JPCERT-AT-2021-0046 JPCERT/CC 2021-10-20 <<< JPCERT/CC Alert 2021-10-20 >>> Oracle Releases Critical Patch Update, October 2021 https://www.jpcert.or.jp/english/at/2021/at210046.html I. Overview On October 20, 2021 (US Time), Oracle released critical patch updates for multiple Oracle products. Oracle Critical Patch Update Advisory - October 2021 https://www.oracle.com/security-alerts/cpuoct2021.html A remote attacker may perform unauthorized operations or unauthorized deletion or falsification of sensitive information. Users of the affected products are recommended to update to the latest version appropriately. II. Affected Products Products affected by these vulnerabilities include: - Java SE JDK/JRE 17 - Java SE JDK/JRE 11.0.12 - Java SE JDK/JRE 8u301 - Java SE JDK/JRE 7u311 - Java SE Embedded 8u301 - Oracle Database Server 21c - Oracle Database Server 19c - Oracle Database Server 12.2.0.1 - Oracle Database Server 12.1.0.2 - Oracle WebLogic Server 14.1.1.0.0 - Oracle WebLogic Server 12.2.1.4.0 - Oracle WebLogic Server 12.2.1.3.0 - Oracle WebLogic Server 12.1.3.0.0 - Oracle WebLogic Server 10.3.6.0.0 However, since there are many other versions and products affected by these vulnerabilities, please refer to the information provided by Oracle for more details. In addition, there are cases where Java JRE is pre-installed on the PC or WebLogic is used in software products for servers. Please check if any of the affected products is included in the PCs or servers that you use. Oracle Corporation Oracle Java SE Support Roadmap https://www.oracle.com/technetwork/java/eol-135779.html III. Solution Oracle has released updates for each product. As for Java SE, the following versions have been released: - Java SE JDK/JRE 17.0.1 - Java SE JDK/JRE 11.0.12 - Java SE JDK/JRE 8u311 - Java SE JDK/JRE 7u321 - Java SE Embedded 8u311 * As for Oracle Database Server/Oracle WebLogic Server, details of the updated versions are not available as of October 20. Please check with Oracle, etc. for the latest information. Some applications that use affected products may not run properly after updating the software to the latest version. Please update to the latest version after considering any possible impacts to applications that you may use. Java Downloads https://www.oracle.com/java/technologies/javase-downloads.html Free Java Download https://java.com/en/download/ Users of 64-bit Windows may have 32-bit and/or 64-bit versions of JDK/JRE installed. Please check the versions installed on your system and apply the appropriate updates. Users can check the version of Java that they are using at the page below. If both 32-bit and 64-bit versions of Java are installed, please check the versions installed, using a 32-bit and 64-bit browser respectively. (In environments where Java is not installed, there may be a request to install Java. If you do not require Java, please do not install.) Verify Java and Find Out-of-Date Versions https://www.java.com/en/download/installed.jsp IV. References Oracle Corporation Listing of Java Development Kit 17 Release Notes https://www.oracle.com/java/technologies/javase/17u-relnotes.html Oracle Corporation Listing of Java Development Kit 11 Release Notes https://www.oracle.com/java/technologies/javase/11u-relnotes.html Oracle Corporation Java Development Kit 8 Update Release Notes https://www.oracle.com/java/technologies/javase/8u-relnotes.html Oracle Corporation Java SE 7 Advanced and Java SE 7 Support (formerly known as Java for Business 7) Release Notes https://www.oracle.com/java/technologies/javase/7-support-relnotes.html Oracle Corporation Oracle Java SE Embedded 8 Release Notes https://www.oracle.com/java/technologies/javase/embedded8-relnotes.html Oracle Corporation October 2021 Critical Patch Update Released https://blogs.oracle.com/security/post/oct2021-cpu-released Oracle Corporation Oracle Java SE Support Roadmap https://www.oracle.com/technetwork/java/eol-135779.html If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (Early Warning Group) MAIL: ew-info@jpcert.or.jp https://www.jpcert.or.jp/english/