  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 321

I don't know if I have to apply Java SE Critical Patch

Hello,
Today Oracle has announced an Oracle Java SE Critical Patch Update Advisory - October 2011.

Source: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

I asked this question at the OTN forum, but I got no response.

We have a Linux web server with a Java web app that connects to Oracle database. We don't develop in Java, we just have this web app.

I don't know if we have to apply this patch. I understand that this patch is applied for JDK and JRE.

Java that I have installed at my Linux server is:

2000:jdk-1.6.0_06-fcs.i586
java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.i386

Should I apply the patch? Need more information?
Asked by: miyahira
3 Solutions
 
CEHJCommented:
What distro is the server running?
0
 
miyahiraAuthor Commented:
You mean Linux distro?
0
 
miyahiraAuthor Commented:
Red Hat 5 Enterprise Edition
0
 
for_yanCommented:

No one knows that, as they do not disclose:

 As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Document, the readme files, and FAQs. Oracle does not provide advance notification on CPUs or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code or “proof-of-concept” code for product vulnerabilities.

If you have very critical stuff, and your server can be accessed from outside your company firewall,
you probably must do it. If it is inside the firewall and no one outside of your company knows about the server,
and if you are not inclined to be of a too pessimistic type, then you probably can skip it.
Of course, it is more a matter of your life philosophy.
0
 
CEHJCommented:
You should use your package manager when a new rpm is available
0
 
miyahiraAuthor Commented:
Sorry, I don't understand your answers.

According to Oracle page, Java versions affected are basically: JDK and JRE 7, 6.

Problem is that I don't know what Java is installed in my Linux server. JDK and JRE?

Or should I just download this patch for Linux, install it and see what happens?
0
 
for_yanCommented:

No, they are all affected, both JDKs and JREs - so don't worry about it:

It covers all java that ever existed:

Java SE | Patch Availability
JDK and JRE 7 | Java SE
JDK and JRE 6 Update 27 and earlier | Java SE
JDK and JRE 5.0 Update 31 and earlier | Java SE
SDK and JRE 1.4.2_33 and earlier | Java SE
JavaFX 2.0 | JavaFX
JRockit R28.1.4 and earlier (JDK and JRE 6 and 5.0) | JRockit


0
 
for_yanCommented:
In general, if you go to your server and type
 java -version
it will tell you

but this is irrelevant for the purpose of patching
because they write that all possible java is affected
0
 
miyahiraAuthor Commented:
What I know about Java software installed on my Red Hat 5 Enterprise Linux server is:

2000:jdk-1.6.0_06-fcs.i586
java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.i386

Should I install that patch?
0
 
for_yanCommented:
If Java was installed on your machine by RedHat (together with the system) - contact RedHat and ask them
0
 
for_yanCommented:
Most probably, they will say that you should install it, because
I believe RedHat don't develop their own Java - they maybe modify it a bit and package it in their own distribution, but they start from
the Sun/Oracle release
0
 
for_yanCommented:
Still run
 java -version
and post what it reports
0
 
for_yanCommented:
CEHJ,
does this link say anything about today's Oracle patches?
0
 
miyahiraAuthor Commented:
java -version

java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)
0
 
for_yanCommented:
Yes, you need to apply this patch - this is standard java from Sun/Oracle.
Still, if you have access to RedHat support I'd first consult with them.
0
 
miyahiraAuthor Commented:
Thanks for_yan. Just one more question:
On server, there's no JDK installed, only JRE, right?
0
 
for_yanCommented:
Usually it is this way, but you cannot know, someone could have installed JDK there.
You can go to the java home /bin folder and check if they have a javac executable there.
If it is JRE you'll not have a javac executable, as this is a compiler - not needed for JRE.

But I guess these patches are not about JDK - they are of course in JRE
0
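The checks discussed in this thread (read the `java -version` banner, compare it with the affected releases quoted from the advisory, look for `javac` to tell a JDK from a JRE) can be scripted. This is an added example, not code from the thread or from Oracle; the function names are hypothetical, and it assumes "JDK and JRE 7" in the quoted list means the initial 1.7.0 release with no update number. A result of "not-listed" only means the version is outside the quoted list.

```shell
#!/bin/sh
# Added example: triage a Java install against the version list quoted above.

# Banner as posted in the thread, used when no java binary is on PATH.
SAMPLE_BANNER='java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)'

# Read `java -version` output on stdin, print the quoted version (e.g. 1.6.0_06).
java_version_from_banner() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print affected / not-listed / unknown for a version string such as 1.6.0_06.
cpu_oct2011_status() {
    ver=$1
    base=${ver%%_*}                       # family, e.g. 1.6.0
    upd=0
    case $ver in *_*) upd=${ver#*_} ;; esac
    upd=${upd%%-*}                        # drop any build suffix such as -b02
    case $upd in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $base in
        1.7.0) max=0 ;;                   # assumption: only the 7 GA release
        1.6.0) max=27 ;;                  # 6 Update 27 and earlier
        1.5.0) max=31 ;;                  # 5.0 Update 31 and earlier
        1.4.2) max=33 ;;                  # 1.4.2_33 and earlier
        *) echo unknown; return 0 ;;
    esac
    if [ "$upd" -le "$max" ]; then echo affected; else echo not-listed; fi
}

# Print JDK if the given Java home contains an executable compiler, else JRE.
java_install_kind() {
    if [ -x "$1/bin/javac" ]; then echo JDK; else echo JRE; fi
}

# Use the live banner when java is installed, otherwise the sample from the thread.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1)
else
    banner=$SAMPLE_BANNER
fi
v=$(printf '%s\n' "$banner" | java_version_from_banner)
echo "java ${v:-<unparsed>}: $(cpu_oct2011_status "$v")"
```

The parser only matches the Sun/Oracle `java version "..."` banner, so other runtimes report "unknown" rather than a guessed result.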
