Java-powered WebLogic and GlassFish application platforms need to upgrade their application stack urgently

By October 19, 2016 November 6th, 2018 Blog, Technical

This quarter’s Oracle CPU includes seven important security updates affecting every version of Java Platform 6, 7, and 8, and eight critical security updates for Oracle’s Java-powered WebLogic and GlassFish application platforms.

Nearly all of the disclosed vulnerabilities are remotely exploitable without authentication, meaning that any application running on the current or earlier versions of these Java products are or may be susceptible to remote attacks and exploitation.

In particular, two of the Java Platform vulnerabilities effect the JMX (Java Management Extensions) and Networking APIs built into the Java Platform. These two APIs are present and loaded in all but the most trivial Java applications, meaning owners or operators of business critical Java applications are executing their applications with known-flawed APIs and should prioritise patching their Java Platforms as quickly as possible.

In addition, Java-powered WebLogic applications are seriously impacted by today’s security updates. Altogether there are 5 different vulnerabilities which are remotely exploitable over HTTP and HTTPS protocols without authentication, and effect WebLogic versions 10 and 12. Remote exploits over HTTP/HTTPS protocols are perhaps the most worrying of all exploits due to the ubiquity of HTTP/HTTPS access to Java-powered applications. Furthermore, as these are nearly all high-CVSS vulnerabilities, a successful exploit will not only commandeer control of the vulnerable application stack but also expose confidential application data. Customers running critical business applications on Java-powered WebLogic and GlassFish application platforms need to upgrade their application stack urgently to safeguard the security of their application and the confidentiality of their business data.

This quarter’s CPU update is by no means out of the ordinary compared to previous quarters. Every 90 days a ‘grab bag’ of high-severity vulnerabilities are identified and patched in the Java software platforms operated by thousands of enterprises around the world. There is a rapid adoption in the industry of virtual-patching solutions that can be provide instant remediation of routine and out-of-band security updates without requiring any re-installations, re-deployments or application restarts. Owners and operators of Java-powered applications should urgently evaluate these new breed of virtual-patching solutions that can eliminate the cost and effort to achieve compliance with these quarterly CPU updates.


AUTHOR:

John Matthew Holt

John Matthew Holt, Founder and CTO

John Matthew Holt is the inventive inspiration and technical driving force behind Waratek’s groundbreaking research and development into distributed computing and virtualization technologies, which has led to the granting of over 50 patents to date with many more pending.

As CTO, John Matthew leads a multinational team of expert computer engineers on a journey that has resulted in the creation of a disruptive new approach to web security that allows organisations to protect their Java applications and data from SQL Injection, targeted attacks and unpatched vulnerabilities at runtime, without making any code changes or deploying any hardware.

John Matthew Holt

Author John Matthew Holt

John Matthew Holt is CTO and Founder of Waratek. He is the inventive inspiration and technical driving force behind Waratek’s groundbreaking research and development into distributed computing and virtualization technologies, which has led to the granting of over 50 patents to date with many more pending.

More posts by John Matthew Holt

Leave a Reply

X