Critical Patch Updates, Security Alerts and Third Party Bulletin

This page lists announcements of security fixes made in Critical Patch Update Advisories and Security Alerts, and it is updated when new Critical Patch Update Advisories and Security Alerts are released. It is possible to receive notification of new announcements by email, as explained in the page linked below. Security fixes in third party products distributed with Oracle products are announced in the Third Party Bulletin, whose purpose and location is explained below.

Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices".

This page contains the following sections:

Critical Patch Updates
Security Alerts
Third Party Bulletin
Oracle Linux Bulletin
Oracle VM Server for x86 Bulletin
Public Vulnerabilities Fixed
Policies
Reporting Security Vulnerabilities
References

Critical Patch Updates

Critical Patch Updates are collections of security fixes for Oracle products. They are available to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

18 April 2017
18 July 2017
17 October 2017
16 January 2018

Starting with the October 2013 Critical Patch Update, security fixes for Java SE are released under the normal Critical Patch Update schedule.

A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.

The Critical Patch Updates released to date are listed in the following table.

Critical Patch Update	Latest Version/Date
Critical Patch Update - January 2017	Rev 2, 18 January 2017
Critical Patch Update - October 2016	Rev 4, 21 November 2016
Critical Patch Update - July 2016	Rev 2, 18 October 2016
Critical Patch Update - April 2016	Rev 3, 20 December 2016
Critical Patch Update - January 2016	Rev 2, 12 February 2016
Critical Patch Update - October 2015	Rev 6, 27 October 2015
Critical Patch Update - July 2015	Rev 4, 30 July 2015
Critical Patch Update - April 2015	Rev 3, 28 April 2015
Critical Patch Update - January 2015	Rev 2, 10 March 2015
Critical Patch Update - October 2014	Rev 5, 21 November 2014
Critical Patch Update - July 2014	Rev 2, 24 July 2014
Critical Patch Update - April 2014	Rev 2, 28 April 2014
Critical Patch Update - January 2014	Rev 1, 14 January 2014
Critical Patch Update - October 2013	Rev 5, 24 February 2015
Critical Patch Update - July 2013	Rev 4, 11 September 2013
Critical Patch Update - April 2013	Rev 1, 16 April 2013
Critical Patch Update - January 2013	Rev 2, 17 January 2013
Critical Patch Update - October 2012	Rev 1, 16 October 2012
Critical Patch Update - July 2012	Rev 1, 17 July 2012
Critical Patch Update - April 2012	Rev 2, 19 July 2012
Critical Patch Update - January 2012	Rev 3, 23 January 2012
Critical Patch Update - October 2011	Rev 3, 20 October 2011
Critical Patch Update - July 2011	Rev 7, 15 December 2011
Critical Patch Update - April 2011	Rev 5, 12 May 2011
Critical Patch Update - January 2011	Rev 3, 1 February 2011
Critical Patch Update - October 2010	Rev 1, 12 October 2010
Critical Patch Update - July 2010	Rev 1, 13 July 2010
Critical Patch Update - April 2010	Rev 1, 13 April 2010
Critical Patch Update - January 2010	Rev 2, 04 February 2010
Critical Patch Update - October 2009	Rev 1, 20 October 2009
Critical Patch Update - July 2009	Rev 3, 03 September 2009
Critical Patch Update - April 2009	Rev 4, 03 September 2009
Critical Patch Update - January 2009	Rev 4, 03 September 2009
Critical Patch Update - October 2008	Rev 3, 03 September 2009
Critical Patch Update - July 2008	Rev 3, 05 March 2009
Critical Patch Update - April 2008	Rev 4, 22 May 2008
Critical Patch Update - January 2008	Rev 1, 15 January 2008
Critical Patch Update - October 2007	Rev 1, 16 October 2007
Critical Patch Update - July 2007	Rev 2, 19 July 2007
Critical Patch Update - April 2007	Rev 2, 18 April 2007
Critical Patch Update - January 2007	Rev 2, 05 March 2007
Critical Patch Update - October 2006	Rev 4, 06 March 2006
Critical Patch Update - July 2006	Rev 1, 18 July 2006
Critical Patch Update - April 2006	Rev 1, 18 April 2006
Critical Patch Update - January 2006	Rev 1, 17 January 2006
Critical Patch Update - October 2005	Rev 2, 19 December 2005
Critical Patch Update - July 2005	Rev 1, 12 July 2005
Critical Patch Update - April 2005	Rev 2, 13 April 2005
Critical Patch Update - January 2005	Rev 2, 15 March 2005

The following table includes Critical Patch Updates for Oracle Java SE.

Java SE Critical Patch Update	Latest Version/Date
Java SE Critical Patch Update - June 2013	Rev 1, 18 June 2013
Java SE Critical Patch Update - April 2013	Rev 1, 16 April 2013
Java SE Critical Patch Update - February 2013 - Special Update	Rev 1, 19 February 2013
Java SE Critical Patch Update - February 2013	Rev 2, 07 February 2013
Java SE Critical Patch Update - October 2012	Rev 1, 16 October 2012
Java SE Critical Patch Update - June 2012	Rev 1, 12 June 2012
Java SE Critical Patch Update - February 2012	Rev 3, 17 May 2012
Java SE Critical Patch Update - October 2011	Rev 1, 18 October 2011
Java SE Critical Patch Update - June 2011	Rev 1, 07 June 2011
Java SE and Java for Business Critical Patch Update - February 2011	Rev 1, 15 February 2011
Java SE and Java for Business Critical Patch Update - October 2010	Rev 1, 12 October 2010
Java SE and Java for Business Critical Patch Update - March 2010	Rev 3, 08 April 2010

Security Alerts

Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed in the following table. Click here for Security Alerts released before 2006. Security Advisory Notifications prior to July 2008 for BEA products are located here. Security Sun Alert notifications prior to April 2010 for Sun products are located here.

