Oct'25 CPU - SOA Stack Patch Bundle 12.2.1.4.251011 - Patch 38529263

 Patch 38529263: SOA Stack Patch Bundle 12.2.1.4.251011

Included in stack bundle patch

Serial Number Patch Tracking Number Patch Name

1 35965629 ADR FOR WEBLOGIC SERVER 12.2.1.4.0 - SIZE OPTIMIZED FOR JAN 2024

2 38412437 WLS PATCH SET UPDATE 12.2.1.4.250910

3 36426672 WEBLOGIC SAMPLES SPU 12.2.1.4.240416

4 38409281 Coherence 12.2.1.4 Cumulative Patch 27 (12.2.1.4.27)

5 33093748 FMW PLATFORM 12.2.1.4.0 SPU FOR APRCPU2021

6 28186730 OPATCH 13.9.4.2.21 FOR EM 13.5 AND FMW/WLS 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0

7 37925688 JDBC19.27 BUNDLE PATCH 12.2.1.4.250514

8 38199225 RDA release 25.4-20251021 for FMW 12.2.1.4.0

9 34065178 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34010500 33903365

10 36789759 FMW PLATFORM BUNDLE PATCH 12.2.1.4.240812

11 36946553 FMWCONTROL BUNDLE PATCH 12.2.1.4.240814

12 37056593 OCT 2024 CLONING SPU FOR FMW 12.2.1.4.0

13 38405729 FMW Thirdparty Bundle Patch 12.2.1.4.250909

14 38348152 ADF BUNDLE PATCH 12.2.1.4.250822

15 38059281 OSB BUNDLE PATCH 12.2.1.4.250611

16 38253323 SOA Bundle Patch 12.2.1.4.250729

17 36316422 OPSS BUNDLE PATCH 12.2.1.4.240220

18 38073767 OWSM BUNDLE PATCH 12.2.1.4.250613

19 38400138 WebCenter Core Bundle Patch 12.2.1.4.250904

20 38379810 OSS 19C BUNDLE PATCH 12.2.1.4.250902

21 38529283 SOA Stack Patch Bundle 12.2.1.4.251011 (Patch 38529263) (Interim Patch 38529265)

For an overview about the October 2025 Critical Patch Update release for all Oracle products:

Doc ID 3106514.1 - October 2025 Critical Patch Update - Executive Summary and Analysis

https://www.oracle.com/security-alerts/cpuoct2025.html

Doc ID 3106513.1 - Critical Patch Update for October 2025 Documentation Map

SOA 11g, 12c and 14c: Bundle Patch Reference (Doc ID 1485949.1)

Pre Patch Analysis:

Patch 18143322 Java SE 8 Update 471 or later for Linux, Windows, and Solaris.

Patch 38529263  SOA Stack Patch Bundle 12.2.1.4.251011

Patch 34809489  Fix for CVE-2021-42575 (July 2023)  - its already applied

Patch 36087199  SOA SPU for APR2024 for Edifecs  - its already applied

Patch 18143322: Oracle JDK 1.8.0

$ $ORACLE_HOME/OPatch/opatch lsinventory |grep -i 34809489

Patch  34809489     : applied on Fri Sep 29 01:16:51 EDT 2023

     34809489

$ $ORACLE_HOME/OPatch/opatch lsinventory |grep -i 36087199

Patch  36087199     : applied on Fri Jun 14 16:14:47 EDT 2024

====================

SOAOCTCPU2025/SOA_SPB_12.2.1.4.251011/tools/spbat/generic/SPBAT -->

$ jobs

[1]+  Running                 ./spbat.sh -phase precheck -oracle_home /u02/RAMfsoadev/local/fmw/122 > precheck_SOAOCT2025.txt &

[2025-11-27_12-02-16] Patch compatibility check with the environment is in progress...

[2025-11-27_12-15-19] CheckForNoOpPatches has Completed on /u02/hhsfsoadev/local/fmw/122 Home

[2025-11-27_12-16-39] PATCH 36426672 APPLY WILL BE SKIPPED AS IT IS NOT APPLICABLE FOR THIS ENVIRONMENT

[2025-11-27_12-16-40] PATCH 38412437 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-40] PATCH 38529283 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-41] PATCH 1221427 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-42] PATCH 35965629 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-43] PATCH 33093748 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-44] PATCH 36946553 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-44] PATCH 34065178 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-46] PATCH 37056593 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-48] PATCH 36789759 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-49] PATCH 36316422 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-50] PATCH 38199225 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-51] PATCH 37925688 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-52] PATCH 38348152 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-53] PATCH 38253323 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-54] PATCH 38059281 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-55] PATCH 38405729 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-56] PATCH 38073767 IS #ALREADY APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-56] PATCH 38400138 IS #NOT APPLIED# IN THE ENVIRONMENT

[2025-11-27_12-16-57] PATCH 38379810 IS #NOT APPLIED# IN THE ENVIRONMENT

cd /ood_repository/RAM_Tool_deployment/SOAJULYCPU2025/java64/

unzip p18143322_1800_Linux-x86-64.zip

tar -xvzf jdk-8u471-linux-x64.tar.gz -C .

