Q3 Oracle CPU Preview: The number of remotely executable flaws remains alarmingly high
The July 2018 Oracle CPU (Critical Patch Update) is expected to set a new two-year high for total Oracle product patches and a 12-month low for Java SE patches, based on Waratek’s review of a pre-release statement. The Q3 release could have as many as 334 total product patches, the highest in 11 quarters. Only eight Java SE patches are expected, representing a 75 percent drop from a 30-month high set in July 2017.
Other highlights of the pre-release include:
- 100 percent of the Java SE vulnerabilities expected to be patched can be exploited remotely without user credentials.
- The expected patches address flaws in Java SE versions 6u191, 7u181, 8u172, and 10.0.1. The highest vulnerability base score among the flaws is nine on a ten point scale.
- The Oracle Database Server may also get three patches, including to the Java Virtual Machine. The highest CVSS base score is expected to be 9.8, and one of the flaws can be exploited without user credentials.
On the surface, the downward trend of Java SE patches would appear to be positive. However, it may actually be more of a reflection of the adoption rates of Java SE 9 & 10 as the Java community continues to rely on older versions of Java. With low adoption rates, there are simply fewer users in a position to report bugs in the newest versions of Java.
Oracle will release the final version of the July 2018 CPU mid-afternoon Pacific Daylight Time on Tuesday, 17 July. Waratek will follow shortly with a release of functional equivalent virtual patches for the Java Se and other Java related Q3 CPU updates that require no downtime and no source code changes to fix the software flaws.