Security Alert Number And Description	Latest Version/Date
Alert for CVE-2016-0636	Rev 1, 23 March 2016
Alert for CVE-2016-0603	Rev 1, 05 February 2016
Alert for CVE-2015-4852	Rev 2, 12 November 2015
Alert for CVE-2015-3456 QEMU "Venom"	Rev 1, 15 May 2015
Alert for CVE-2014-7169 Bash "Shellshock"	Rev 5, 30 September 2014
Alert for CVE-2014-0160 OpenSSL "Heartbleed"	Rev 1, 18 April 2014
Alert for CVE-2013-1493	Rev 1, 04 March 2013
Alert for CVE-2013-0422	Rev 1, 13 January 2013
Alert for CVE-2012-4681	Rev 1, 30 August 2012
Alert for CVE-2012-3132	Rev 1, 10 August 2012
Alert for CVE-2012-1675	Rev 3, 20 June 2014
Alert for CVE-2011-5035	Rev 2, 29 March 2012
Alert for CVE-2011-3192	Rev 1, 15 September 2011
Alert for CVE-2010-4476	Rev 1, 08 February 2011
Alert for CVE-2010-0886	Rev 2, 18 May 2010
Alert for CVE-2010-0073	Rev 1, 04 February 2010
Alert for CVE-2008-3257	Rev 3, 05 March 2009

Third Party Bulletin

Oracle has no control over the timing and content of security fixes created by third parties. As a result, the Third Party Bulletin, rather than Oracle Critical Patch Update and Security Alerts Advisories, was used by Oracle since April 2010 as the mechanism to announce security fixes for third party software distributed with Oracle Solaris.

Starting January 20, 2015, Third Party Bulletins will be published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled publication date.

Third Party Bulletin	Latest Version/Date
Solaris Third Party Bulletin - January 2017	Rev 2, 26 January 2017
Solaris Third Party Bulletin - October 2016	Rev 5, 11 January 2017
Solaris Third Party Bulletin - July 2016	Rev 4, 28 September 2016
Solaris Third Party Bulletin - April 2016	Rev 7, 21 September 2016
Solaris Third Party Bulletin - January 2016	Rev 5, 12 April 2016
Solaris Third Party Bulletin - October 2015	Rev 5, 14 January 2016
Solaris Third Party Bulletin - July 2015	Rev 6, 15 September 2015
Solaris Third Party Bulletin - April 2015	Rev 3, 15 June 2015
Solaris Third Party Bulletin - January 2015	Rev 5, 01 April 2015

For Third Party Bulletins published prior to January 20, 2015 please see the Third Party Vulnerability Resolution Blog.

Oracle Linux Bulletin

Oracle releases security advisories for Oracle Linux as patches become available. Security advisories (ELSA) are published at https://linux.oracle.com/security/.

Starting October 20, 2015, Oracle will also publish Oracle Linux Bulletins which list all CVEs that had been resolved and announced in Oracle Linux Security Advisories in the last one month prior to the release of the bulletin. The Oracle Linux Bulletin will be published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Oracle Linux Bulletin	Latest Version/Date
Oracle Linux Bulletin - January 2017	Rev 1, 17 January 2017
Oracle Linux Bulletin - October 2016	Rev 3, 19 December 2016
Oracle Linux Bulletin - July 2016	Rev 3, 19 September 2016
Oracle Linux Bulletin - April 2016	Rev 3, 20 June 2016
Oracle Linux Bulletin - January 2016	Rev 3, 21 March 2016
Oracle Linux Bulletin - October 2015	Rev 3, 21 December 2015

Oracle VM Server for x86 Bulletin

Oracle releases security advisories for Oracle VM Server for x86 as patches become available. Security advisories (OVMSA) are published at https://linux.oracle.com/errata/.

Starting July 19, 2016, Oracle will also publish Oracle VM Server for x86 Bulletins which will list all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories in the last one month prior to the release of the bulletin. The Oracle VM Server for x86 Bulletin will be published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Oracle VM Server for x86 Bulletin	Latest Version/Date
Oracle VM Server for x86 Bulletin - January 2017	Rev 1, 17 January 2017
Oracle VM Server for x86 Bulletin - October 2016	Rev 3, 19 December 2016
Oracle VM Server for x86 Bulletin - July 2016	Rev 3, 19 September 2016

Public Vulnerabilities Fixed

The Map of Public Vulnerability to Advisory/Alert indicates which public vulnerabilities are fixed in each Critical Patch Update and Security Alert. The Map of Public Vulnerability to Solaris Third Party Bulletin indicates which public vulnerabilities are fixed in each Solaris Third Party Bulletin.

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update or a Security Alert. The results of the security analysis are reflected in the Critical Patch Update or Security Alert and the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on Critical Patch Update or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.

Oracle's policy and process for fixing security vulnerabilities explains the security vulnerability fixing lifecycle, including the correlation between Critical Patch Updates, patch sets and new releases.

Reporting Security Vulnerabilities

Refer to the guidelines on Oracle Software Security Assurance web site for reporting security vulnerabilities.

References

Oracle Software Security Assurance web site

E-mail this page

Printer View

Oracle Cloud

Java

Customers and Events

Email Subscriptions

Subscription Center

Communities

Services and Store

Log In to My Oracle Support
Training and Certification
Become a Partner
Find a Partner Solution
Purchase from the Oracle Store
Source Code for Open Source Software
Contact and Chat
US Sales: +1.800.633.0738
Global Contacts
Oracle Support
Partner Support

Products

Solutions

Downloads

Store

Support

Training

Partners

About

OTN