Java and Oracle Database CVEs

Oleh Leont, Oct 28 2021

Hello.
I hope the Oracle team will help me with a few questions about Oracle Database/Oracle Database Client and the Java inside it, because I need an official answer.
As I understand, Java is a component in Oracle Database/Oracle Database software.
We have Oracle Database Client 19c installed and separately installed Java 8_275 on the host. Then we identified that in the location of Oracle Database Client 19c (/u01/app/oracle/product/19.0.0/client_1/jdk/bin/java) the Java version is 8_201 and it's likely vulnerable to these CVEs:
CVE-2020-14664
CVE-2020-14583
CVE-2020-14593
CVE-2020-14562
CVE-2020-14621
CVE-2020-14556
CVE-2020-14573
CVE-2020-14581
CVE-2020-14578
CVE-2020-14579
CVE-2020-14577
In my opinion, if the component is vulnerable then the software is vulnerable and the host is vulnerable too.
But according to the official article (https://www.oracle.com/security-alerts/cpujul2020.html), only Java itself is vulnerable to these CVEs.
So the main question: is the Java inside Oracle Database or Oracle Database Client vulnerable to the listed CVEs, and is the host vulnerable to the listed CVEs?
