By John K. Waters
Twenty-three of the Java vulnerabilities are remotely exploitable without authentication, explained Eric P. Maurice, director of Oracle’s Software Security Assurance group, in an Oracle Security blog post. Sixteen of the Java SE fixes are for Java client-only; one is for the client installation of Java SE; and five are for client and server deployment.
This CPU also includes a fix specifically for the Mac platform, and four for the Java Secure Socket Extension (JSSE) client and server deployments.
Seven of the 25 Java vulnerabilities addressed in this CPU earned a CVSS rating of 10.0 — very serious. Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. This CPU used version 2.0 of that rating system, but version 3.0 is now available and will likely be used in the next quarterly update. The Forum of Incident Response and Security Teams (FIRST) announced the availability of CVSS 3.0 in June, after three years of development.
John Matthew Holt, CTO of Dublin-based Java security vendor Waratek, pointed out in an e-mail that 24 of the 25 CVEs fixed in this patch (96 percent) affect Java SE 8, the latest and most up-to-date Java version — revealing, he said, that the security of Java’s APIs has not significantly improved over time. He also noted that Java SE 7 is no longer being provided with public security updates. “So enterprises running Java SE 7 applications — which is virtually every large enterprise today — cannot automatically download and apply these important security fixes,” he said.