JPCERT-AT-2018-0018 JPCERT/CC 2018-04-18 <<< JPCERT/CC Alert 2018-04-18 >>> Oracle Releases Critical Patch Update, April 2018 https://www.jpcert.or.jp/english/at/2018/at180018.html I. Overview On April 17, 2018 (local time), Oracle released critical patch updates for multiple Oracle products. Oracle Critical Patch Update Advisory - April 2018 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html A remote attacker may cause the application to crash or execute arbitrary code by leveraging these vulnerabilities. Users of the affected products are recommended to update to the latest version appropriately. II. Affected Products Products affected by these vulnerabilities include: - Java SE JDK/JRE 8 Update 162 and earlier - Java SE JDK/JRE 10 - Oracle WebLogic Portal versions prior to 10.3.6.0.0 SPU - Oracle WebLogic Server versions prior to 10.3.6.0.180417 PSU - Oracle WebLogic Server versions prior to 12.1.3.0.180417 PSU - Oracle WebLogic Server versions prior to 12.2.1.2.180417 PSU - Oracle WebLogic Server versions prior to 12.2.1.3.180417 PSU However, since there are many other versions and products affected by these vulnerabilities, please refer to the information provided by Oracle for more details. In addition, there are cases where Java JRE is pre-installed on the PC or Weblogic is used in software products for servers. Please check if any of the affected products is included in the PCs or servers that you use. According to Oracle, Java SE, Java SE JDK/JRE 6 and 7, which had already ended Public Updates, are also affected by these vulnerabilities. As for Java SE JDK/JRE 9, Public Updates ended in March 2018. III. Solution Oracle has released updates for each product. For Java SE and Weblogic, the following versions have been released: - Java SE JDK/JRE 8 Update 171 - Java SE JDK/JRE 10.0.1 - Oracle WebLogic Portal 10.3.6.0.0 SPU - Oracle WebLogic Server 10.3.6.0.180417 PSU - Oracle WebLogic Server 12.1.3.0.180417 PSU - Oracle WebLogic Server 12.2.1.2.180417 PSU - Oracle WebLogic Server 12.2.1.3.180417 PSU Some applications that use affected products may not run properly after updating the software to the latest version. Please update to the latest version after considering any possible impacts to applications that you may use. In addition, for this Java SE JDK/JRE 8 Update, a patch set update (8u172), including all of 8u171 plus additional features, is available for developers and users. Please consider updating to 8u172 as necessary, since it also includes fixes for issues other than these vulnerabilities. Java SE Downloads http://www.oracle.com/technetwork/java/javase/downloads/index.html Free Java Download https://java.com/en/download/ Users of 64-bit Windows may have 32-bit and/or 64-bit versions of JDK/JRE installed. Please check the versions installed on your system and apply the appropriate updates. Users can check the version of Java that they are using at the page below. If both 32-bit and 64-bit versions of Java are installed, please check the versions installed, using a 32-bit and 64-bit browser respectively. (In environments where Java is not installed, there may be a request to install Java. If you do not require Java, please do not install.) Verify Java and Find Out-of-Date Versions https://www.java.com/en/download/installed.jsp IV. References Oracle Corporation Oracle Critical Patch Update Advisory - April 2018 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html Oracle Corporation Release Notes for JDK 8 and JDK 8 Update Releases http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html Oracle Corporation Java Development Kit 10 Release Notes http://www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html Oracle Corporation April 2018 Fusion Middleware Proactive Patches Released https://blogs.oracle.com/portalsproactive/april-2018-fusion-middleware-proactive-patches-released-v2 Oracle Corporation Oracle Critical Patch Update for April 2018 https://blogs.oracle.com/portalsproactive/oracle-critical-patch-update-for-april-2018 Oracle Corporation Oracle Java SE Support Roadmap http://www.oracle.com/technetwork/java/eol-135779.html US-CERT Oracle Releases April 2018 Security Bulletin https://www.us-cert.gov/ncas/current-activity/2018/04/17/Oracle-Releases-April-2018-Security-Bulletin If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/