With its latest Quarterly Critical Patch Update (CPU), Oracle has addressed 250 vulnerabilities across hundreds of different products, including 22 vulnerabilities in the Java Platform Standard edition (Java SE).
More than 90 percent of these vulnerabilities can be exploited remotely without authentication; about 60 percent can allow attackers to perform remote Denial of Service attacks; and more than 72 percent of these vulnerabilities can be easily exploited, because their attack complexity is low. This CPU also patched four newly identified deserialization vulnerabilities in the Java Virtual Machine (JVM).
That breakdown is from Waratek, the Dublin-based app security tools provider with a special focus on Java. This CPU includes the first fixes for the newly released Java SE 9, Waratek noted, as well as the optional JCE Unlimited Strength Policy Files, standard in Java 9, which add unrestricted cryptographic strength to Java versions 6 through 8. This will allow applications to use strong cryptographic algorithms, such as AES with 256-bit keys.
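As an added illustration (not code from the article, Oracle or Waratek), this small Java check lets an operator confirm after patching that the runtime actually permits AES with 256-bit keys rather than the 128-bit cap of the limited policy; the class and method names are my own.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;

/** Hypothetical helper: verifies that this JRE permits 256-bit AES (unlimited JCE policy in effect). */
public class CryptoPolicyCheck {

    /** True when the policy allows AES-256; the "limited" policy reports 128 here. */
    static boolean unlimitedAesAllowed() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Performs a real AES-256/GCM round trip; returns false if the policy rejects the key. */
    static boolean aes256RoundTrip() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                      // key generation itself is not policy-restricted
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];          // 96-bit nonce, the recommended GCM size
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        try {
            Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
            enc.init(Cipher.ENCRYPT_MODE, key, spec);   // limited policy fails here
            byte[] ciphertext = enc.doFinal(plaintext);
            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
            dec.init(Cipher.DECRYPT_MODE, key, spec);
            return Arrays.equals(plaintext, dec.doFinal(ciphertext));
        } catch (InvalidKeyException e) {
            // Raised as "Illegal key size" when the limited-strength policy is active.
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 permitted by policy: " + unlimitedAesAllowed());
        System.out.println("AES-256/GCM round trip: " + aes256RoundTrip());
    }
}
```

Running this on a pre-update Java 8 JRE without the policy files installed shows the 128-bit limit; on a patched runtime both checks report true.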
Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number. The most severe of the 22 Java vulnerabilities earned the highest CVSS base score of 9.6 on a 10.0 scale.
Users running Java SE with a browser can download the latest release from Oracle’s Java Web site. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release, the company said.
Oracle typically advises users of its products to apply the patches offered with each CPU as soon as possible, but the Equifax breach earlier this year added an air of urgency to this quarter’s admonition:
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the company wrote in its CPU announcement. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
Written by John K. Waters