3 Replies Latest reply on Jun 23, 2013 11:37 PM by Srini Chavali-Oracle

    Security Complaint about Java Version in Oracle Client

    Paul V.

      OS: Linux, kernel 2.6.18


      The scanning tool that my security person uses for searching out "vulnerabilities" is getting lots of hits on the version of Java found in the Oracle clients on our Linux servers.  What are my options for upgrading the Java version?  I apologize if this is a dumb question; I do not have much Java experience.

        • 1. Re: Security Complaint about Java Version in Oracle Client

          Which JVM is the security tool complaining about (what is the directory path, for example)?


          My guess is that the tool is complaining about the older JVM that Oracle installs in order to run the Oracle Universal Installer and the other Java-based installation tools.  If that's the case, those JVMs do not generally represent a security issue because they are not running anything on a day-to-day basis.  They're only used by things like the OUI which only get invoked when someone wants to do something like install new software.  Ideally, you'd be able to have the conversation with the security folks and explain that those older JVMs exist only for the limited purpose of running the OUI and the other configuration tools. 


          If the security folks want you to upgrade the Java version (as opposed to just installing patches to the older JVMs), that has a decent probability of breaking the various installation and configuration tools.  That may not have much impact on a day-to-day basis but may make administration tasks in the future more challenging. 



          • 2. Re: Security Complaint about Java Version in Oracle Client
            Paul V.

            Thank you for the response, the scanner reported the issue at this path:



            having this installed version:



            and that the following versions would be OK, security-wise:



            I attempted to apply the Oracle January SPU for Linux (14841409) to the client and no patches were actually applied.  OPatch reported that each patch "is not needed".  Is there some other way to patch the Oracle-installed Java version?

            • 3. Re: Security Complaint about Java Version in Oracle Client
              Srini Chavali-Oracle

              You cannot update the JDK version that ships with Oracle binaries. Please see this MOS Doc:


              Is It Supported to Update /Upgrade the Default JDK/JRE in Oracle Home? [ID 1449674.1]


              Please see Table 1 in the README for patch 14841409 - was the SPU for Oct 2012 applied? If so, there are no new client-related fixes in the Jan 2013 SPU.
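
Reply 1 asks which JVM the scanner flagged and argues that the bundled JVMs are not running day to day. The following is an added example, not part of the original thread and not Oracle tooling, that inventories every `java` binary under a directory and reports whether any live process is executing it. It assumes Linux with a readable `/proc`; the function names are hypothetical and the root directory (for instance the Oracle home) is supplied by the caller.

```shell
#!/bin/sh
# Added example: list JVMs under a directory tree, their reported version,
# and the PIDs (if any) currently executing each one. Linux only (/proc).

# list_jvms ROOT: every regular, owner-executable file named "java" under ROOT.
list_jvms() {
    find "$1" -type f -name java -perm -100 2>/dev/null | sort
}

# jvm_version JAVA_BIN: first line of `java -version` (the JVM prints it on stderr).
jvm_version() {
    "$1" -version 2>&1 | head -n 1
}

# jvm_pids JAVA_BIN: PIDs whose /proc/<pid>/exe resolves to JAVA_BIN.
# Processes owned by other users are only visible when run as root.
jvm_pids() {
    target=$(readlink -f "$1") || return 0
    for exe in /proc/[0-9]*/exe; do
        [ "$(readlink -f "$exe" 2>/dev/null)" = "$target" ] || continue
        pid=${exe#/proc/}
        echo "${pid%/exe}"
    done
}

# report ROOT: one line per JVM: path | version | PIDs or "not running".
report() {
    list_jvms "$1" | while IFS= read -r bin; do
        pids=$(jvm_pids "$bin" | tr '\n' ' ')
        printf '%s | %s | %s\n' "$bin" "$(jvm_version "$bin")" "${pids:-not running}"
    done
}

# Run as: sh jvm_inventory.sh /path/to/oracle/home   (placeholder path)
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

A "not running" result is a point-in-time observation; the installer and configuration tools still launch these JVMs whenever they are invoked.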