JPCERT-AT-2018-0029 JPCERT/CC 2018-07-18(Initial) 2018-07-23(Update) <<< JPCERT/CC Alert 2018-07-18 >>> Oracle Releases Critical Patch Update, July 2018 https://www.jpcert.or.jp/english/at/2018/at180029.html I. Overview On July 17, 2018 (local time), Oracle released critical patch updates for multiple Oracle products. Oracle Critical Patch Update Advisory - April 2018 https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html A remote attacker may cause the application to crash or execute arbitrary code by leveraging these vulnerabilities. Users of the affected products are recommended to update to the latest version appropriately. ** Update: July 23, 2018 Update ************************************** On July 23, 2018, Proof-of-Concept (PoC) code for vulnerabilities on Oracle WebLogic Server (CVE-2018-2893, CVE-2018-2894, CVE-2018-2998, CVE-2018-2933) has been made public. In addition, there is information that CVE-2018-2893 is reportedly a fix for the vulnerability CVE-2018-2628 which was released in April 2018. ********************************************************************** II. Affected Products Products affected by these vulnerabilities include: - Java SE JDK/JRE 8 Update 172 and earlier - Java SE JDK/JRE 10.0.1 and earlier - Oracle Database Server 11.2.0.4 - Oracle Database Server 12.1.0.2 - Oracle Database Server 12.2.0.1 - Oracle Database Server 18.1 - Oracle Database Server 18.2 - Oracle WebLogic Server 10.3.6.0 - Oracle WebLogic Server 12.1.3.0 - Oracle WebLogic Server 12.2.1.2 - Oracle WebLogic Server 12.2.1.3 However, since there are many other versions and products affected by these vulnerabilities, please refer to the information provided by Oracle for more details. In addition, there are cases where Java JRE is pre-installed on the PC or Weblogic is used in software products for servers. Please check if any of the affected products is included in the PCs or servers that you use. According to Oracle, Java SE, Java SE JDK/JRE 6 and 7, which had already ended Public Updates, are also affected by these vulnerabilities. III. Solution Oracle has released updates for each product. For Java SE and Weblogic, the following versions have been released: - Java SE JDK/JRE 8 Update 181 - Java SE JDK/JRE 10.0.2 - Oracle Database Server 11.2.0.4 * - Oracle Database Server 12.1.0.2 * - Oracle Database Server 12.2.0.1 * - Oracle Database Server 18.1 * - Oracle Database Server 18.2 * - Oracle WebLogic Server 10.3.6.0 * - Oracle WebLogic Server 12.1.3.0 * - Oracle WebLogic Server 12.2.1.2 * - Oracle WebLogic Server 12.2.1.3 * * Details of the updated versions are not available as of July 18th. Please check with Oracle, etc. for the latest information. Some applications that use affected products may not run properly after updating the software to the latest version. Please update to the latest version after considering any possible impacts to applications that you may use. Java SE Downloads http://www.oracle.com/technetwork/java/javase/downloads/index.html Free Java Download https://java.com/en/download/ Users of 64-bit Windows may have 32-bit and/or 64-bit versions of JDK/JRE installed. Please check the versions installed on your system and apply the appropriate updates. Users can check the version of Java that they are using at the page below. If both 32-bit and 64-bit versions of Java are installed, please check the versions installed, using a 32-bit and 64-bit browser respectively. (In environments where Java is not installed, there may be a request to install Java. If you do not require Java, please do not install.) Verify Java and Find Out-of-Date Versions https://www.java.com/en/download/installed.jsp ** Update: July 23, 2018 Update ************************************** We recommend setting appropriate access restrictions (filters) for T3/T3s protocol to prevent misuse of CVE-2018-2628 and CVE-2018-2983 vulnerability in Weblogic. For more details on filter setting, please refer to the document from Oracle. Oracle Using Network Connection Filters https://docs.oracle.com/middleware/12213/wls/SCPRG/con_filtr.htm ********************************************************************** IV. References Oracle Corporation Oracle Critical Patch Update Advisory - July 2018 https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Oracle Corporation Release Notes for JDK 8 and JDK 8 Update Releases http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html Oracle Corporation Java Development Kit 10 Release Notes http://www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html Oracle Corporation Oracle Critical Patch Update for July 2018 https://blogs.oracle.com/portalsproactive/oracle-critical-patch-update-for-july-2018 Oracle Corporation Oracle Java SE Support Roadmap http://www.oracle.com/technetwork/java/eol-135779.html US-CERT Oracle Releases July 2018 Security Bulletin https://www.us-cert.gov/ncas/current-activity/2018/07/17/Oracle-Releases-July-2018-Security-Bulletin If you have any information regarding this alert, please contact JPCERT/CC. ________ Revision History 2018-07-18 First edition 2018-07-23 Updated "I. Overview" and "III. Solution" ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/