3 Replies Latest reply: Jun 23, 2013 4:37 PM by Srini Chavali-Oracle

Security Complaint about Java Version in Oracle Client

Paul V. Newbie

DB: 11.2.0.3
OS: Linux, kernel 2.6.18

The scanning tool that my security person uses for searching out "vulnerabilities" is getting lots of hits on the version of Java found in the Oracle clients on our Linux servers.  What are my options for upgrading the java version?  I apologize if this is a dumb question, I do not have much java experience.

  • 1. Re: Security Complaint about Java Version in Oracle Client
    Justin Cave Oracle ACE

    Which JVM is the security tool complaining about (what is the directory path, for example)?

    My guess is that the tool is complaining about the older JVM that Oracle installs in order to run the Oracle Universal Installer and the other Java-based installation tools.  If that's the case, those JVMs do not generally represent a security issue because they are not running anything on a day-to-day basis.  They're only used by things like the OUI which only get invoked when someone wants to do something like install new software.  Ideally, you'd be able to have the conversation with the security folks and explain that those older JVMs exist only for the limited purpose of running the OUI and the other configuration tools. 

    If the security folks want you to upgrade the Java version (as opposed to just installing patches to the older JVMs), that has a decent probability of breaking the various installation and configuration tools.  That may not have much impact on a day-to-day basis but may make administration tasks in the future more challenging. 

    Justin

  • 2. Re: Security Complaint about Java Version in Oracle Client
    Paul V. Newbie

    Thank you for the response, the scanner reported the issue at this path:

    /opt/oracle/product/11.2.0/client_1/jdk/

    having this installed version:

    1.5.0_17

    and that the following versions would be OK, security-wise:

    1.5.0_32
    1.6.0_29
    1.7.0_01

    I attempted to apply the Oracle January SPU for Linux 11.2.0.3 (14841409) to the client and no patches were actually applied.  OPatch reported that each patch "is not needed".  Is there some other way to patch the Oracle-installed Java version?
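One way to turn the scanner's finding into a repeatable check across Oracle homes, as an added example that is not part of this thread: it parses legacy Java version strings, compares each bundled JDK against the per-family minimum the scanner reported, and lists the homes that fall below it. The `java -version` banners and the function names are constructed for the example.

```python
import re

# Per-family minimum update levels the scanner accepted, taken from the thread.
SCANNER_MINIMUMS = {"1.5": "1.5.0_32", "1.6": "1.6.0_29", "1.7": "1.7.0_01"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text):
    """Turn a legacy Java version string such as '1.5.0_17' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def version_from_banner(banner):
    """Pull the version string out of a `java -version` banner (the JDK prints it on stderr)."""
    m = re.search(r'java version "([^"]+)"', banner)
    if not m:
        raise ValueError("no 'java version' line found in banner")
    return m.group(1)


def assess(version_text, minimums=SCANNER_MINIMUMS):
    """Return (acceptable, floor) for a version against the floor of its own 1.x family."""
    found = parse_java_version(version_text)
    fam = "%d.%d" % found[:2]
    if fam not in minimums:
        return (False, None)  # family the scanner gave no floor for: flag it for review
    return (found >= parse_java_version(minimums[fam]), minimums[fam])


def audit_homes(banners, minimums=SCANNER_MINIMUMS):
    """Map each ORACLE_HOME whose bundled JDK is below its floor to (found, floor)."""
    findings = {}
    for home, banner in banners.items():
        version = version_from_banner(banner)
        ok, floor = assess(version, minimums)
        if not ok:
            findings[home] = (version, floor)
    return findings


# Constructed banners standing in for `$ORACLE_HOME/jdk/bin/java -version` on two homes.
SAMPLE_BANNERS = {
    "/opt/oracle/product/11.2.0/client_1": 'java version "1.5.0_17"\nJava(TM) 2 Runtime Environment\n',
    "/opt/oracle/product/11.2.0/dbhome_1": 'java version "1.5.0_32"\nJava(TM) 2 Runtime Environment\n',
}

if __name__ == "__main__":
    for home, (found, floor) in audit_homes(SAMPLE_BANNERS).items():
        print("%s: bundled JDK %s is below scanner floor %s" % (home, found, floor))
```

On a real host, replace SAMPLE_BANNERS with the stderr captured from each home's `jdk/bin/java -version`; the check deliberately flags any family the scanner gave no floor for rather than assuming it is fine.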

  • 3. Re: Security Complaint about Java Version in Oracle Client
    Srini Chavali-Oracle Oracle ACE Director

    You cannot update the JDK version that ships with Oracle binaries. Pl see this MOS Doc

    Is It Supported to Update /Upgrade the Default JDK/JRE in Oracle Home? [ID 1449674.1]

    Pl see Table 1 in the README for patch 14841409 - was the SPU for Oct 2012 applied? If so, there are no new client-related fixes in the Jan 2013 SPU.

    HTH
    Srini