Oracle January 2020 CPU includes fewer Java SE patches, but the severity base scores are higher

January 15, 2020 | Alerts, Blog, Patching

The number of Java SE patches in the quarterly Oracle Critical Patch Update (CPU) for January 2020 drops to 12 from the 20 included in October 2019’s CPU. However, one third of the fixed issues are high severity vulnerabilities. The overall number of patches included in the Q1 CPU is 334, compared to the 219 fixes included in the last CPU of 2019.

Waratek’s Advice to Customers & Prospects

Waratek Patch and Waratek Enterprise customers will receive runtime virtual patches that address the Oracle CPU CVEs under their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.

Waratek Secure customers that have enabled the deserial rule in protect mode are already protected against CVE-2020-2604, CVE-2020-2555, CVE-2020-2551, CVE-2020-2546, and CVE-2016-1000031.

Waratek Secure and Patch customers that have enabled the process forking rule in protect mode are already protected against CVE-2019-2729.

Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.

Q1 CPU Java SE highlights

  • All 12 of the Java SE vulnerabilities may be exploited over a network without requiring user credentials.
  • 33% of the fixed issues affect the JavaFX component.
  • 33% of the fixed issues are Java 8 specific.
  • 2 of the fixed issues are exploitable only via Kerberos.
  • 2 new deserialization issues were fixed; one of them (CVE-2020-2604) is of high severity and could allow attackers to fully compromise the JVM, the host system and the network.
  • CVE-2019-16168, a high severity denial of service vulnerability affecting Java applications that use SQLite, was fixed. Attackers could remotely exploit this vulnerability to crash the JVM.

Regarding other Oracle products

  • 3 new deserialization issues were fixed in the Oracle Fusion Middleware – all of them are critical and could allow attackers to fully compromise the JVM, the host system and the network.
  • CVE-2019-2729, a critical remote command execution vulnerability, was patched in PeopleSoft Enterprise PeopleTools and Oracle Tape Library ACSLS. A working exploit for CVE-2019-2729 was publicly released in early January.
  • The popular 4-year-old critical Java deserialization vulnerability CVE-2016-1000031 found in the Apache Commons FileUpload library was patched in Oracle Utilities Work and Asset Management (v1) and in Oracle Tape Library ACSLS.
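
Deserialization of untrusted input appears in both lists above (CVE-2020-2604 in Java SE and the three Fusion Middleware issues). As an added example, not code from this post or from Waratek, the following shows the JDK's own defensive control for applications that cannot apply the CPU immediately: a JEP 290 serialization filter (java.io.ObjectInputFilter, Java 9 and later) that allow-lists the one expected class and rejects every other class before it is instantiated. The Order class and the SKU value are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class DeserialAllowList {
    // Hypothetical application DTO: the only application class this endpoint should accept.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku; final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }
    // JEP 290 allow-list: resource limits, the two permitted classes, then "!*" so every other
    // class named in the stream (gadget classes included) is REJECTED before it is instantiated.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxrefs=500;DeserialAllowList$Order;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The filter must be attached before the first readObject() call on the stream.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) readFiltered(serialize(new Order("SKU-42", 3)));   // expected input passes
        System.out.println("accepted: " + ok.sku + " x" + ok.quantity);

        // Constructed stand-in for an unexpected class: anything off the allow-list is refused
        // before its readObject() runs, which is what stops a deserialization gadget chain.
        try {
            readFiltered(serialize(new ArrayList<String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be enforced process-wide, without touching application code, through the jdk.serialFilter system property (-Djdk.serialFilter=...) on Java 8u121 and later. A filter only limits which classes a stream may name, so it complements rather than replaces applying the CPU.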

Author: Apostolos Giannakidis

Apostolos drives the research and the design of the security features of Waratek’s RASP container. Before starting his journey in Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than 10 years of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham. Apostolos is acknowledged by Oracle for submitting two Java Deserialization vulnerabilities that were fixed in the Oracle January 2018 CPU and is featured on Google’s Vulnerability Reward Program Hall of Fame.
