JPCERT-AT-2017-0029
JPCERT/CC
2017-07-19
<<< JPCERT/CC Alert 2017-07-19 >>>
Oracle Releases Critical Patch Update for Java SE, July 2017
https://www.jpcert.or.jp/english/at/2017/at170029.html
I. Overview
Java SE JDK and JRE provided by Oracle contain multiple vulnerabilities.
A remote attacker may cause Java to crash or execute arbitrary code by
leveraging these vulnerabilities. For more information on the
vulnerabilities, please refer to the information provided by Oracle.
It is recommended to update the software to the latest version
provided by Oracle:
Oracle Critical Patch Update Advisory - July 2017
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
II. Affected Products
The following products and versions are affected by these vulnerabilities:
- Java SE JDK/JRE 8 Update 131 and earlier
* According to Oracle, Java SE JDK / JRE 6 and 7, which had already
ended Public Updates, are also affected by these vulnerabilities.
* PCs provided by some certain manufacturers may have JRE pre-installed.
Please check the PC that you are using for any installed versions
of JRE.
III. Solution
Oracle has released an update. Please update the software to the latest
version.
- Java SE JDK/JRE 8 Update 141
Java SE Downloads
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Free Java Download
https://java.com/en/download/
According to Oracle, beginning with the April 2017 Critical Patch
Update, JAR files signed using MD5 will no longer be considered
trusted. As a result, it will not be able to run by default, such as
in the case of Java applets, or Java Web Start applications. Please
consider shifting to secure algorithm if you are using the affected
MD5-signed JAR files.
For more details, please refer to the following:
Oracle JRE will no longer trust MD5-signed code by default
https://blogs.oracle.com/java-platform-group/entry/oracle_jre_will_no_longer
Oracle JRE and JDK Cryptographic Roadmap
https://www.java.com/en/jre-jdk-cryptoroadmap.html
Users of 64-bit Windows may have 32-bit and/or 64-bit versions of
JDK/JRE installed. Please check the versions installed on your system
and apply the appropriate updates.
Users can check the version of Java that they are using at the page
below. If both 32-bit and 64-bit versions of Java are installed,
please check the versions installed, using a 32-bit and 64-bit browser
respectively. (In environments where Java is not installed, there may
be a request to install Java. If you do not require Java, please do
not install.)
Verify Java and Find Out-of-Date Versions
https://www.java.com/en/download/installed.jsp
* Some applications that use Java may not run properly after updating
Java to the latest version. Please update to the latest version
after considering any possible impacts to applications that you
may use.
IV. References
Oracle Corporation
Oracle Critical Patch Update Advisory - July 2017
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Corporation
Release Notes for JDK 8 and JDK 8 Update Releases
http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html
Oracle Corporation
Oracle Critical Patch Update for July 2017 Released
https://blogs.oracle.com/portalsproactive/oracle-critical-patch-update-for-july-2017-released
Oracle Corporation
Oracle Java SE Support Roadmap
http://www.oracle.com/technetwork/java/eol-135779.html
US-CERT
Oracle Releases Security Bulletin
https://www.us-cert.gov/ncas/current-activity/2017/07/18/Oracle-Releases-Security-Bulletin
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top