Jdk upgrade:

$ cd /u02/ramfsoadev/local

$ cp -rp /ood_repository/RAM_Tool_deployment/SOAOCTCPU2025/java64/jdk1.8.0_471 .

rm jdk

ln -s /u02/ramfsoadev/local/jdk1.8.0_471 jdk

Check java version

 

$ which java

/u02/ramfsoadev/local/jdk/bin/java

<-- oracle:luframfsoadl211:/u02/ramfsoadev/local -->

$ java -version

java version "1.8.0_471"

Java(TM) SE Runtime Environment (build 1.8.0_471-b26)

Java HotSpot(TM) 64-Bit Server VM (build 25.471-b26, mixed mode)

<-- oracle:luframfsoadl211:/u02/ramfsoadev/local -->

/ood_repository/RAM_Tool_deployment/SOAOCTCPU2025/SOA_SPB_12.2.1.4.251011

nohup ./spbat.sh -phase apply -oracle_home /u02/ramfsoadev/local/fmw/122 > SPBAT_APPLY_Oct2025.log &

$ $ORACLE_HOME/OPatch/opatch lspatches

38529283;SOA Stack Patch Bundle 12.2.1.4.251011 (Patch 38529263)

38412437;WLS PATCH SET UPDATE 12.2.1.4.250910

38405729;FMW Thirdparty Bundle Patch 12.2.1.4.250909

38400138;WebCenter Core Bundle Patch 12.2.1.4.250904

38379810;OSS 19C BUNDLE PATCH 12.2.1.4.250902

38348152;ADF BUNDLE PATCH 12.2.1.4.250822

38253323;SOA Bundle Patch 12.2.1.4.250729

38199225;RDA release 25.4-20251021 for OFM 12.2.1.4 SPB

1221427;Coherence Cumulative Patch 12.2.1.4.27

37913472;One-off

38073767;OWSM BUNDLE PATCH 12.2.1.4.250613

38059281;OSB Bundle Patch 12.2.1.4.250611

37925688;JDBC19.27 BUNDLE PATCH 12.2.1.4.250514

37526122;DATABASE RELEASE UPDATE 19.26.0.0.0 FOR FMW DBCLIENT (37526122)

37677581;OHS (NATIVE) DB19C BUNDLE PATCH 12.2.1.4.250307

37476511;WLS STACK PATCH BUNDLE 12.2.1.4.250114 (Patch 37476485)

37078094;OAM WEBGATE DB19C BUNDLE PATCH 12.2.1.4.240919

36946553;FMWCONTROL BUNDLE PATCH 12.2.1.4.240814

37056593;One-off

36789759;FMW PLATFORM BUNDLE PATCH 12.2.1.4.240812

36087199;One-off

36316422;OPSS Bundle Patch 12.2.1.4.240220

31992635;One-off

35965629;ADR FOR WEBLOGIC SERVER 12.2.1.4.0 CPU JAN 2024

34809489;One-off

34065178;One-off

27516009;

27293599;

25549931;

OPatch succeeded.

OCI: Zero-Trust Packet Routing - Draft

 What is ZPR?

===> ZPR is a network-security control in OCI that introduces an intent-based security policy layer for packet routing (i.e., network traffic) based on resource attributes (“security attributes”) rather than just network topology, IPs, subnets, etc. 

Ref: https://docs.oracle.com/en-us/iaas/Content/zero-trust-packet-routing/

==>It is intended to decouple network architecture from network security. In other words, network changes (adding subnets, VCNs, routing fabric) should not inadvertently weaken the security posture because ZPR policies still govern “who can talk to whom” regardless of architecture. 

Ref: https://www.prnewswire.com/news-releases/oracle-strengthens-organizations-cloud-security-posture-by-separating-network-security-from-network-architecture-302243043.html 

==>The service was announced (in preview or GA) for OCI as of October 2024. 

Ref: https://docs.oracle.com/en-us/iaas/releasenotes/zero-trust-packet-routing/introducing-zpr.htm 

Local VCN Peering (Using LPGs) vs Remote Peering

 

 Technical Architecture

1. Local VCN Peering (LPGs):

• Uses Local Peering Gateways to connect two VCNs within the same region - Think of two playgrounds in the same neighborhood

• Traffic stays inside Oracle’s regional backbone, not traversing the internet.

• Routes must be configured in each VCN’s route table to send traffic through its LPG.

• Security rules and Network Security Groups (NSGs) apply to control access.

