wolfeet wrote: No you're not. The thread is about upgrading Java as a standalone software product - that is no problem at all. What you are dealing with is the wisdom of Oracle to make a Java runtime an integral component of their DBMS (based upon your "JDK within the database" comment). In that context you should not be seeing the JDK as a standalone thing; there is only the Oracle DBMS, that it has a JDK built in is beside the point. Any security vulnerabilities there are, they are in the DBMS. The only security patches there are to apply are for the DBMS. Perhaps those security patches will also apply fixes to the built-in JDK, who knows. You'd have to ask Oracle that.
I'm in the same boat you are in. The wonderful world known as gov't IA vulnerabilities has identified the JDK within the database home as being a vulnerability and in need of a patch. If you are lucky enough to actually find the patch, the readme for the patch tells you to read another Note "3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1". Unfortunately that note is nowhere to be found. It's referenced a number of times if you search within Oracle Support, but it is missing. In the meantime an outstanding CAT I finding with multiple vulnerabilities is hanging over the environment.
It turns out that "3. Upgrade the JDK within the Database $OH per the instructions in Note 418399.1" is incorrect and should not be in the readme file.
Oracle does not support manually patching the JDK/JRE within the database home
With very good reason; you can't update the JDK while guaranteeing that you are not going to break the DBMS (for now; who knows what future versions of the DBMS will allow now that Java is in the hands of Oracle).
, it is patched via their quarterly PSUs or CPUs. So the vulnerabilities are false positives.
Bingo.