July 2018 Oracle CPU Preview: Fewer Java SE patches may not mean fewer flaws

By Waratek | July 16, 2018 (updated October 25th, 2018) | Blog, Patching

Q3 Oracle CPU Preview: The number of remotely executable flaws remains alarmingly high

The July 2018 Oracle CPU (Critical Patch Update) is expected to set a two-year high for total Oracle product patches and a 12-month low for Java SE patches, based on Waratek’s review of Oracle’s pre-release statement. The Q3 release could contain as many as 334 product patches, the highest count in 11 quarters. Only eight Java SE patches are expected, a 75 percent drop from the 30-month high of 32 set in July 2017.

Other highlights of the pre-release include:

  • 100 percent of the Java SE vulnerabilities expected to be patched are remotely exploitable without authentication (no user credentials required).
  • The expected patches address flaws in the Java SE versions the pre-release lists as affected: 6u191, 7u181, 8u172, and 10.0.1. The highest CVSS base score among these flaws is 9.0 on a ten-point scale.
  • Oracle Database Server may also receive three patches, one of them for its embedded Java Virtual Machine. The highest CVSS base score there is expected to be 9.8, and one of the flaws is exploitable without authentication.
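The practical question behind the list above is whether a given JVM is at or below one of the affected update levels. The following is an added example, not code from the original post or from Waratek; it parses the version string printed by `java -version` (both the legacy `1.8.0_172` form and the newer `10.0.1` form) and compares it against the affected-through levels the pre-release names. It deliberately does not hard-code the fixed versions, because the pre-release does not list them; a feature release the statement does not mention (for example 9) is reported as unknown rather than guessed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Java SE update levels the pre-release statement lists as affected (taken from the
# bullet list above). A JVM at or below one of these, within the same feature
# release, is in scope for the July 2018 CPU. Fix versions are NOT assumed here.
AFFECTED_THROUGH = {
    6: (6, 0, 191),   # 6u191
    7: (7, 0, 181),   # 7u181
    8: (8, 0, 172),   # 8u172
    10: (10, 0, 1),   # 10.0.1
}

# Legacy scheme (Java 5-8): "1.8.0_172", "1.7.0_181-b11"; update may be absent.
_LEGACY = re.compile(r"^1\.(\d)\.0(?:_(\d+))?")
# JEP 223 scheme (Java 9+): "10.0.1", "9.0.4", "11" (interim/update default to 0).
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_java_version(text: str) -> Tuple[int, int, int]:
    """Return (feature, interim, update) from a bare version string or from the
    first line of `java -version` output, e.g. 'openjdk version "10.0.1" 2018-04-17'."""
    quoted = re.search(r'version "([^"]+)"', text)
    ver = quoted.group(1) if quoted else text.strip()
    m = _LEGACY.match(ver)
    if m:
        return (int(m.group(1)), 0, int(m.group(2) or 0))
    m = _MODERN.match(ver)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {ver!r}")


def affected_by_july_2018_cpu(text: str) -> Optional[bool]:
    """True if the JVM is at or below an affected level, False if it is newer,
    None if its feature release is not named in the pre-release statement."""
    ver = parse_java_version(text)
    baseline = AFFECTED_THROUGH.get(ver[0])
    if baseline is None:
        return None
    return ver <= baseline


def local_java_version_line() -> Optional[str]:
    """First line of `java -version` (which Java prints on stderr), or None if no java binary."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return (out.stderr or out.stdout).splitlines()[0] if (out.stderr or out.stdout) else None


if __name__ == "__main__":
    line = local_java_version_line()
    if line is None:
        print("no java binary on PATH")
    else:
        verdict = affected_by_july_2018_cpu(line)
        status = {True: "AFFECTED", False: "newer than affected level", None: "release not in pre-release"}[verdict]
        print(f"{line!r}: {status}")
```

Run it on each host, or feed it the first line of `java -version` collected by your inventory tooling; treat `None` as "go read the final advisory", not as "safe".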

On the surface, the downward trend in Java SE patches looks positive. It may instead reflect the low adoption rates of Java SE 9 and 10, as the Java community continues to rely on older versions. With few users on the newest releases, fewer people are in a position to find and report bugs in them, so a smaller patch count does not necessarily mean fewer flaws.

Oracle will release the final version of the July 2018 CPU mid-afternoon Pacific Daylight Time on Tuesday, 17 July. Waratek will follow shortly with functionally equivalent virtual patches for the Java SE and other Java-related Q3 CPU updates, which require no downtime and no source code changes to fix the software flaws.



Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.