Example Use Cases:

• A “hub-and-spoke” network model within one region.

• Centralized network services (DNS, NAT, firewalls) accessed by other VCNs.

Key Points:

• Cannot connect VCNs in different regions.

• Simple, cost-effective, and low-latency.

• Each LPG can peer with one VCN at a time (one-to-one).

2. Remote VCN Peering:

• Uses Remote Peering Gateways (RPGs) to connect VCNs across regions - two playgrounds in different cities

• Communication occurs via OCI’s private backbone, not over the public internet.

• You set up an RPG in each VCN and establish a remote peering connection between them.

Example Use Cases:

• Multi-region deployments for disaster recovery.

• Cross-region data replication or centralized monitoring.

Key Points:

• Traffic remains private (never goes over the public internet).

• Slightly higher latency than local peering (due to inter-region distance).

• Each RPG can peer with only one other RPG.

Feature	Local VCN Peering (LPG)	Remote VCN Peering
Purpose	Connect VCNs within the same region	Connect VCNs across regions
Connection Type	Via Local Peering Gateways (LPGs)	Via Remote Peering Gateways (RPGs)
Latency	Lower latency (same-region routing)	Higher latency (cross-region routing)
Bandwidth	Uses regional network — typically higher	Limited by inter-region connectivity
Use Case	For multi-VCN architectures in a single region (e.g., shared services, segmentation)	For multi-region architectures (e.g., DR, cross-region data access)

Aspect	Local Peering	Remote Peering
Security Lists/NSGs	Required for traffic control between VCNs	Required for traffic control between VCNs
Route Tables	Must add route to LPG	Must add route to RPG
Policies (IAM)	Required if peering VCNs in different compartments	Required if VCNs are in different tenancies or compartments

Criteria	Local Peering (LPG)	Remote Peering (RPG)
Regions	Same	Different
Gateway Type	Local Peering Gateway (LPG)	Remote Peering Gateway (RPG)
Traffic Path	Regional backbone	OCI inter-region backbone
Performance	High (low latency)	Moderate (depends on distance)
Cost	No egress cost within region	Inter-region data transfer charges may apply
Setup Complexity	Simple	Slightly more complex
Common Use Case	Hub-and-spoke within region	Multi-region DR or replication

Google, Mozilla, and Apple choosing to no longer support Entrust as a publicly trusted certificate authority

Google, Mozilla, and Apple have all decided to stop trusting Entrust’s publicly issued certificates after specific cutoff dates, due to long-standing compliance issues.

Why the Distrust?

Browsers depend on Certificate Authorities (CAs) to uphold stringent security and industry standards. Entrust repeatedly failed to comply—examples include delay in revoking misissued certificates, poor incident reporting, and administrative errors. This pattern of “compliance failures” led browsers to lose confidence in Entrust’s ability to act responsibly and transparently.

Organization	Affected Certificates	Cutoff Date	Notes
Google Chrome	TLS certificates with Signed Certificate Timestamp (SCT) post-issue date	November 11, 2024	Entrust roots not trusted in Chrome Root Program for certs issued after Oct 31, 2024 (Entrust, DigiCert, The Wall Street Journal, Cloudflare Docs, The Cloudflare Blog, Enterprise Security Tech)
Apple (Safari and Root Store)	TLS, S/MIME, Timestamping, VMCs issued after specific date	November 15, 2024	Doesn’t affect certs issued on or before that date; broader certificate types impacted (Entrust, DigiCert)
Mozilla Firefox	TLS certificates via Entrust roots	November 30, 2024	Distrust due to repeated compliance issues and insufficient corrective action (Google Groups, Encryption Consulting, DigiCert, Wikipedia)

What This Means for Users

• Old Entrust Certificates Still Valid – Certificates issued on or before the cutoff dates will remain trusted until their natural expiry.

• New Entrust Certificates Likely to Fail – Certificates issued after the specified cutoff dates will trigger browser warnings or outright blockage.

For example:

• Chrome rejects SCT-dated Entrust certificates after Nov 11, 2024.

• Apple’s platforms (like Safari) reject Entrust TLS/S‑MIME certs issued after Nov 15, 2024.

• Firefox stops trusting Entrust-issued TLS certs from Nov 30, 2024. 

Entrust’s Reaction & Alternatives

Entrust publicly announced that certificates issued prior to the cutoff remain valid, and they’re working on fixing their internal processes—such as adding linting tools, establishing a change control board, and bolstering audit transparency.

Meanwhile, they’ve partnered with SSL.com to issue new certificates on Entrust’s behalf—that still rely on SSL.com roots to maintain browser trust. Cloudflare even enabled SSL.com certificates to ease migration.

--> Certificates issued before 31/10/2024 will remain valid. Certificate issued after 31/10/2024 will be no longer trusted by Google.

