5 Replies Latest reply: Apr 3, 2012 8:30 AM by gimbal2

Apply patch Java SE Critical Patch October 2011

user521219 Newbie
Hello,
Server: Red Hat 5 Enterprise Edition

java -version

java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)

According to Oracle information
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#PatchTable

If I had JDK and JRE on my server, I should apply patch.

I don't know if the JDK is installed on my server. Is this the JDK: java version "1.6.0_06"?

I know that JRE is installed: Java(TM) SE Runtime Environment (build 1.6.0_06-b02)

I'm planning to apply patch: JDK 6 Update 29. (https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1361232.1)
I downloaded zip file for Linux. Readme file says:

------------------------- Begin Of File -------------------------------
Bug Number: 9553040

Product Name: JavaSoft JDK 1.6.0_27-fcs-b07

Platform: Linux-i586

Bug Information:

Instructions for installing this patch:
1. Extract JDK provided in this patch.
2. Upgrade the JDK within the Application Server $OH per the instructions in
one of the following Notes:

Note 272808.1 -- 10.1.2
Note 396096.1 -- 10.1.3
Note 444462.1 -- 10.1.3 (upgrading to JDK6)

3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1

Note: This patch download also contains the standalone JRE install. Follow the Oracle product instructions for using the
standalone JRE. If there are questions on using the JDK or JRE with Oracle products, please contact the specific
product Support team accordingly.

Note: Release Notes for the JDK can be found here: http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

------------------------- End Of File -------------------------------

It is not clear how to update or patch JRE. Do I have to?
Should I install patch?

Please, help.
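One way to answer the two questions above (is 1.6.0_06 a JDK or only a JRE, and is it below the JDK 6 Update 29 level that the October 2011 CPU ships), as an added shell example that is not part of the original thread. It assumes that a JDK is recognised by a javac binary beside java and that 6u29 is the fix level for the 1.6.0 family; it is meant for a standalone Java install, not for the JDK inside an Oracle database home, which the later replies say is patched only through the DBMS PSU/CPU.

```shell
# Added example, not from the thread: check a standalone Java 6 install against
# the October 2011 CPU fix level (JDK/JRE 6 Update 29, named in the post) and
# tell a JDK (ships javac) from a standalone JRE.
MIN_UPDATE_6=29   # assumption: 6u29 is the fix level for the 1.6.0 family

# Pull the "1.6.0_06"-style version string out of `java -version` output (stdin).
parse_java_version() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print the update number after the underscore (06 -> 6, 27-fcs-b07 -> 27), 0 if none.
java_update_level() {
    case "$1" in
        *_*) n=$(printf '%s\n' "${1##*_}" | sed 's/[^0-9].*//; s/^0*//')
             echo "${n:-0}" ;;
        *)   echo 0 ;;
    esac
}

# True (exit 0) when the version is in the 1.6.0 family and below MIN_UPDATE_6.
needs_oct2011_cpu() {
    case "$1" in 1.6.0|1.6.0_*) ;; *) return 1 ;; esac
    [ "$(java_update_level "$1")" -lt "$MIN_UPDATE_6" ]
}

# JDK or JRE?  Assumption: a JDK has javac next to java in the same bin dir.
java_kind() {
    if [ -x "$1/javac" ]; then echo JDK; else echo JRE; fi
}

# Constructed sample: the exact output quoted in the post.
SAMPLE_OUTPUT='java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)'

main() {
    if command -v java >/dev/null 2>&1; then   # live system when java is present
        out=$(java -version 2>&1); bindir=$(dirname "$(command -v java)")
    else                                        # otherwise the sample above
        out="$SAMPLE_OUTPUT"; bindir=/nonexistent
    fi
    ver=$(printf '%s\n' "$out" | parse_java_version)
    [ -n "$ver" ] || { echo "could not parse java -version output"; return 0; }
    echo "Installed: $ver ($(java_kind "$bindir"))"
    if needs_oct2011_cpu "$ver"; then
        echo "Below 1.6.0_$MIN_UPDATE_6: apply JDK 6 Update 29 (October 2011 CPU)"
    else
        echo "Not a 1.6.0 install below 1.6.0_$MIN_UPDATE_6: that CPU patch does not apply"
    fi
}
main
```

Run it on the server as the user that owns the Java install; with no java on PATH it reports against the sample output from the post.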
  • 1. Re: Apply patch Java SE Critical Patch October 2011
    841035 Newbie
    Java 6 update 6 is quite old -- probably at least 4 years. There have been a lot of security and performance enhancements since then.
  • 2. Re: Apply patch Java SE Critical Patch October 2011
    wolfeet Newbie
    I'm in the same boat you are in. The wonderful world known as gov't IA vulnerabilities has identified the JDK within the database home as being a vulnerability and in need of a patch. If you are lucky enough to actually find the patch, the readme for the patch tells you to read another Note "3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1". Unfortunately that note is nowhere to be found. It's referenced a number of times if you search within oracle support, but it is missing. In the meantime an outstanding CAT I finding with multiple vulnerabilities is hanging over the environment.
  • 3. Re: Apply patch Java SE Critical Patch October 2011
    gimbal2 Guru
    wolfeet wrote:
    I'm in the same boat you are in. The wonderful world known as gov't IA vulnerabilities has identified the JDK within the database home as being a vulnerability and in need of a patch. If you are lucky enough to actually find the patch, the readme for the patch tells you to read another Note "3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1". Unfortunately that note is nowhere to be found. It's referenced a number of times if you search within oracle support, but it is missing. In the meantime an outstanding CAT I finding with multiple vulnerabilities is hanging over the environment.
    No you're not. The thread is about upgrading Java as a standalone software product - that is no problem at all. What you are dealing with is the wisdom of Oracle to make a Java runtime an integral component of their DBMS (based upon your "JDK within the database" comment). In that context you should not be seeing the JDK as a standalone thing; there is only the Oracle DBMS, that it has a JDK built in is beside the point. Any security vulnerabilities there are, they are in the DBMS. The only security patches there are to apply are for the DBMS. Perhaps those security patches will also apply fixes to the built in JDK, who knows. You'd have to ask Oracle that.
  • 4. Re: Apply patch Java SE Critical Patch October 2011
    wolfeet Newbie
    Hmm, ok I'll assume he's talking about a standalone version but I got to the same place he's at by trying to remediate the CAT I against the database. It turns out that "3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1" is incorrect and should not be in the readme file. Note 418399.1 was an internal note and is not available. Oracle does not support manually patching the JDK/JRE within the database home, it is patched via their quarterly PSUs or CPUs. So the vulnerabilities are false positives.
  • 5. Re: Apply patch Java SE Critical Patch October 2011
    gimbal2 Guru
    wolfeet wrote:
    It turns out that "3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1" is incorrect and should not be in the readme file.
    Agreed!
    Oracle does not support manually patching the JDK/JRE within the database home
    With very good reason; you can't update the JDK while guaranteeing that you are not going to break the DBMS (for now; who knows what future versions of the DBMS will allow now that Java is in the hands of Oracle).
    , it is patched via their quarterly PSUs or CPUs. So the vulnerabilities are false positives.
    Bingo.

    Btw: for future reference, do you have any articles that you base your new conclusions on that you can share?
