BEA JRockit Security Advisories Archive Page

This page contains references to Oracle JRockit security advisories released between August 2008 and April 2009. Oracle JRockit security advisories released prior to August 2008 are tracked at http://www.oracle.com/technology/deploy/security/beaarchive.html. From April 2009 onwards, all BEA security advisories will be posted at http://www.oracle.com/technology/deploy/security/alerts.htm.

A high-level executive summary of the July 2008, October 2008, and January 2009 Security Advisories Update (Critical Patch Update) for BEA products is available at http://www.oracle.com/technology/deploy/security/alerts.htm. All Oracle Critical Patch Updates and Security Alerts are available at http://www.oracle.com/technology/deploy/security/alerts.htm.

As a policy, if there are any security vulnerability related issues with any BEA product, Oracle generally distributes an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security vulnerability related issues clearly and openly.

Starting with Oracle's July 2008 Critical Patch Update:

  1. Security advisory information for BEA products will comply with the policy described at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html.
  2. Security advisories for BEA products will use CVSS for scoring vulnerabilities as described at http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm. The Threat and Severity Model will not be used in security advisory information for BEA products.
  3. Security advisories for BEA products will use Common Vulnerabilities and Exposures (CVE) identifiers rather than the previously used numbering convention (Vuln#) in the security advisory documentation. More details are available at http://www.oracle.com/technology/deploy/security/cpu/cpufaq.htm.

The October 2008 CPU was the terminal Critical Patch Update for WebLogic Server/Express 6.1. As stated in the Oracle Lifetime Support policy, http://www.oracle.com/support/library/brochure/lifetime-support-technology.pdf, Extended Support for WebLogic Server/Express 6.1 was valid through November 2008.

Oracle has completed the acquisition of BEA and we are in the process of integrating BEA's operations. As a result of process changes, we expect former BEA customers to log in to Oracle Support in order to download security advisory fixes.

Here is a summary of all Oracle JRockit security advisories released between August 2008 and April 2009:

| Date | Number * | Title | Type | CVSS Rating ** | Products Affected |
|---|---|---|---|---|---|
| 2008-08-25 | CVE-2008-3103 | Security Vulnerability in Java Management Extensions (JMX) | advisory | 10.0 (High) | JRockit R27.6.0 and earlier, JRE and JDK 5.0; JRockit R27.6.0 and earlier, JRE and JDK 6 |
| 2008-08-25 | CVE-2008-3104 | Security Vulnerabilities in the Java Runtime Environment may allow Same Origin Policy to be Bypassed | advisory | 6.8 (Medium) | JRockit R27.6.0 and earlier, All JDKs and JREs |
| 2008-08-25 | CVE-2008-3105 | Security Vulnerability in the Java Runtime Environment related to the processing of XML Data may result in information disclosure or denial of service | advisory | 7.1 (High) | JRockit R27.6.0 and earlier, JDK and JRE 6 |
| 2008-08-25 | CVE-2008-3106 | Security Vulnerability in the Java Runtime Environment related to the processing of XML Data may result in information disclosure | advisory | 4.3 (Medium) | JRockit R27.6.0 and earlier, JRE and JDK 5.0; JRockit R27.6.0 and earlier, JRE and JDK 6 |
| 2008-08-25 | CVE-2008-3108 | A Security Vulnerability with the processing of fonts in the Java Runtime Environment may allow Elevation of Privileges | advisory | 10.0 (High) | JRockit R27.6.0 and earlier, SDK and JRE 1.4.2; JRockit R27.1.0 and earlier, JDK and JRE 5.0 |
| 2008-08-25 | CVE-2008-3109 | Security Vulnerability in the Java Runtime Environment Scripting Language Support may allow elevation of privileges | advisory | 7.5 (High) | JRockit R27.6.0 and earlier, JRE and JDK 6 |
| 2008-08-25 | CVE-2008-3110 | Security Vulnerability in the Java Runtime Environment Scripting Language Support may allow information disclosure | advisory | 4.3 (Medium) | JRockit R27.6.0 and earlier, JRE and JDK 6 |

* Number: Security advisories will use Common Vulnerabilities and Exposures (CVE) identifiers rather than the previously used numbering convention (Vuln#) in the security advisory documentation. More details are available at http://www.oracle.com/technology/deploy/security/cpu/cpufaq.htm

** CVSS Rating: Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. The complete CVSS guide is available at http://www.first.org/cvss/cvss-guide.html and an online calculator is available at http://nvd.nist.gov/cvss.cfm?calculator&version=2