--> "Entrust made no moves to revoke or replace the affected certificates."

Summary

Google, Mozilla, and Apple have withdrawn trust in Entrust’s public roots, but each did so at slightly different times and with varying scopes:

• Chrome/Google — bye to Entrust-issued TLS certs after Nov 11, 2024.

• Apple/Safari — blocks wider certificate types (TLS, S/MIME, VMCs) after Nov 15, 2024.

• Firefox/Mozilla — distrust kicks in end-Nov 2024.

Entrust’s existing certificates issued before those dates remain valid. For new issuance, organizations should migrate to trusted alternatives—like SSL.com or DigiCert—to avoid browser compatibility issues.

Find rdf file name from EBS Concurrent Program

 

1) Go to system administrator > Concurrent > Program > Define.

Search for the program name and copy the executable name.

2) Use below query and paste the executable name.

SELECT APPLICATION_NAME,'$'||BASEPATH||'/'||'reports/US' Reports_Path,EXECUTION_FILE_NAME FROM APPS.FND_EXECUTABLES_VL A, APPS.FND_APPLICATION_VL B WHERE EXECUTION_METHOD_CODE='P' AND A.APPLICATION_ID=B.APPLICATION_ID AND EXECUTION_FILE_NAME like '%&RDF_NAME%';

General Queries

 SELECT 

    owner, 

    segment_name AS table_name,

    ROUND(SUM(bytes) / 1024 / 1024 / 1024, 2) AS size_gb

FROM 

    dba_segments

WHERE 

    segment_type = 'TABLE'

    AND segment_name in ('FV_GTAS1_PERIOD_BALANCES_V_BKPSK','FV_DACT_PERIOD_BALANCES_V_BKPSK','FV_DACT_ENDING_BALANCES_BKPSK','FV_GTAS_ENDING_BALANCES_BKPSK')

    AND owner = ('HHSBKP')

GROUP BY 

    owner, segment_name;

Size of the objects in Tablespace

SELECT

    owner,

    segment_name,

    segment_type,

    tablespace_name,

    ROUND(SUM(bytes) / 1024 / 1024/1024, 2) AS size_GB

FROM

    dba_segments

WHERE

    tablespace_name = 'UFMSD'

GROUP BY

    owner, segment_name, segment_type, tablespace_name

ORDER BY

    size_GB DESC;

Include Total and Used Space for That Tablespace:

SELECT

    df.tablespace_name,

    ROUND(df.total_space_mb, 2) AS total_space_mb,

    ROUND(NVL(fs.free_space_mb, 0), 2) AS free_space_mb,

    ROUND(df.total_space_mb - NVL(fs.free_space_mb, 0), 2) AS used_space_mb,

    ROUND((NVL(fs.free_space_mb, 0) / df.total_space_mb) * 100, 2) AS free_percent

FROM

    (SELECT

         tablespace_name,

         SUM(bytes) / 1024 / 1024 AS total_space_mb

     FROM

         dba_data_files

     WHERE

         tablespace_name = 'YOUR_TABLESPACE_NAME'

     GROUP BY

         tablespace_name) df

LEFT JOIN

    (SELECT

         tablespace_name,

         SUM(bytes) / 1024 / 1024 AS free_space_mb

     FROM

         dba_free_space

     WHERE

         tablespace_name = 'YOUR_TABLESPACE_NAME'

     GROUP BY

         tablespace_name) fs

ON

    df.tablespace_name = fs.tablespace_name;

SELECT name, total_mb/1024, free_mb/1024, usable_file_mb/1024, offline_disks 

FROM v$asm_diskgroup 

WHERE name = 'DATAC1';

SELECT type, SUM(bytes)/1024/1024/1024 AS size_gb

FROM v$asm_file

WHERE group_number = (SELECT group_number FROM v$asm_diskgroup WHERE name = 'DATAC1')

GROUP BY type;

ETCC

 1001  2025-06-25.14:32:16 ls -ltr *env

 1002  2025-06-25.14:32:21 . DRAM5I_EBSDE3.env

 1003  2025-06-25.14:32:31 mkdir -p $ORACLE_HOME/appsutil/ETCC

 1004  2025-06-25.14:32:40 cd $ORACLE_HOME/appsutil/ETCC

 1005  2025-06-25.14:32:49 unzip -o /ood_repository/RAM/Patches/CPU/Jan2025/p17537119_R12_GENERIC.zip

 1006  2025-06-25.14:33:06 source $ORACLE_HOME/DRAM5I_lufRAMfexanpq1-ram5g2.env

 1007  2025-06-25.14:33:18 ./checkDBpatch.sh

 1008  2025-06-25.14:34:07 more /u02/app/oracle/product/19.0.0.0/dbhome_2/appsutil/ETCC/log/checkDBpatch_118863.log