JPCERT-AT-2017-0017
JPCERT/CC
2017-04-19

<<< JPCERT/CC Alert 2017-04-19 >>>

Oracle Releases Critical Patch Update for Java SE, April 2017

https://www.jpcert.or.jp/english/at/2017/at170017.html


I. Overview

Java SE JDK and JRE provided by Oracle contain multiple vulnerabilities.
A remote attacker may cause Java to crash or execute arbitrary code by
leveraging these vulnerabilities. For more information on the
vulnerabilities, please refer to the information provided by Oracle.
It is recommended to update the software to the latest version provided
by Oracle:

    Oracle Critical Patch Update Advisory - April 2017
    http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html


II. Affected Products

The following products and versions are affected by these
vulnerabilities:

- Java SE JDK/JRE 8 Update 121 and earlier

* According to Oracle, Java SE JDK / JRE 6 and 7, for which Public
  Updates have already ended, are also affected by these vulnerabilities.

* PCs from some manufacturers may have JRE pre-installed. Please check
  the PC that you are using for any installed versions of JRE.


III. Solution

Oracle has released an update. Please update the software to the latest
version.

- Java SE JDK/JRE 8 Update 131

    Java SE Downloads
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

    Free Java Download
    https://java.com/en/download/

According to Oracle, beginning with the April 2017 Critical Patch
Update, JAR files signed using MD5 will no longer be considered trusted.
As a result, MD5-signed JAR files, such as those used by Java applets or
Java Web Start applications, will not run by default. Please consider
moving to a secure algorithm if you are using affected MD5-signed JAR
files.
For more details, please refer to the following:

    Oracle
    JRE will no longer trust MD5-signed code by default
    https://blogs.oracle.com/java-platform-group/entry/oracle_jre_will_no_longer

    Oracle
    JRE and JDK Cryptographic Roadmap
    https://www.java.com/en/jre-jdk-cryptoroadmap.html

Users of 64-bit Windows may have 32-bit and/or 64-bit versions of
JDK/JRE installed. Please check the versions installed on your system
and apply the appropriate updates.

Users can check the version of Java that they are using at the page
below. If both 32-bit and 64-bit versions of Java are installed, please
check the installed versions using a 32-bit and a 64-bit browser
respectively. (In environments where Java is not installed, there may be
a request to install Java. If you do not require Java, please do not
install it.)

    Verify Java and Find Out-of-Date Versions
    https://www.java.com/en/download/installed.jsp

* Some applications that use Java may not run properly after updating
  Java to the latest version. Please update to the latest version after
  considering any possible impacts to applications that you may use.


IV. References

    Oracle Corporation
    Oracle Critical Patch Update Advisory - April 2017
    http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

    Oracle Corporation
    Release Notes for JDK 8 and JDK 8 Update Releases
    http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

    Oracle Corporation
    Oracle Critical Patch Update for April 2017 Released
    https://blogs.oracle.com/PortalsProactive/entry/oracle_critical_patch_update_for12

    Oracle Corporation
    Oracle Java SE Support Roadmap
    http://www.oracle.com/technetwork/java/eol-135779.html

    US-CERT
    Oracle Releases Security Bulletin
    https://www.us-cert.gov/ncas/current-activity/2017/04/18/Oracle-Releases-Security-Bulletin


If you have any information regarding this alert, please contact
JPCERT/CC.
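
For the MD5-signed JAR change described in section III, the following is an added example (not code from Oracle or JPCERT/CC) that lists where a JAR's signing files reference MD5, so affected files can be found and re-signed. The function and sample names are hypothetical, the sample JARs are constructed in memory, and the OID byte search is a heuristic assumption rather than a full PKCS#7 parse.

```python
import io
import re
import zipfile

# DER-encoded OIDs: md5 (1.2.840.113549.2.5), md5WithRSAEncryption (1.2.840.113549.1.1.4)
OIDS = {
    bytes.fromhex("06082a864886f70d0205"): "md5 digest OID",
    bytes.fromhex("06092a864886f70d010104"): "md5WithRSAEncryption OID",
}
TEXT_RE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.SF)$", re.I)
BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
MD5_ATTR = re.compile(rb"^MD5-Digest(-Manifest(-Main-Attributes)?)?:", re.M | re.I)


def md5_findings(jar):
    """Return sorted (entry, reason) pairs where a JAR's signing files use MD5.

    `jar` is a path or a binary file object. The OID byte search is a
    heuristic and can also match a certificate inside the signature block.
    """
    found = set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if TEXT_RE.match(name):
                if MD5_ATTR.search(zf.read(name)):
                    found.add((name, "MD5 digest attribute"))
            elif BLOCK_RE.match(name):
                data = zf.read(name)
                found.update((name, why) for oid, why in OIDS.items() if oid in data)
    return sorted(found)


def sample_jar(sf_text, block=b""):
    """Build a constructed in-memory JAR (hypothetical helper; not validly signed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", sf_text)
        zf.writestr("META-INF/SIGNER.RSA", block)
        zf.writestr("A.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


# Constructed sample inputs; the digest values are placeholders.
WEAK_SF = "Signature-Version: 1.0\r\nMD5-Digest-Manifest: AAAA\r\n\r\nName: A.class\r\nMD5-Digest: BBBB\r\n"
GOOD_SF = "Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: AAAA\r\n\r\nName: A.class\r\nSHA-256-Digest: BBBB\r\n"

if __name__ == "__main__":
    print(md5_findings(sample_jar(WEAK_SF, next(iter(OIDS)) + b"\x05\x00")))
    print(md5_findings(sample_jar(GOOD_SF)))
```

Confirm any hit with `jarsigner -verify -verbose` on the real file before re-signing it with a stronger algorithm.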
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/