Oracle April 2018 CPU: Most Java flaws can be remotely exploited

By April 18, 2018 Alerts

Half of the Java patches relate to Deserialization Flaws.

Customer Alert 20180418

Oracle Critical Patch Update April 2018 Released

Summary

This Critical Patch Update patches 15 Java-related vulnerabilities including one flaw identified by Waratek.  The number of Java SE patches in the Q2 CPU dropped by 1/3rd from 21 to 14, but the percentage of flaws that do not require authentication to be exploited remains the same as Q1  – 86%. The highest CVSS Score of the Java SE vulnerabilities is 8.3.

Other highlights of the release include:

  • New security fixes for the widely used Oracle Database Server only involve the Java Virtual Machine.  The vulnerability patched has a CVSS Base Score of 8.5 on a 10 point scale, but is not remotely exploitable.
  • Out of the Java SE 14 fixes, seven are fixes for Java deserialization vulnerabilities.
  • The Q2 CPU introduces a new built-in serialization filter for the JCE KeyStore. This new filter continues the tradition of built-in serialization filters of the JEP-290 Serialization Filtering mechanism that was first introduced in January 2017. The new built-in filter, named JCEKS Encrypted Key Serial Filter, restricts the expected types of the SecretKey to a set of predefined types. Note that because this new filter is enabled by default, Java SE users must profile their applications and make sure that the new built-in filter does not break their existing, legitimate functionality, before they deploy this new Java SE release in production. Users storing a SecretKey that does not serialize to the expected/default types must modify the filter to allow the key to be deserialized.
  • One half of the identified vulnerabilities affect the confidentiality of the Java Virtual Machine and almost 80% affect the availability of the JVM.

Two critical vulnerabilities affect only the newly released Java 10, but there are no critical patch updates for Java 9 – released in September 2017 – which has been replaced by the March 2018 release of Java 10.  Java 9 users must now upgrade to Java 10 to utilize public critical patch updates from Oracle.  Java 11 is due later this year.

Oracle CPU April 2018Waratek Advice

Waratek Customers: Waratek will publish functional equivalent virtual patches based on the CPU for customers to apply without source code changes and without taking a vulnerable application out of production.

Non Waratek Customers: This CPU introduces a new built-in serialization filter for the JCE KeyStore. This new filter continues the tradition of built-in serialization filters of the JEP-290 Serialization Filtering mechanism that was first introduced in January 2017. The new built-in filter, named as JCEKS Encrypted Key Serial Filter, restricts the expected types of the SecretKey to a set of predefined types. Note that because this new filter is enabled by default. Therefore, Java SE users must profile their applications and make sure that the new built-in filter does not break their existing, legitimate functionality, before they deploy this new Java SE release in production. Users storing a SecretKey that does not serialize to the expected/default types must modify the filter to allow the key to be deserialized.

For more information please contact your Waratek representative or contact us by email to schedule a demonstration or free trial.


John Matthew Holt, Waratek’s Founder and Chief Technology Officer and Apostolos Giannakidis, Waratek’s Lead Security Architect contributed to this Alert. 

print
News

Author News

More posts by News
X