Java and Oracle Database CVEs

Hello. 

I hope the Oracle team will help me with a few questions about Oracle Database/Oracle Database Client and the Java inside it, because I need it to be official.

As I understand it, Java is a component in Oracle Database/Oracle Database software.

We have Oracle Database Client 19c installed and separately installed Java 8_275 on the host. Then we identified that in the location of Oracle Database Client 19c (/u01/app/oracle/product/19.0.0/client_1/jdk/bin/java) the Java version is 8_201, and it's likely vulnerable to these CVEs:

CVE-2020-14664 

CVE-2020-14583 

CVE-2020-14593 

CVE-2020-14562 

CVE-2020-14621 

CVE-2020-14556 

CVE-2020-14573 

CVE-2020-14581 

CVE-2020-14578 

CVE-2020-14579 

CVE-2020-14577

In my opinion, if the component is vulnerable then the software is vulnerable and the host is vulnerable too.

But according to the official article (https://www.oracle.com/security-alerts/cpujul2020.html), only Java itself is vulnerable to these CVEs.

So the main question: is the Java inside Oracle Database or Oracle Database Client vulnerable to the listed CVEs, and is the host vulnerable to the listed CVEs?

User_KVG99
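
The situation in the post above (a patched host Java next to an older JDK bundled in a product home) can be inventoried with a short script. This is an added example, not part of the original post and not an Oracle tool; the function names are hypothetical, and the baseline of 275 is an assumption taken from the separately installed Java the post mentions, not a statement of which update fixes the listed CVEs.

```shell
#!/bin/sh
# Added example: list Java 8 runtimes under a directory tree and compare
# each one's update number with a baseline chosen by the operator.

# Extract the Java 8 update number from `java -version` output text.
# Input:  text such as   java version "1.8.0_201"
# Output: the update number (201), or nothing if it is not a 1.8.0_NNN string.
java8_update() {
    printf '%s\n' "$1" |
        sed -n 's/.*version "1\.8\.0_\([0-9][0-9]*\)[^"]*".*/\1/p' |
        head -n 1
}

# Walk root ($1), run every executable regular file named "java" with
# -version, and print one line per runtime:
#   BELOW <update> <path>    update number lower than baseline ($2)
#   OK <update> <path>       update number at or above baseline
#   UNKNOWN - <path>         version string was not a Java 8 one
# Symlinks are skipped (-type f), so each real binary is reported once.
scan_java() {
    root=$1
    baseline=$2
    find "$root" -type f -name java 2>/dev/null | sort |
    while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        out=$("$bin" -version 2>&1 </dev/null)
        upd=$(java8_update "$out")
        if [ -z "$upd" ]; then
            echo "UNKNOWN - $bin"
        elif [ "$upd" -lt "$baseline" ]; then
            echo "BELOW $upd $bin"
        else
            echo "OK $upd $bin"
        fi
    done
}

# Usage (paths are the operator's choice), e.g.:
#   scan_java /u01/app/oracle/product 275
```

A `BELOW` line only shows that a bundled runtime is at an older update level than the baseline; whether the product that ships it is affected is still a question for the vendor's advisory.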