JPCERT-AT-2021-0046
JPCERT/CC
2021-10-20
Oracle Critical Patch Update Advisory - October 2021
https://www.oracle.com/security-alerts/cpuoct2021.html
A remote attacker may perform unauthorized operations or unauthorized deletion or falsification of sensitive information. Users of the affected products are recommended to update to the latest version appropriately.
- Java SE JDK/JRE 17
- Java SE JDK/JRE 11.0.12
- Java SE JDK/JRE 8u301
- Java SE JDK/JRE 7u311
- Java SE Embedded 8u301
- Oracle Database Server 21c
- Oracle Database Server 19c
- Oracle Database Server 12.2.0.1
- Oracle Database Server 12.1.0.2
- Oracle WebLogic Server 14.1.1.0.0
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 12.2.1.3.0
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 10.3.6.0.0
However, since there are many other versions and products affected by these vulnerabilities, please refer to the information provided by Oracle for more details.
In addition, there are cases where Java JRE is pre-installed on the PC or WebLogic is used in software products for servers. Please check if any of the affected products is included in the PCs or servers that you use.
Oracle Corporation
Oracle Java SE Support Roadmap
https://www.oracle.com/technetwork/java/eol-135779.html
- Java SE JDK/JRE 17.0.1
- Java SE JDK/JRE 11.0.12
- Java SE JDK/JRE 8u311
- Java SE JDK/JRE 7u321
- Java SE Embedded 8u311
* As for Oracle Database Server/Oracle WebLogic Server, details of the updated versions are not available as of October 20. Please check with Oracle, etc. for the latest information.
Some applications that use affected products may not run properly after updating the software to the latest version. Please update to the latest version after considering any possible impacts to applications that you may use.
Java Downloads
https://www.oracle.com/java/technologies/javase-downloads.html
Free Java Download
https://java.com/en/download/
Users of 64-bit Windows may have 32-bit and/or 64-bit versions of JDK/JRE installed. Please check the versions installed on your system and apply the appropriate updates.
Users can check the version of Java that they are using at the page below. If both 32-bit and 64-bit versions of Java are installed,please check the versions installed, using a 32-bit and 64-bit browser respectively. (In environments where Java is not installed, there may be a request to install Java. If you do not require Java, please do not install.)
Verify Java and Find Out-of-Date Versions
https://www.java.com/en/download/installed.jsp
Oracle Corporation
Listing of Java Development Kit 17 Release Notes
https://www.oracle.com/java/technologies/javase/17u-relnotes.html
Oracle Corporation
Listing of Java Development Kit 11 Release Notes
https://www.oracle.com/java/technologies/javase/11u-relnotes.html
Oracle Corporation
Java Development Kit 8 Update Release Notes
https://www.oracle.com/java/technologies/javase/8u-relnotes.html
Oracle Corporation
Java SE 7 Advanced and Java SE 7 Support (formerly known as Java for Business 7) Release Notes
https://www.oracle.com/java/technologies/javase/7-support-relnotes.html
Oracle Corporation
Oracle Java SE Embedded 8 Release Notes
https://www.oracle.com/java/technologies/javase/embedded8-relnotes.html
Oracle Corporation
October 2021 Critical Patch Update Released
https://blogs.oracle.com/security/post/oct2021-cpu-released
Oracle Corporation
Oracle Java SE Support Roadmap
https://www.oracle.com/technetwork/java/eol-135779.html
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
JPCERT/CC
2021-10-20
I. Overview
On October 20, 2021 (US Time), Oracle released critical patch updates for multiple Oracle products.Oracle Critical Patch Update Advisory - October 2021
https://www.oracle.com/security-alerts/cpuoct2021.html
A remote attacker may perform unauthorized operations or unauthorized deletion or falsification of sensitive information. Users of the affected products are recommended to update to the latest version appropriately.
II. Affected Products
Products affected by these vulnerabilities include:- Java SE JDK/JRE 17
- Java SE JDK/JRE 11.0.12
- Java SE JDK/JRE 8u301
- Java SE JDK/JRE 7u311
- Java SE Embedded 8u301
- Oracle Database Server 21c
- Oracle Database Server 19c
- Oracle Database Server 12.2.0.1
- Oracle Database Server 12.1.0.2
- Oracle WebLogic Server 14.1.1.0.0
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 12.2.1.3.0
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 10.3.6.0.0
However, since there are many other versions and products affected by these vulnerabilities, please refer to the information provided by Oracle for more details.
In addition, there are cases where Java JRE is pre-installed on the PC or WebLogic is used in software products for servers. Please check if any of the affected products is included in the PCs or servers that you use.
Oracle Corporation
Oracle Java SE Support Roadmap
https://www.oracle.com/technetwork/java/eol-135779.html
III. Solution
Oracle has released updates for each product. As for Java SE, the following versions have been released:- Java SE JDK/JRE 17.0.1
- Java SE JDK/JRE 11.0.12
- Java SE JDK/JRE 8u311
- Java SE JDK/JRE 7u321
- Java SE Embedded 8u311
* As for Oracle Database Server/Oracle WebLogic Server, details of the updated versions are not available as of October 20. Please check with Oracle, etc. for the latest information.
Some applications that use affected products may not run properly after updating the software to the latest version. Please update to the latest version after considering any possible impacts to applications that you may use.
Java Downloads
https://www.oracle.com/java/technologies/javase-downloads.html
Free Java Download
https://java.com/en/download/
Users of 64-bit Windows may have 32-bit and/or 64-bit versions of JDK/JRE installed. Please check the versions installed on your system and apply the appropriate updates.
Users can check the version of Java that they are using at the page below. If both 32-bit and 64-bit versions of Java are installed,please check the versions installed, using a 32-bit and 64-bit browser respectively. (In environments where Java is not installed, there may be a request to install Java. If you do not require Java, please do not install.)
Verify Java and Find Out-of-Date Versions
https://www.java.com/en/download/installed.jsp
IV. References
Oracle Corporation
Listing of Java Development Kit 17 Release Notes
https://www.oracle.com/java/technologies/javase/17u-relnotes.html
Oracle Corporation
Listing of Java Development Kit 11 Release Notes
https://www.oracle.com/java/technologies/javase/11u-relnotes.html
Oracle Corporation
Java Development Kit 8 Update Release Notes
https://www.oracle.com/java/technologies/javase/8u-relnotes.html
Oracle Corporation
Java SE 7 Advanced and Java SE 7 Support (formerly known as Java for Business 7) Release Notes
https://www.oracle.com/java/technologies/javase/7-support-relnotes.html
Oracle Corporation
Oracle Java SE Embedded 8 Release Notes
https://www.oracle.com/java/technologies/javase/embedded8-relnotes.html
Oracle Corporation
October 2021 Critical Patch Update Released
https://blogs.oracle.com/security/post/oct2021-cpu-released
Oracle Corporation
Oracle Java SE Support Roadmap
https://www.oracle.com/technetwork/java/eol-135779.html
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/