The number of Java SE patches in the quarterly Oracle Critical Patch Update (CPU) for January 2020 drops to 12 from the 20 included in October 2019’s CPU, but one third of the fixed issues are high-severity vulnerabilities. The overall number of patches in the Q1 CPU is 334, compared to the 219 fixes in the last CPU of 2019.
Waratek’s Advice to Customers & Prospects
Waratek Patch and Waratek Enterprise customers will receive runtime virtual patches that address the Oracle CPU CVEs under their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.
Waratek Secure customers that have enabled the deserial rule in protect mode are already protected against CVE-2020-2604, CVE-2020-2555, CVE-2020-2551, CVE-2020-2546, and CVE-2016-1000031.
Waratek Secure and Patch customers that have enabled the process forking rule in protect mode are already protected against CVE-2019-2729.
Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.
Q1 CPU Java SE highlights
- All 12 of the Java SE vulnerabilities may be exploited over a network without requiring user credentials.
- 33% of the fixed issues affect the JavaFX component.
- 33% of the fixed issues are Java 8 specific.
- 2 of the fixed issues are exploitable only via Kerberos.
- 2 new deserialization issues were fixed; one of them (CVE-2020-2604) is of high severity and could allow attackers to fully compromise the JVM, the host system and the network.
- CVE-2019-16168, a high-severity Denial of Service vulnerability affecting Java apps that use SQLite, was fixed. Attackers could remotely exploit this vulnerability to crash the JVM.
Regarding other Oracle products
- 3 new deserialization issues were fixed in the Oracle Fusion Middleware – all of them are critical and could allow attackers to fully compromise the JVM, the host system and the network.
- CVE-2019-2729, a critical Remote Command Execution vulnerability, was patched in PeopleSoft Enterprise PeopleTools and Oracle Tape Library ACSLS. A working exploit for CVE-2019-2729 was publicly released in early January.
- The popular 4-year-old critical Java deserialization vulnerability CVE-2016-1000031 found in the Apache Commons FileUpload library was patched in Oracle Utilities Work and Asset Management (v1) and in Oracle Tape Library ACSLS.