RE: CPU - January 2017

From: Paul Houghton <Paul.Houghton_at_uis.cam.ac.uk>
Date: Wed, 25 Jan 2017 15:36:01 +0000
Message-ID: <HE1PR0701MB263457BAA02C042E8DD8D85CE6740_at_HE1PR0701MB2634.eurprd07.prod.outlook.com>



It is the same only different. You will notice there is a view DBA_JAVA_CLASSES – you can store Java objects and run them in the database like PL/SQL packages and procedures. Having a JVM in the database allows them to be more performant when being called by and accessing database resources.

Because of this it has to be patched the same as the Java on the server. Like Java on the server, it is a question of whether someone can pass data to a program that allows them to exploit a bug. This could be done e.g. via SQL injection. Oracle don’t give details on how to exploit the bugs, so it is difficult to perform a risk assessment on the impact of not installing the patches. We pretty much have to install them.

If your application doesn’t use Java it is worth not having it in the database. Saves a lot of headaches.

Hope this helps!

Paul Houghton

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of David Ramírez Reyes
Sent: 25 January 2017 15:05
To: 'oracle-l_at_freelists.org' (oracle-l_at_freelists.org)
Subject: CPU - January 2017

Hello everyone,

As you may know, the CPU of January was released with some items related to the DB. My question is, what about the OJVM component that comes as the first asset of the list? I mean, I know the Virtual Machine is used by the DB, but is this the same as the one installed on the server (we're running on RHEL)? Is it a risk if our DB server is on an internal network segment that is not exposed to the web?

Basically, not sure what's the difference between the JVM of the DB and the OS, or if it's the same or how it works; any help will be appreciated.

Regards

David Ramírez Reyes
Profession: Parent and DBA in my spare time

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jan 25 2017 - 16:36:01 CET
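
One way to check the point raised in the reply above, whether the database has the JVM component installed and whether anything outside Oracle's own schemas uses it. This is an added example, not part of the original thread. It assumes Oracle Database 12c or later (for the ORACLE_MAINTAINED columns) and a session that can read the DBA_ dictionary views.

```sql
-- Added example, not from the original thread.
-- Assumes Oracle Database 12c or later (ORACLE_MAINTAINED columns)
-- and a session with SELECT access to the DBA_* dictionary views.

-- 1. Is the OJVM component installed, and in what state and version?
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 2. Java objects that were not shipped by Oracle, per owner and type.
--    No rows suggests no application code has been loaded into the JVM.
SELECT owner,
       object_type,
       COUNT(*) AS object_count,
       SUM(CASE WHEN status <> 'VALID' THEN 1 ELSE 0 END) AS invalid_count
FROM   dba_objects
WHERE  object_type IN ('JAVA CLASS', 'JAVA SOURCE', 'JAVA RESOURCE', 'JAVA DATA')
AND    oracle_maintained = 'N'
GROUP  BY owner, object_type
ORDER  BY owner, object_type;

-- 3. PL/SQL call specifications that hand off to Java stored procedures.
--    These are the entry points SQL or PL/SQL callers would reach.
SELECT DISTINCT s.owner, s.name, s.type
FROM   dba_source s
JOIN   dba_users  u ON u.username = s.owner
WHERE  u.oracle_maintained = 'N'
AND    UPPER(s.text) LIKE '%LANGUAGE JAVA%'
ORDER  BY s.owner, s.name;

-- 4. Java permissions granted to application users or roles
--    (file, socket or runtime permissions widen what loaded code can do).
SELECT p.grantee, p.kind, p.type_name, p.name, p.action, p.enabled
FROM   dba_java_policy p
WHERE  p.grantee IN (SELECT username FROM dba_users WHERE oracle_maintained = 'N'
                     UNION ALL
                     SELECT role FROM dba_roles WHERE oracle_maintained = 'N')
ORDER  BY p.grantee, p.type_name, p.name;
```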
