Oracle’s first Quarterly Critical Patch Update (CPU) of 2018 provided fixes for 237 vulnerabilities across its product lines, including patches for 21 security holes in the Java Platform, Standard Edition (Java SE), 18 of which are remotely exploitable without authentication.
The latest CPU provides the fewest fixes for Oracle’s products since last April — except for Java SE, for which the company provided 22 fixes last quarter. The consistent number of patches, quarter to quarter, is a reminder that people must keep up with Java security, said John Matthew Holt, CTO of security firm Waratek, because the vulnerabilities are not going away any time soon.
Holt also pointed out that 28.5 percent of the vulnerabilities patched for the Java platform in this CPU address unsafe deserialization. Serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data is received.
“Oracle began fixing the first of the unsafe deserialization vulnerabilities discovered in the Java Platform last January,” Holt noted. “People were hoping that there would be one or two in isolation. But there has been a significant footprint of unsafe deserialization in every CPU since. It shows how challenging it is to deal with this vulnerability type in the core Java platform.”
Waratek, a Dublin-based app security tools provider with a special focus on Java, discovered two of the unsafe deserialization flaws patched with this CPU. “Waratek researched the JRE (Java Runtime Environment) codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication,” the company stated in an advisory released Jan. 18.
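The serialization/deserialization mechanism described above, and the unbounded memory allocation problem Waratek's advisory refers to, are easiest to see with the JDK's own mitigation: the deserialization filter introduced by JEP 290 (Java 9 and later; available on Java 8 from 8u121 through the `jdk.serialFilter` system property). The following is an added example, not code from the article, from Oracle or from Waratek; the `Greeting` class, the allow-list pattern and the `maxarray`/`maxdepth` limits are assumptions chosen for the demonstration. It shows a stream carrying the expected type being accepted, a class outside the allow list being refused, and an oversized array being refused before it is allocated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added illustration of defensive deserialization filtering (JEP 290, Java 9+).
// Class names, limits and sample objects are assumptions for the demo.
public class FilteredDeserialization {

    // The only application type we expect to receive from untrusted input.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allow-list filter: the expected class plus java.lang.String, with caps on
    // array length and object-graph depth; the trailing "!*" rejects every
    // other class. Limits are evaluated before the class patterns, so an
    // oversized array is refused before any of its storage is allocated.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=1000;maxdepth=5;"
            + "FilteredDeserialization$Greeting;java.lang.String;!*");

    // Convert an object into its byte-stream form (serialization).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reverse the process (deserialization) with the filter installed before the
    // first readObject(); the filter is consulted for each class in the stream
    // before that class is resolved or instantiated.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // True if the filter refused the stream (ObjectInputStream reports this as
    // an InvalidClassException with the message "filter status: REJECTED").
    static boolean isRejected(byte[] bytes) throws IOException, ClassNotFoundException {
        try {
            deserialize(bytes);
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The expected type is accepted.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // 2. A class not on the allow list (java.util.Date here) is rejected by "!*".
        System.out.println("Date rejected: " + isRejected(serialize(new java.util.Date())));

        // 3. An array longer than maxarray is rejected before allocation, which is
        //    the kind of unbounded-allocation pattern the filter limits address.
        System.out.println("oversized int[] rejected: " + isRejected(serialize(new int[5000])));
    }
}
```

Save the file as `FilteredDeserialization.java`, compile and run it with a Java 9 or newer JDK. On Java 8u121 and later, where `setObjectInputFilter` is not part of the public API, the same pattern string can be applied process-wide with `-Djdk.serialFilter="maxarray=1000;maxdepth=5;FilteredDeserialization$Greeting;java.lang.String;!*"`. The important design choice is the allow list: a filter that only blocks known-bad classes has to be updated for every new gadget chain, whereas one that ends in `!*` only ever admits the types the application actually expects.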
An unsafe deserialization flaw was discovered last year in the Apache Struts web app framework, which allowed attackers to seize control of any server running REST apps built with Struts. The Apache Software Foundation released a patch in September. A month later, an unsafe deserialization flaw was found in RubyGems, the maintainers of which issued a patch.
“We should all remember that the same unsafe deserialization problem is not only linked to the Java Platform,” Holt said, “but also the major frameworks and software components that are going to be built from Java.”
Article written by John Waters, ADT Magazine