Conduct end-to-end functional testing, ensuring that all critical daily and month-end tasks are executed to identify and rectify any errors or performance issues. 
• Address and rectify any invalid objects introduced by patches. 

These patches can either be applied during a single downtime (preferable) or spread across multiple downtimes. 

The general sequence for patch application is as follows: 

1. Apply the latest EBS release pack 
2. Apply any recommended EBS patches 
3. Apply the latest AD patch 
4. Apply the latest WebLogic patches  
5. Apply the latest database PSU   

It is advisable to follow the same sequence of patch applications as in the lower environments to mitigate potential unknown issues. 

Oracle provides various utilities to obtain a list of recommended patches: 

Download and execute the latest EBS Critical patch update checker (ECPUC), available in patch 35583866 

Download Patch 35583866 which includes the ECPUC.sql script. This script helps you identify the latest required EBS CPU patches and security fixes for your current E-Business Suite environment. Simply run ECPUC.sql to generate a report listing all essential patches available as of the most recent Oracle EBS Critical Patch Update (CPU). 

EBS Technology Code Level Checker (ETCC) 

This tool scans your database and middle tier for missing bug fixes and alerts you to any necessary updates. Run the provided scripts, checkDBpatch.sh and checkMTpatch.sh, to identify recommended patches by Oracle.   

• checkDBpatch.sh (checkDBpatch.cmd on Windows): This script, also known as the Database EBS Technology Codelevel Checker (DB-ETCC), scans your database for missing patches needed to address known bugs.  
• checkMTpatch.sh (checkMTpatch.cmd on Windows): This script, also known as the Middle Tier EBS Technology Codelevel Checker (MT-ETCC), scans your middle tier file system for missing patches required for optimal operation. 

By running both scripts regularly, you can proactively identify and apply updates to ensure your E-Business Suite remains secure and functions as intended. 

Running DB Technology Codelevel Checker (DB-ETCC) 

Download Patch 17537119 to access the DB-ETCC script (checkDBpatch.sh). This script runs on DB Tier and it checks the EBS 12.2 database for missing one-offs that need to be rollbacked.   

If conflicts arise during the application of DB patches, consult the following documents for recommended overlay patches and conflict resolution procedures. Keep in mind, that sometimes an SR is needed with Oracle for further support. 

• Note 1147107.1 – Database Patch Set Update Overlay Patches Required for Use with PSUs and Oracle E-Business Suite  
• Note 1321267.1 – Database Patch Conflict Resolution

Running MT Technology Codelevel Checker (MT-ETCC) 

Download Patch 17537119 checkMTpatch.sh. Running the script on the Apps Tier produces a report of missing patches.   

Further analysis is required to check if there is a consolidated patch available, which would include the missing bug fix. This can be accomplished by referring to the following notes. 

• Note 1594274.1 – Oracle E-Business Suite Release 12.2: Consolidated List of Oracle Database Patches and Bug Fixes  
• Note 2877607.1 – Oracle E-Business Suite Release 12.2: Consolidated List of Oracle Fusion Middleware Patches and Bug Fixes 

If you are on the older JDK/JRE version, you can consider upgrading to the latest certified JDK/JRE 

Using the Latest JDK 7.0 Update with Oracle E-Business Suite Release 12.2 (Doc ID 1530033.1) 

Deploying JRE (Native Plug-in) for Windows Clients in Oracle E-Business Suite Release 12 (Doc ID 393931.1) 

Run various module analyzers, which provide module-specific recommended patches. 

EBS Analyzer Bundle Menu Tool can be downloaded from Doc ID 1939637.1. It provides information to download, install, and maintain all the analyzers.  

For tech stack AD and FND patches, run the CP analyzer, and Login analyzer to get various one-off patch recommendations.  

Using the EBS Patch wizard to get patch recommendations. 

You can set up the EBS Patch wizard, to provide recommended patches for various installed patches.  

See Doc ID 976188.1 – Patch Wizard Utility,  Doc ID 976688.2 FAQ, or  Doc ID 1077813.1 Videos for more information. 

Additional reference documents include: 

• Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12.2 (Doc ID 2484000.1) 
• Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2 (Doc ID 1617461.1) 
• 12.2 E-Business Suite Applications DBA Steps To Identify The Missing Patches Listed In ETCC For The Database and Middle Tier By Bug Number (Doc ID 2057925.1) 
• E-Business Suite Support Analyzer Bundle Menu Tool (Doc ID 1939637.1) 
• Get Proactive with Oracle E-Business Suite – Product Support Analyzer Index (Doc ID 1545562.2) 

Lastly, consult the patch readme files for detailed information and examples regarding the mentioned patches. 

Have Questions about Oracle EBS Security Patches?

For expert guidance and best practices on Oracle EBS Security Patches, please feel free to contact our team or reach out to the author directly for further insights.

Vikram Kotwani – Principal Architect  

LinkedIn: https://www.linkedin.com/in/vikramkotwani/