4

Looking at the Oracle security advisory page here (https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html), Oracle in 2016 disclosed vulnerabilities in their OJDBC7 versions 12.1.0.1 and 12.1.0.2.

However, looking for the most recent versions of OJDBC, they are still offering both 12.1.0.1 and 12.1.0.2 as their most up-to-date versions:

https://www.oracle.com/database/technologies/jdbc-drivers-12c-downloads.html

https://www.oracle.com/database/technologies/jdbc-upc-downloads.html

Am I missing something about the way that Oracle does their "patching": do they fix the vulnerable version and then release it under the same version number, or have they actually not fixed this vulnerability?

Trevor
  • 41
  • 1
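The question hinges on whether two downloads that both call themselves 12.1.0.2 are really the same build. As an added example (not from the question, the answer, or Oracle), here is a Python check that reads the version attributes from a jar's `META-INF/MANIFEST.MF` and hashes the whole file, so that a driver can be pinned to a known-good digest rather than to a version string that the vendor may reuse. The manifest attribute names, the `KNOWN_GOOD_SHA256` placeholder table, and the sample jar built in memory are constructed for illustration; a real ojdbc manifest may carry other attributes.

```python
"""Added example: tell apart driver jars that share a version string.

A jar is a zip with a META-INF/MANIFEST.MF entry. The main section of the
manifest carries attributes such as Implementation-Version; per-file sections
follow after a blank line. Because a vendor can ship a fixed build under the
same version number, the check below reports the manifest version *and* a
SHA-256 of the file, and compares the digest against an allowlist you maintain
(for example from a support delivery). Everything here is constructed for the
example; it is not Oracle's code or an Oracle artifact.
"""
import hashlib
import io
import zipfile

# Constructed placeholder: replace with digests of builds you have verified.
KNOWN_GOOD_SHA256 = {
    "0" * 64: "12.1.0.2 (placeholder for a verified patched build)",
}


def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest.

    Lines are "Key: Value"; a line starting with a space continues the previous
    value; the first blank line ends the main section (per-entry sections follow).
    """
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            break  # end of main section; ignore per-file sections
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def inspect_jar(jar_bytes: bytes) -> dict:
    """Return version attributes, file digest, and allowlist status for a jar."""
    digest = hashlib.sha256(jar_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return {
        "sha256": digest,
        "implementation_version": manifest.get("Implementation-Version"),
        "specification_version": manifest.get("Specification-Version"),
        "known_good": digest in KNOWN_GOOD_SHA256,
    }


def build_sample_jar(version: str, patched: bool = False) -> bytes:
    """Constructed stand-in for a downloaded driver jar (not a real artifact).

    `patched` changes the class payload but not the version string, modelling a
    vendor that re-releases a fix under the same version number.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            f"Implementation-Version: {version}\r\n"
            "Specification-Version: 4.1\r\n"
            "Implementation-Vendor: Example Vendor (constructed)\r\n"
            "\r\n"
            "Name: example/jdbc/Driver.class\r\n"
            "SHA-256-Digest: constructed\r\n",
        )
        payload = b"\xca\xfe\xba\xbe fixed build" if patched else b"\xca\xfe\xba\xbe old build"
        zf.writestr("example/jdbc/Driver.class", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("old", build_sample_jar("12.1.0.2.0")),
                       ("patched", build_sample_jar("12.1.0.2.0", patched=True))):
        info = inspect_jar(jar)
        print(label, info["implementation_version"], info["sha256"][:16], "known_good=", info["known_good"])
```

Usage: run `inspect_jar(open("ojdbc7.jar", "rb").read())` on the jar you downloaded and compare the digest with the one reported by the build you obtained through support; matching version strings alone prove nothing, matching digests do.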

1 Answer

0

I don't know the answer, but my guess is that they've updated the driver in the code that they ship with their products, but not in the downloads. If you have Oracle support I suggest you contact them about getting an up-to-date driver.

Swashbuckler
  • 2,115
  • 8
  • 9
  • Is there a reason that they do that? Is it not bad practice to continue having the vulnerable components available to be downloaded when there is a "patched" version? – Trevor Oct 03 '19 at 18:10
  • If that's what happened, it's very bad practice, but keeping up with vulnerabilities is a lot of work, and it could be that this slipped through the cracks. That's why I suggested contacting Support. They should be able to tell you if this is the case or not, and if it is, they can get it corrected. – Swashbuckler Oct 04 '19 at 19:16