Oracle E-Business Suite 12.2 Security Alert CVE-2025-61882
This post is just a short write-up on how to apply the fix for CVE-2025-61882 to an Oracle E-Business Suite 12.2 installation.
Oracle recommends installing the patches for CVE-2025-61882 as soon as possible. The installation of the E-Business Suite system that we will use is described here.
Preparation
We need to download the following patches. I placed the zip files in the folder /sw/ora_ebs/CVE-2025-61882.
Patch 38501230 requires that at least Critical Patch Update OCT 2023 is installed. We can verify the currently installed CPU by logging in to the system as sysadmin => Functional Administrator => Configuration Manager => check “Oracle E-Business Suite CPU Patch Level Check” and select Check. After the check has finished, we can see that we are safe because we already have CPU 2024/04 applied.

Installation
We will now start to apply the patches. It is necessary to restart EBS during the installation. The whole process will take about 30 minutes.
# as oracle
hn=`hostname|awk -F. {'print $1'}`
. /d01/oracle/VIS/fs1/EBSapps/appl/VIS_$hn.env
# stage patches
unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501230_R12.TXK.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501349_R12.CAC.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501757_R12.XDO.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
# install patch 38501230 and 38501349
(echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501230 apply_mode=hotpatch
(echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501349 apply_mode=hotpatch
# stop and restart EBS
(echo apps; echo apps; echo welcome1)|$ADMIN_SCRIPTS_HOME/adstpall.sh -mode=allnodes
(echo apps; echo apps; echo welcome1)|$ADMIN_SCRIPTS_HOME/adstrtal.sh -mode=allnodes
# Now the sysadmin password should be changed. We will skip that.
# apply patch 38501757
(echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501757 apply_mode=hotpatch
# run sql script
. /d01/oracle/VIS/19.3.0/VISCDB_$hn.env; unset TWO_TASK
sqlplus apps/apps@//$hn/vis @$XDO_TOP/patch/115/sql/bug38501757_diag.sql <<EOF
EOF
Sample Output:
[oracle@lin7 ~]$ # as oracle
[oracle@lin7 ~]$ hn=`hostname|awk -F. {'print $1'}`
. /d01/oracle/VIS/fs1/EBSapps/appl/VIS_$hn.env
# stage patches
unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501230_R12.TXK.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501349_R12.CAC.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
[oracle@lin7 ~]$ . /d01/oracle/VIS/fs1/EBSapps/appl/VIS_$hn.env
unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501757_R12.XDO.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
# install patch 38501230 and 38501349
(echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501230 apply_mode=hotpatch
(echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501349 apply_mode=hotpatch
# stop and restart EBS
(echo apps; echo apps; echo welcome1)|$ADMIN_SCRIPTS_HOME/adstpall.sh -mode=allnodes
(echo apps; echo apps; echo welcome1)|$ADMIN_SCRIPTS_HOME/adstrtal.sh -mode=allnodes
# Now the sysadmin password should be changed. We will skip that.
# apply patch 38501757
(echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501757 apply_mode=hotpatch
# run sql script
. /d01/oracle/VIS/19.3.0/VISCDB_$hn.env; unset TWO_TASK
sqlplus apps/apps@//$hn/vis @$XDO_TOP/patch/115/sql/bug38501757_diag.sql <<EOF
EOF
[oracle@lin7 ~]$ # stage patches
[oracle@lin7 ~]$ unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501230_R12.TXK.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
[oracle@lin7 ~]$ unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501349_R12.CAC.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
[oracle@lin7 ~]$ unzip -oq /sw/ora_ebs/CVE-2025-61882/p38501757_R12.XDO.C_R12_GENERIC.zip -d /d01/oracle/VIS/fs_ne/EBSapps/patch/
[oracle@lin7 ~]$ # install patch 38501230 and 38501349
[oracle@lin7 ~]$ (echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501230 apply_mode=hotpatch
stty: 'standard input': Inappropriate ioctl for device
Enter the APPS password:stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
Enter the EBS_SYSTEM password:stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
Enter the WLSADMIN password:stty: 'standard input': Inappropriate ioctl for device
Validating credentials.
Initializing.
Run Edition context : /d01/oracle/VIS/fs1/inst/apps/VIS_lin7/appl/admin/VIS_lin7.xml
Patch edition context: /d01/oracle/VIS/fs2/inst/apps/VIS_lin7/appl/admin/VIS_lin7.xml
Patch file system free space: 114.22 GB
Validating system setup.
Node registry is valid.
Checking for existing adop sessions.
[INFO] ICM is not down
[INFO] Connection to http://lin7.fritz.box:8000 successful
[WARNING] You should only specify hotpatch mode when directed to by the patch readme.
Continuing with the existing session [Session ID: 5].
===========================================================================
ADOP (C.Delta.16)
Session ID: 5
Node: lin7
Phase: apply
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_153116/adop.log
===========================================================================
Applying patch 38501230.
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_153116/apply/lin7/38501230/log/u38501230.log
Running finalize actions for the patches being applied.
Log: @ADZDSHOWLOG.sql "2025/10/10 15:37:13"
Running cutover actions for the patches being applied.
Creating workers to process cutover DDL in parallel
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_153116/apply/lin7/log/cutover.log
Loading JAR files into database.
Loading JAR files into database
No JAR files found to load
Performing database cutover in Quick mode
Generating post apply reports.
Generating log report.
Output: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_153116/apply/lin7/adzdshowlog.out
The apply phase completed successfully.
adop exiting with status = 0 (Success)
stty: 'standard input': Inappropriate ioctl for device
[oracle@lin7 ~]$ (echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501349 apply_mode=hotpatch
stty: 'standard input': Inappropriate ioctl for device
Enter the APPS password:stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
Enter the EBS_SYSTEM password:stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
Enter the WLSADMIN password:stty: 'standard input': Inappropriate ioctl for device
Validating credentials.
Initializing.
Run Edition context : /d01/oracle/VIS/fs1/inst/apps/VIS_lin7/appl/admin/VIS_lin7.xml
Patch edition context: /d01/oracle/VIS/fs2/inst/apps/VIS_lin7/appl/admin/VIS_lin7.xml
Patch file system free space: 114.20 GB
Validating system setup.
Node registry is valid.
Checking for existing adop sessions.
[INFO] ICM is not down
[INFO] Connection to http://lin7.fritz.box:8000 successful
[WARNING] You should only specify hotpatch mode when directed to by the patch readme.
Continuing with the existing session [Session ID: 5].
===========================================================================
ADOP (C.Delta.16)
Session ID: 5
Node: lin7
Phase: apply
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154104/adop.log
===========================================================================
Applying patch 38501349.
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154104/apply/lin7/38501349/log/u38501349.log
Running finalize actions for the patches being applied.
Log: @ADZDSHOWLOG.sql "2025/10/10 15:42:39"
Running cutover actions for the patches being applied.
Creating workers to process cutover DDL in parallel
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154104/apply/lin7/log/cutover.log
Loading JAR files into database.
Loading JAR files into database
No JAR files found to load
Performing database cutover in Quick mode
Generating post apply reports.
Generating log report.
Output: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154104/apply/lin7/adzdshowlog.out
The apply phase completed successfully.
adop exiting with status = 0 (Success)
stty: 'standard input': Inappropriate ioctl for device
[oracle@lin7 ~]$ # stop and restart EBS
[oracle@lin7 ~]$ (echo apps; echo apps; echo welcome1)|$ADMIN_SCRIPTS_HOME/adstpall.sh -mode=allnodes
You are running adstpall.sh version 120.22.12020000.7
Enter the APPS username: stty: 'standard input': Inappropriate ioctl for device
Enter the APPS password:
Enter the WebLogic Server password:
stty: 'standard input': Inappropriate ioctl for device
Running command in node lin7
Running command in node lin7
All enabled services on this node are stopped.
adstpall.sh:Exiting with status 0
adstpall.sh: check the logfile /d01/oracle/VIS/fs1/inst/apps/VIS_lin7/logs/appl/admin/log/adstpall.log for more information ...
[oracle@lin7 ~]$ (echo apps; echo apps; echo welcome1)|$ADMIN_SCRIPTS_HOME/adstrtal.sh -mode=allnodes
You are running adstrtal.sh version 120.24.12020000.11
Enter the APPS username: stty: 'standard input': Inappropriate ioctl for device
Enter the APPS password:
Enter the WebLogic Server password:
stty: 'standard input': Inappropriate ioctl for device
Running command in node lin7
All enabled services for this node are started.
adstrtal.sh: Exiting with status 0
adstrtal.sh: check the logfile /d01/oracle/VIS/fs1/inst/apps/VIS_lin7/logs/appl/admin/log/adstrtal.log for more information ...
[oracle@lin7 ~]$ # Now the sysadmin password should be changed. We will skip that.
[oracle@lin7 ~]$ # apply patch 38501757
[oracle@lin7 ~]$ (echo apps; echo manager; echo welcome1)|adop phase=apply patches=38501757 apply_mode=hotpatch
stty: 'standard input': Inappropriate ioctl for device
Enter the APPS password:stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
Enter the EBS_SYSTEM password:stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
Enter the WLSADMIN password:stty: 'standard input': Inappropriate ioctl for device
Validating credentials.
Initializing.
Run Edition context : /d01/oracle/VIS/fs1/inst/apps/VIS_lin7/appl/admin/VIS_lin7.xml
Patch edition context: /d01/oracle/VIS/fs2/inst/apps/VIS_lin7/appl/admin/VIS_lin7.xml
Patch file system free space: 114.19 GB
Validating system setup.
Node registry is valid.
Checking for existing adop sessions.
[INFO] ICM is not down
[INFO] Connection to http://lin7.fritz.box:8000 successful
[WARNING] You should only specify hotpatch mode when directed to by the patch readme.
Continuing with the existing session [Session ID: 5].
===========================================================================
ADOP (C.Delta.16)
Session ID: 5
Node: lin7
Phase: apply
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154850/adop.log
===========================================================================
Applying patch 38501757.
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154850/apply/lin7/38501757/log/u38501757.log
Running finalize actions for the patches being applied.
Log: @ADZDSHOWLOG.sql "2025/10/10 15:49:43"
Running cutover actions for the patches being applied.
Creating workers to process cutover DDL in parallel
Log: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154850/apply/lin7/log/cutover.log
Loading JAR files into database.
Loading JAR files into database
No JAR files found to load
Performing database cutover in Quick mode
Generating post apply reports.
Generating log report.
Output: /d01/oracle/VIS/fs_ne/EBSapps/log/adop/5/20251010_154850/apply/lin7/adzdshowlog.out
The apply phase completed successfully.
adop exiting with status = 0 (Success)
stty: 'standard input': Inappropriate ioctl for device
[oracle@lin7 ~]$ # run sql script
[oracle@lin7 ~]$ . /d01/oracle/VIS/19.3.0/VISCDB_$hn.env; unset TWO_TASK
[oracle@lin7 ~]$ sqlplus apps/apps@//$hn/vis @$XDO_TOP/patch/115/sql/bug38501757_diag.sql <<EOF
> EOF
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 10 15:50:45 2025
Version 19.26.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Last Successful login time: Fri Oct 10 2025 15:50:44 +02:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.26.0.0.0
=========================================================================
= Template Definition Information from XDO_TEMPLATES_B
=========================================================================
no rows selected
=========================================================================
= Template Definition Information from XDO_TEMPLATES_TL
=========================================================================
no rows selected
=========================================================================
= Data Definition Information from XDO_DS_DEFINTIONS_B
=========================================================================
no rows selected
=========================================================================
= Data Definition Information from XDO_DS_DEFINTIONS_TL
=========================================================================
no rows selected
=========================================================================
= Information from XDO_LOBS
=========================================================================
no rows selected
=========================================================================
= Data Definition Information from XDO_TEMPLATE_FIELDS
=========================================================================
no rows selected
=========================================================================
= Data Definition Information from XDO_TRANS_UNITS
=========================================================================
no rows selected
SQL>
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.26.0.0.0
[oracle@lin7 ~]$
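To confirm from a saved transcript that each of the three adop runs finished like the ones above, the following added example (not part of the original post) pairs every "Applying patch N." line with the "adop exiting with status = ..." line that follows it. The function names and the idea of saving the session to a file are assumptions, and the embedded transcript is constructed from the output format shown above.

```shell
# Added example (not from the original post): check a saved adop transcript.

# Print "<patch> <status>" per apply run; status is the number from
# "adop exiting with status = N", or "none" if the run never printed it.
adop_results() {
    awk '
        /^Applying patch [0-9]+\.$/ {
            if (patch != "") print patch, "none"   # previous run was cut off
            patch = $3; sub(/\.$/, "", patch); next
        }
        /^adop exiting with status = / && patch != "" {
            print patch, $6; patch = ""
        }
        END { if (patch != "") print patch, "none" }
    ' "$1"
}

# Return 0 only if every listed patch has an apply run that exited with 0.
# If a patch was applied more than once, the last run decides.
verify_patches() {
    log=$1; shift
    results=$(adop_results "$log")
    rc=0
    for p in "$@"; do
        status=$(printf '%s\n' "$results" |
            awk -v p="$p" '$1 == p { s = $2 } END { print (s == "" ? "missing" : s) }')
        printf 'patch %s: adop status %s\n' "$p" "$status"
        [ "$status" = "0" ] || rc=1
    done
    return "$rc"
}

# Constructed sample transcript: two complete runs, the third one cut off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Applying patch 38501230.
The apply phase completed successfully.
adop exiting with status = 0 (Success)
stty: 'standard input': Inappropriate ioctl for device
Applying patch 38501349.
The apply phase completed successfully.
adop exiting with status = 0 (Success)
Applying patch 38501757.
Running finalize actions for the patches being applied.
EOF

verify_patches "$sample" 38501230 38501349 38501757 || echo "at least one patch is not confirmed"
```

On a real system the transcript argument would be the file the session was captured to; the check only reads it and makes no changes to EBS.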
That’s all. You are now protected against this threat. 🙂 Please let me know if you need help in patching your Oracle E-Business Suite system.
