Patching Perl in Oracle database home binaries – CVE-2018-20843 and CVE-2019-15903

In the Oracle Critical Patch Update (CPU) released in October 2020, Oracle changed the advisory page: “non-exploitable vulnerabilities in each product family will be identified separately under each risk matrix, and the total vulnerability counts will no longer include non-exploitable vulnerabilities in third-party components,” according to Oracle: https://blogs.oracle.com/security/october-2020-critical-patch-update-released

So, basically, Oracle will provide fixes for third-party products such as Perl even when the vulnerabilities are not directly exploitable in the Oracle product itself, in our case the “Oracle database system”.

Updating to the latest Perl build applies to Oracle 18c, 12cR2, and 12cR1. The 19c database binaries already ship with the latest Perl build, which mitigates CVE-2018-20843 and CVE-2019-15903.

To patch Perl, first download the patch from Oracle Support.

Then, check the current version:

$ORACLE_HOME/perl/bin/perl -v

This is perl 5, version 22, subversion 0 (v5.22.0) built for x86_64-linux-thread-multi

Copyright 1987-2015, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

Go to the directory where you downloaded and unzipped the patch:

cd /patches/Perl_patches/18c_Patch/31225444

Using the OPatch utility, apply the patch (check first that you have the latest version of the OPatch utility):

$ORACLE_HOME/OPatch/opatch apply

Check the Perl version again:

$ORACLE_HOME/perl/bin/perl -v

This is perl 5, version 28, subversion 2 (v5.28.2) built for x86_64-linux-thread-multi

Copyright 1987-2019, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
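
A small check for the before/after comparison above, added here as an example and not part of the original post or of Oracle's tooling: it parses the `perl -v` banner of each Oracle home and reports whether the bundled Perl is at least v5.28.2. Treating v5.28.2 as the patched baseline is an assumption taken from the output shown on this page; the function names and the script name are made up for the example.

```sh
#!/bin/sh
# Added example: classify the Perl bundled in an Oracle home from its `perl -v` banner.
# Assumption: v5.28.2 (the version shown on this page after patching) is the baseline.
PATCHED_PERL="5.28.2"

# The two version lines quoted on this page, kept here as sample input.
BANNER_BEFORE='This is perl 5, version 22, subversion 0 (v5.22.0) built for x86_64-linux-thread-multi'
BANNER_AFTER='This is perl 5, version 28, subversion 2 (v5.28.2) built for x86_64-linux-thread-multi'

# Read a `perl -v` banner on stdin and print the dotted version, e.g. 5.22.0.
perl_version_from_banner() {
    sed -n 's/^This is perl .*(v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Succeed when version $1 >= version $2, comparing each component numerically
# (a plain string comparison would rank 5.9.x above 5.28.x).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # $1..$3 = first version, $4..$6 = second version
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -lt "$6" ] && return 1
    return 0
}

# Read a banner on stdin and print PATCHED <v>, NEEDS_PATCH <v> or UNKNOWN.
classify_banner() {
    v=$(perl_version_from_banner)
    if [ -z "$v" ]; then echo "UNKNOWN"
    elif version_ge "$v" "$PATCHED_PERL"; then echo "PATCHED $v"
    else echo "NEEDS_PATCH $v"
    fi
}

# Check each Oracle home given as an argument; return non-zero if any is not PATCHED.
check_homes() {
    rc=0
    for home in "$@"; do
        state="UNKNOWN"
        [ -x "$home/perl/bin/perl" ] && state=$("$home/perl/bin/perl" -v | classify_banner)
        printf '%s: %s\n' "$home" "$state"
        case $state in PATCHED*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Usage (check_perl.sh is a hypothetical file name): sh check_perl.sh "$ORACLE_HOME" [more homes...]
if [ "$#" -gt 0 ]; then check_homes "$@"; fi
```

Passing several homes at once lets you confirm that every 18c, 12cR2 and 12cR1 home on a host was patched, since each home carries its own copy of Perl.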
