JPCERT-AT-2018-0042
                                                             JPCERT/CC
                                                    2018-10-17(Initial)
                                                    2018-10-19(Update)

                  <<< JPCERT/CC Alert 2018-10-17 >>>

          Oracle Releases Critical Patch Update, October 2018

        https://www.jpcert.or.jp/english/at/2018/at180042.html


I. Overview
On October 16, 2018 (local time), Oracle released critical patch updates
for multiple Oracle products.

    Oracle Critical Patch Update Advisory - October 2018
    https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

A remote attacker may cause the application to crash or execute
arbitrary code by leveraging these vulnerabilities. Users of the
affected products are recommended to update to the latest version
appropriately.


II. Affected Products
Products affected by these vulnerabilities include:

  - Java SE JDK/JRE 8 Update 182 and earlier *
  - Java SE JDK/JRE 11
  - Oracle Database Server 11.2.0.4
  - Oracle Database Server 12.1.0.2
  - Oracle Database Server 12.2.0.1
  - Oracle Database Server 18c
  - Oracle WebLogic Server 10.3.6.0
  - Oracle WebLogic Server 12.1.3.0
  - Oracle WebLogic Server 12.2.1.3

* According to Oracle's advisory, the affected version is described as
Java SE 8u182, but this version cannot be found in the release note.

    Oracle Corporation
    Release Notes for JDK 8 and JDK 8 Update Releases
    https://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

** Update: October 19, 2018 Update ***********************************
On October 17, 2018 (local time), Oracle updated the advisory and the
affected version was changed to "Java SE 8u181 and earlier".
**********************************************************************

However, since there are many other versions and products affected by
these vulnerabilities, please refer to the information provided by
Oracle for more details.

In addition, there are cases where Java JRE is pre-installed on the PC
or Weblogic is used in software products for servers. Please check if
any of the affected products is included in the PCs or servers that
you use.

According to Oracle, Java SE, Java SE JDK/JRE 6 and 7, which had
already ended Public Updates, are also affected by these vulnerabilities.


III. Solution
Oracle has released updates for each product.
For Java SE and Weblogic, the following versions have been released:

  - Java SE JDK/JRE 8 Update 191
  - Java SE JDK/JRE 11.0.1
  - Oracle Database Server 11.2.0.4 *
  - Oracle Database Server 12.1.0.2 *
  - Oracle Database Server 12.2.0.1 *
  - Oracle Database Server 18c      *
  - Oracle WebLogic Server 10.3.6.0 *
  - Oracle WebLogic Server 12.1.3.0 *
  - Oracle WebLogic Server 12.2.1.3 *

* Details of the updated versions are not available as of October 17th.
Please check with Oracle, etc. for the latest information.

Some applications that use affected products may not run properly
after updating the software to the latest version. Please update to
the latest version after considering any possible impacts to
applications that you may use.

    Java SE Downloads
    https://www.oracle.com/technetwork/java/javase/downloads/index.html

    Free Java Download
    https://java.com/en/download/

Users of 64-bit Windows may have 32-bit and/or 64-bit versions of
JDK/JRE installed. Please check the versions installed on your system
and apply the appropriate updates.

Users can check the version of Java that they are using at the page
below. If both 32-bit and 64-bit versions of Java are installed,
please check the versions installed, using a 32-bit and 64-bit browser
respectively. (In environments where Java is not installed, there may
be a request to install Java. If you do not require Java, please do
not install.)

    Verify Java Version
    https://www.java.com/en/download/installed.jsp


IV. References
    Oracle Corporation
    Oracle Critical Patch Update Advisory - October 2018
    https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

    Oracle Corporation
    Release Notes for JDK 8 and JDK 8 Update Releases
    https://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

    Oracle Corporation
    Java Development Kit 11 Release Notes
    https://www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html

    Oracle Corporation
    Oracle Critical Patch Update for October 2018
    https://blogs.oracle.com/portalsproactive/oracle-critical-patch-update-for-october-2018

    Oracle Corporation
    Oracle Java SE Support Roadmap
    https://www.oracle.com/technetwork/java/eol-135779.html

    US-CERT
    Oracle Releases October 2018 Security Bulletin
    https://www.us-cert.gov/ncas/current-activity/2018/10/16/Oracle-Releases-October-2018-Security-Bulletin


If you have any information regarding this alert, please contact
JPCERT/CC.

________
Revision History
2018-10-17 First edition
2018-10-19 Updated "II. Affected Products"

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/