Oracle January 2020 CPU includes fewer Java SE patches, but the severity base scores are higher

Waratek Patch and Waratek Enterprise customers will receive runtime virtual patches that address the Oracle CPU CVEs under their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.

Waratek Secure customers that have enabled the deserial rule in protect mode are already protected against CVE-2020-2604, CVE-2020-2555, CVE-2020-2551, CVE-2020-2546, and CVE-2016-1000031.

Waratek Secure and Patch customers that have enabled the process forking rule in protect mode are already protected against CVE-2019-2729.

Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.


Q1 CPU Java SE highlights

  • All 12 of the Java SE vulnerabilities may be exploited over a network without requiring user credentials.
  • 33% of the fixed issues affect the JavaFX component.
  • 33% of the fixed issues are Java 8 specific.
  • 2 of the fixed issues are exploitable only via Kerberos.
  • 2 new deserialization issues were fixed; one of them (CVE-2020-2604) is of high severity and could allow attackers to fully compromise the JVM, the host system and the network.
  • CVE-2019-16168, a high-severity denial-of-service vulnerability affecting Java applications that use SQLite, was fixed. Attackers could remotely exploit this vulnerability to crash the JVM.


Regarding other Oracle products

  • 3 new deserialization issues were fixed in the Oracle Fusion Middleware – all of them are critical and could allow attackers to fully compromise the JVM, the host system and the network.
  • CVE-2019-2729, a critical remote command execution vulnerability, was patched in PeopleSoft Enterprise PeopleTools and Oracle Tape Library ACSLS. A working exploit for CVE-2019-2729 was publicly released in early January.
  • The well-known 4-year-old critical Java deserialization vulnerability CVE-2016-1000031 in the Apache Commons FileUpload library was patched in Oracle Utilities Work and Asset Management (v1) and in Oracle Tape Library ACSLS.
