The recent media attention focused on patching software could get a shot of rocket fuel on Tuesday with the release of the next Oracle Critical Patch Update (CPU). In a pre-release statement, Oracle has revealed that the October 2017 CPU is likely to contain nearly two dozen fixes for Java SE, one of the most widely used platforms for web applications. New security fixes for the widely deployed Oracle Database Server are also expected, along with patches for hundreds of other Oracle products.
Most of the Java-related flaws are remotely exploitable without authentication, meaning an attacker needs no user credentials, and the highest CVSS 3.0 base score is expected to be 9.6 on a 10.0 scale. The CPU could also include the first patches for the latest version of Java, Java 9, which was released in September.
Oracle is also expected to back-port to Java 8, 7 and 6 the unlimited-strength cryptographic policy that Java 9 enables by default. On those older releases that capability has until now been available only by installing the separately downloaded JCE Unlimited Strength Jurisdiction Policy Files; without them, the JVM's default "limited" policy caps AES at 128-bit keys.
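A practitioner rolling this update out will want to confirm which policy a given JVM is actually running under, rather than trusting the patch level. The following is an added example written for this page, not code from the article or from Oracle; the class name `CryptoPolicyCheck` and the method names are arbitrary. It uses two standard JCE calls: `Cipher.getMaxAllowedKeyLength`, which reports the cap the policy imposes, and a real `Cipher.init` with a 256-bit AES key, which is the operation the limited policy rejects.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Added example (not from the article): reports whether this JVM is running
 * under the legacy "limited" JCE policy (AES capped at 128-bit keys) or the
 * unlimited policy that Java 9 enables by default.
 */
public class CryptoPolicyCheck {

    /** True when the runtime permits AES keys longer than 128 bits. */
    public static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        // Limited policy returns 128; unlimited policy returns Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /**
     * Exercises the restriction directly. Generating a 256-bit key is allowed
     * under either policy; it is Cipher.init() that the limited policy rejects
     * with InvalidKeyException ("Illegal key size ...").
     */
    public static boolean canInitAes256() throws GeneralSecurityException {
        byte[] raw = new byte[32];                 // 256-bit probe key, discarded afterwards
        new SecureRandom().nextBytes(raw);
        SecretKeySpec key = new SecretKeySpec(raw, "AES");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key); // SunJCE generates a random IV for GCM
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // On Java 9, and on Java 8 updates that carry the back-port, the policy is
        // selected by the "crypto.policy" Security property ("limited" or
        // "unlimited") in java.security; it can also be set programmatically with
        // Security.setProperty("crypto.policy", "unlimited"), but only before any
        // JCE class has been loaded. Releases without the back-port still need the
        // policy JARs copied into $JAVA_HOME/jre/lib/security.
        System.out.println("java.version          = " + System.getProperty("java.version"));
        System.out.println("AES max key length    = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("unlimited policy      = " + unlimitedPolicyActive());
        System.out.println("AES-256 init succeeds = " + canInitAes256());
    }
}
```

Run it with `javac CryptoPolicyCheck.java && java CryptoPolicyCheck` on each JVM you patch. The two checks should agree; if the first reports unlimited but the second fails, something other than the policy files is rejecting the key (for example a third-party provider registered ahead of SunJCE), which is worth investigating before assuming the update did its job.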
The October CPU comes on the heels of a September out-of-cycle Security Alert from Oracle addressing flaws of the kind exploited in the Equifax attack. The Alert followed Apache's announcement of vulnerabilities in the Apache Struts 2 framework, which Oracle deemed too critical to hold back for the quarterly patch update.
IBM also issued an out-of-cycle patch to address flaws in IBM's Java-related products in the wake of the Equifax breach.
The Equifax attack has put a spotlight on the vital importance of applying security patches quickly, and on the continuing struggle of security teams to keep pace with the growing frequency and size of patch releases. So far in 2017, NIST's National Vulnerability Database has catalogued 11,525 new software flaws and now tracks more than 95,000 known vulnerabilities.
Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, 17 October.