Monday, May 18, 2026

ADOP Is Not Enough — The Java Patching Step Most EBS DBAs Skip

ADOP Is Not Enough — The Java Patching Step Most EBS DBAs Skip | punitoracledba
Oracle EBS DBA Series  ·  May 2026  ·  punitoracledba.blogspot.com

ADOP Is Not Enough — The Java Patching Step Most EBS DBAs Skip

Patch 37171025  |  EJCPUC  |  Oracle EBS R12.2  |  CPU April 2026  |  8 min read

If you applied the April 2026 CPU to your Oracle EBS R12.2 environment using ADOP and called it done — you are not finished. Java patching is a separate step that many DBAs miss entirely, and it leaves real security vulnerabilities open even after a successful ADOP cycle.

This post explains what EJCPUC is, why Java homes in EBS R12.2 need their own patching process, how to run Patch 37171025, and how to read the output report correctly.

Key point: ADOP patches EBS application code, forms, and database objects. It does not patch the Java runtime environments that WebLogic, OAF, Forms, and other EBS components depend on. Those are separate and require their own patching process.

What Is EJCPUC?

EJCPUC stands for EBS Java Critical Patch Update Checker. It is an Oracle-provided shell script that scans every Java home in your EBS environment, reports the current Java CPU level of each one, and tells you exactly which Java security patches are missing.

Oracle first released EJCPUC with the October 2024 CPU and has updated it every quarter since. The April 2026 version is available as Patch 37171025 — the same patch number since initial release, updated in place each quarter with new content and checks.

Source: Oracle EBS Technology Blog — April 2026 Updates to EBS Java Critical Patch Update Checker (EJCPUC), published 27 April 2026 by Elke Phelps, Product Management Director, Oracle EBS Applications Technology Group. blogs.oracle.com/ebstech

Why Java Patching Is a Separate Step

A typical R12.2 environment contains multiple Java homes, each serving a different component. Each has its own Java version and CPU patch level — completely independent of what ADOP does to the EBS application tier.

Application Tier Java Homes

  • WebLogic / FMW Java home  —  $FMW_HOME/jdk
  • EBS application Java home  —  $JAVA_HOME (applmgr user)
  • Oracle HTTP Server Java home  —  $OHS_ORACLE_HOME/jdk
  • Forms and Reports Java home  —  $ORACLE_HOME/jdk

Database Tier Java Homes

  • DB Oracle home JDK  —  $ORACLE_HOME/jdk
  • Oracle JVM inside the database  —  ojvm component
  • Grid infrastructure Java (RAC environments)  —  $GRID_HOME/jdk

It is entirely possible to have one Java home at the January 2026 CPU level while another is still at July 2025. EJCPUC discovers all Java homes on a node and reports each one individually so nothing is missed.

Because each Java home is independent, you must run EJCPUC on both the application tier and the database tier and apply the recommended patches to each home separately using OPatch.

What EJCPUC Does

  1. Discovers all Java homes in the EBS environment on that node
  2. Reads the current Java version and CPU patch level of each home
  3. Compares each home against the April 2026 CPU requirements built into the tool
  4. Generates a report listing every Java home, its current level, and the patches needed to bring it up to date

This is why you must always download the latest version of EJCPUC each quarter. Older versions do not know about patches added after their release date and will silently miss them.

Step 1 — Download Patch 37171025

Log in to My Oracle Support at support.oracle.com and search for Patch 37171025. Download it fresh each quarter even if you have a copy from last quarter on disk. The content changes every CPU cycle.

Stage the patch on your server 
# Create a staging directory
mkdir -p /stage/ejcpuc

# Unzip the downloaded patch file
unzip p37171025_R12_GENERIC.zip -d /stage/ejcpuc

# Confirm ejcpuc.sh and README.txt are present
ls -la /stage/ejcpuc/

# Always read the README before running
less /stage/ejcpuc/README.txt

Step 2 — Run on the Application Tier

Log in as applmgr on the primary application tier node. Source the EBS run environment first, then run the script.

Application tier — run as applmgr 
# Source the EBS run environment
source /u01/oracle/R122/EBSapps.env run

# Navigate to the EJCPUC directory
cd /stage/ejcpuc

# Make the script executable if needed
chmod +x ejcpuc.sh

# Run the checker
./ejcpuc.sh

# Locate the output report file
ls -la ejcpuc_report*.txt

If you have multiple application tier nodes, run EJCPUC on each node separately. Java home configurations can differ between nodes.

Step 3 — Run on the Database Tier

This is the step most DBAs skip. The database tier has its own Java homes including the JDK bundled with the Oracle DB home and the Oracle JVM inside the database. Both need to be at the current CPU level.

Database tier — run as the oracle OS user 
# Copy EJCPUC to the DB tier node
scp -r /stage/ejcpuc oracle@dbserver:/stage/ejcpuc

# Log in to the database tier node
ssh oracle@dbserver

# Set the Oracle home environment
export ORACLE_HOME=/u01/oracle/product/19.0.0/dbhome_1
export PATH=$ORACLE_HOME/bin:$PATH

# Navigate and run EJCPUC
cd /stage/ejcpuc
./ejcpuc.sh

# Locate the DB tier report
ls -la ejcpuc_report*.txt

Step 4 — Reading the EJCPUC Report

The report has three sections. Here is exactly what to look for in each one.

