This page lists security patches, in the form of Critical Patch Updates (CPUs), Security Alerts and Third Party Bulletin updates, that Oracle has released. The page is updated when new Critical Patch Updates and Security Alerts are released, and it is possible to receive notification of releases by email.
Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices"
This page contains the following sections:

- Critical Patch Updates
- Security Alerts
- Third Party Bulletin
- Public Vulnerabilities Fixed
- Policies
- Reporting Security Vulnerabilities
- References
Critical Patch Updates are the primary means of releasing security fixes for Oracle products to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
For Oracle Java SE Critical Patch Updates, the next three dates are:
A pre-release announcement will be published on the Thursday preceding each CPU release.
The Critical Patch Updates released to date are listed in the following table.
The following table includes Critical Patch Updates for Oracle Java SE.
| Java SE Critical Patch Update | Latest Version/Date |
|---|---|
| Java SE Critical Patch Update - October 2011 | Rev 1, 18 October 2011 |
| Java SE Critical Patch Update - June 2011 | Rev 1, 07 June 2011 |
| Java SE and Java for Business Critical Patch Update - February 2011 | Rev 1, 15 February 2011 |
| Java SE and Java for Business Critical Patch Update - October 2010 | Rev 1, 12 October 2010 |
| Java SE and Java for Business Critical Patch Update - March 2010 | Rev 3, 08 April 2010 |
Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed in the following table. Click here for Security Alerts released before 2006. Security Advisory notifications prior to July 2008 for BEA products are located here. Sun Security Alert notifications prior to April 2010 for Sun products are located here.
| Security Alert Number And Description | Latest Version/Date |
|---|---|
| Alert for CVE-2011-5035 | Rev 1, 31 January 2012 |
| Alert for CVE-2011-3192 | Rev 1, 15 September 2011 |
| Alert for CVE-2010-4476 | Rev 1, 08 February 2011 |
| Alert for CVE-2010-0886 | Rev 2, 18 May 2010 |
| Alert for CVE-2010-0073 | Rev 1, 04 February 2010 |
| Alert for CVE-2008-3257 | Rev 3, 05 March 2009 |
Oracle has no control over the timing and content of security fixes created by third parties. Consequently, for over a year Oracle has used the Third Party Bulletin, rather than Critical Patch Update Advisories and Security Alerts, as the mechanism to announce security fixes for third party software distributed with Oracle Sun products. Starting from January 2012, the Third Party Bulletin will also be used to announce security fixes for third party software distributed with non-Sun Oracle products.
The Third Party Patch Map lists all security patches announced for third party software organized by Oracle products. The current list of all Oracle products that use the Third Party Bulletin is as follows:
The Map of Public Vulnerability to Advisory/Alert indicates which public vulnerabilities are fixed in each Critical Patch Update and Security Alert.
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the severity of the CPU or Security Alert and the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.
As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.
Oracle's policy and process for fixing security vulnerabilities explains the security vulnerability fixing lifecycle, including the correlation between Critical Patch Updates, patch sets and new releases.
My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products.
Refer to the guidelines on Oracle Software Security Assurance web site for reporting security vulnerabilities.
