Oracle Jan 2018 CPU Preview

By January 15, 2018 April 30th, 2019 Blog

What to Expect in 2018’s First Oracle Critical Patch Update

Overall trends point to increased risks from vulnerable code

After two weeks of focusing on Bond-esque vulnerabilities found in microprocessors, it’s time to turn attention to the bellwether of software flaws – the quarterly Oracle Critical Patch Update (CPU).  In a pre-release statement, Oracle indicates the first CPU of 2018 will likely be the smallest patch update since April 2016.

Don’t celebrate just yet. The overall number of flaws patched may be lower, but the number of Java SE vulnerabilities is likely to be flat compared with the October 2017 CPU and to represent a year-over-year increase compared to January 2017. New security fixes for the widely used Oracle Database Server are also expected to involve the Java Virtual Machine.

Most of the Java-related flaws can be exploited without user credentials, with the highest vulnerability base score expected to be 8.3 on a 10.0 scale. The CPU could also include fixes for flaws in Java SE versions 6 through 9.

Java SE Vulnerability Patches

The January 2018 CPU will be released into an environment where virtually every enterprise on the planet is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be applied.  Companies that do business in the European Union are also coming to realize that a breach is not their only risk of incurring a large fine under the pending GDPR security rules – so is a failure to patch.

The Information Commissioner’s Office (ICO) of the United Kingdom cited a “seriously inadequate” patching program when assessing a £400,000 ($675,000) fine for a 2015 breach that exposed personal data for 3.3 million customers and 1,000 employees.  The ICO indicated failure to apply patches now could result in GDPR fines when enforcement begins in May.

Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, 16 January. Waratek will release virtual patches for the CPU shortly thereafter.


Oracle January 2018 CPU is now out, read our Customer Alert


 

Author Waratek
