This is concerning because it reveals that the security of Java’s APIs is not significantly improving.
This quarter’s CPU update from Oracle addresses 25 new vulnerabilities across JRE versions 6, 7, and 8. Most seriously, 23 of the 25 fixed vulnerabilities are remotely exploitable without authentication. These are very serious and reach the maximum CVSS severity score of 10.0 – in other words, as bad as it gets:
Of the 25 CVEs fixed in this patch, 24 (96%) affect Java SE 8, which is the latest and most up-to-date Java version. This reveals that the security of Java’s APIs has not significantly improved over time. This is something of a paradox, since at Java’s inception it was specifically promoted as a secure computing platform. Enterprise Java customers also need to remember that Java SE 7 is no longer provided with public security updates. So enterprises running Java SE 7 applications – which is virtually every large enterprise today – cannot automatically download and apply these important security fixes.
Meanwhile, the Java Platform is in the midst of a general renaissance. Since Oracle assumed leadership of Java, its feature roadmap has exploded – just look at the diversity of projects in the OpenJDK community and the features coming in Java 9 next year. In the last several years the Java Platform – and specifically the Java Virtual Machine (JVM) – has emerged as the de facto object-code platform for a majority of new languages and frameworks.
Similarly, but less hyped, is the transformation of Java security. A movement is taking place to virtually remediate Java’s API vulnerabilities without quarterly CPU patching. Driving this security transformation is an approach called ‘Runtime Application Self-Protection’ (RASP) — which Gartner calls ‘must have technology’. Java RASP Containers eliminate the organizational headache and cost of quarterly Java Runtime Environment (JRE) patching by running vulnerable JRE versions — including older, unsupported JRE versions 5, 6, and 7 — inside protected, virtually-patched JVM containers. Enterprise customers who have not already begun adopting Java RASP Container technologies to virtually remediate JRE vulnerabilities should begin exploring this new generation of application-security technology.