Section 1 — Environment summary

Shows the hostname, OS user, run date, and EBS release detected. Verify this matches the node you intended to scan before reading further.

Section 2 — Java home discovery and current CPU level

Lists every Java home found on the node with its path, Java version, and the CPU patch level currently applied. This is where you see which homes are up to date and which ones are behind.

Sample Section 2 output [Java Home 1] Path: /u01/oracle/R122/fs1/FMW_Home/jdk Version: Java 11.0.22 CPU Level: January 2026 -- one CPU behind, needs updating [Java Home 2] Path: /u01/oracle/R122/EBSapps/comn/util/jdk Version: Java 11.0.22 CPU Level: July 2025 -- two CPUs behind, apply urgently [Java Home 3] Path: /u01/oracle/R122/fs2/FMW_Home/jdk Version: Java 11.0.22 CPU Level: April 2026 -- up to date, no action needed

Section 3 — Recommended patches

This is your action list. Every patch listed here must be applied. The section gives you the patch number and the exact Java home it applies to. There are no optional items in this list.

Sample Section 3 output 
RECOMMENDED PATCHES:

Patch 36583222 - Java 11 CPU April 2026
  Apply to: /u01/oracle/R122/fs1/FMW_Home/jdk

Patch 36583222 - Java 11 CPU April 2026
  Apply to: /u01/oracle/R122/EBSapps/comn/util/jdk

No patches required:
  /u01/oracle/R122/fs2/FMW_Home/jdk  (already at April 2026)

How to interpret the CPU level in the report

CPU Level Shown Status Action Required
April 2026 Up to date None — this Java home is fully patched
January 2026 One CPU behind Apply the April 2026 Java patch from Section 3
October 2025 or older Critical Apply immediately — multiple vulnerabilities are open
Not recognized Unknown Check README for manual scan steps — raise SR if needed

Step 5 — Applying the Recommended Java Patches

Java CPU patches for EBS R12.2 Java homes are applied using OPatch — not ADOP. Each Java home is patched independently using the patch number from EJCPUC Section 3.

Important: In R12.2 you have two filesystems — fs1 and fs2. Java homes exist in both. Apply Java CPU patches to the Java homes in both filesystems, not just the active run filesystem.

Apply Java CPU patch to each Java home using OPatch 
# Point to the Java home being patched
export JAVA_HOME=/u01/oracle/R122/fs1/FMW_Home/jdk
export PATH=$JAVA_HOME/bin:$PATH

# Confirm you are pointing to the correct Java
java -version

# Unzip the Java CPU patch from MOS
unzip p36583222_1102_Linux-x86-64.zip -d /stage/java_cpu

# Apply using OPatch
cd /stage/java_cpu/36583222
$JAVA_HOME/../OPatch/opatch apply

# Verify patch was applied successfully
$JAVA_HOME/../OPatch/opatch lsinventory | grep 36583222

# Repeat for every Java home listed in EJCPUC Section 3

Step 6 — Run EJCPUC Again After Cutover

Oracle explicitly recommends running EJCPUC a second time after applying patches and performing ADOP cutover. This confirms that all recommended patches were applied successfully and gives you a clean report to save as compliance evidence.

After the second run, Section 3 should show no remaining recommended patches. Save both reports — the before and after — as part of your change management record.

When to Run EJCPUC

When Why
Before every quarterly CPU cycle Identify what Java patches are needed before your maintenance window starts
After ADOP cutover Confirm all patches applied correctly — this is your audit and compliance evidence
Any time you need to report Java CPU level Security audits, compliance reviews, management reporting

Common Mistakes to Avoid

Mistake What to Do Instead
Running EJCPUC on the application tier only Run on both application tier and database tier every time
Reusing last quarter's EJCPUC download Download Patch 37171025 fresh at the start of every CPU cycle
Only patching the run filesystem Java homes Patch Java homes in both fs1 and fs2
Not running EJCPUC after cutover Run before and after — save both reports as evidence
Assuming ADOP patches Java homes Java CPU patches are applied separately via OPatch on each Java home

Key References

Reference Description
Patch 37171025 EJCPUC — EBS Java Critical Patch Update Checker. Download fresh every quarter.
Patch 35583866 ECPUC — EBS application tier patch checker. Run alongside EJCPUC.
MOSFS KA923 Always-current EBS CPU availability document. Bookmark permanently.
MOSFS KA1539 EBS R12.2 CPU April 2026 — complete patch list and prerequisites.
MOSFS KA1033 FAQ: Oracle E-Business Suite Security.

punitoracledba.blogspot.com  ·  Oracle EBS DBA Series  ·  May 2026

Source: blogs.oracle.com/ebstech — Oracle E-Business Suite Technology Blog

Next CPU release: 21 July 2026

Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)