Overall trends point to continued risks from remote code execution vulnerabilities
The number of patches in the quarterly Oracle Critical Patch Update (CPU) for April 2019 is 297, still fewer than this time last year but up slightly from the Q1 report. All 5 of the vulnerabilities that affect Java SE are remotely exploitable without the need for authentication.
Other highlights of the CPU release include:
- There are a total of five new fixes in Java SE, with the highest CVSS score being 9 on a scale of 10. This indicates that the vulnerability is exploitable without user credentials.
- This quarter’s CPU fixes vulnerabilities that allow Remote Code Execution on the system with 80% of the flaws affecting system availability.
- One of the Java SE fixes is critical; four are high and one is medium. The critical Java SE vulnerability affects only Java 8 deployments on Windows.
- The CPU for Java SE release patches flaws in Java SE versions 7u211, 8u202, 11.0.2, and 12.
- The April CPU release for Java SE also fixes a performance regression introduced in Java 8u202 that can incur up to 7400% performance overhead in applications that make heavy use of sun.misc.Unsafe and the Reflection API.
- 19 different Oracle products across the whole Oracle software stack were patched against the well-known, 3-year-old vulnerability CVE-2016-1000031, a Java deserialization vulnerability introduced through the Apache Commons FileUpload dependency. Products affected include the Oracle Banking Platform, Oracle API Gateway, Oracle WebCenter Portal (Fusion), Primavera P6 Enterprise, Oracle Siebel CRM and many more.
- There are three new critical vulnerability fixes in the Oracle WebLogic Server.
- There are at least six new Java deserialization vulnerability fixes in the Oracle WebLogic Server that can allow remote code execution on vulnerable systems.
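To turn the affected Java SE versions listed above (7u211, 8u202, 11.0.2 and 12) into an inventory check, here is an added example that is not part of the original alert. It normalises both legacy (`1.8.0_202`) and modern (`11.0.2`) version strings and flags any build at or below the listed version as predating this CPU; the fixed build numbers are not given in the alert, so the check is deliberately "at or below", and the `java -version` sample output is constructed.

```python
import re
import subprocess

# Java SE release lines patched by the April 2019 CPU, as listed in the alert,
# normalised to (major, update). Builds at or below these predate the CPU.
# Fixed build numbers are not stated in the alert, so we do not encode them.
AFFECTED = {7: 211, 8: 202, 11: 2, 12: 0}

_LEGACY = re.compile(r'^1\.(\d+)\.0(?:_(\d+))?')          # 1.7.0_211, 1.8.0_202-b08
_MODERN = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')    # 11.0.2, 12, 12.0.1+12


def parse_java_version(ver: str) -> tuple:
    """Normalise a Java version string into (major, update)."""
    ver = ver.strip().strip('"')
    m = _LEGACY.match(ver)
    if m:                      # legacy scheme: 1.<major>.0_<update>
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MODERN.match(ver)
    if m:                      # new scheme: <major>.<minor>.<security>
        return int(m.group(1)), int(m.group(3) or 0)
    raise ValueError(f"unrecognised Java version: {ver!r}")


def needs_april_2019_cpu(ver: str) -> bool:
    """True if the build is at or below a version the alert says was patched."""
    major, update = parse_java_version(ver)
    if major not in AFFECTED:  # release line not covered by this alert
        return False
    return update <= AFFECTED[major]


def version_from_output(output: str) -> str:
    """Extract the quoted version token from `java -version` output (stderr)."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no 'version \"...\"' line found")
    return m.group(1)


def check_local_java() -> bool:
    """Run `java -version` on this host and evaluate it against the alert."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return needs_april_2019_cpu(version_from_output(out.stderr))


if __name__ == "__main__":
    # Constructed sample output for a build the alert lists as affected.
    SAMPLE = 'openjdk version "1.8.0_202"\nOpenJDK Runtime Environment (build 1.8.0_202-b08)\n'
    print("needs April 2019 CPU:", needs_april_2019_cpu(version_from_output(SAMPLE)))
```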
Last quarter, Java SE also had 5 patches released, with the highest CVSS score being 6.1. This quarter also saw 5 Java SE patches; all but one fell below last quarter's highest severity. The timing is interesting, as Oracle appears to have patched much more critical flaws in this release, which also happens to be the first CPU issued since the new Java SE licensing took effect.
Waratek Enterprise and Waratek Secure customers are already protected by the platform’s zero-day and zero-false-positives protection features against code injection, command injection, unsafe deserialization, and arbitrary file upload attacks. Waratek Patch will receive runtime virtual patches that address the April 2019 CVEs under their agreements.
Non-customers should follow Oracle's advice and apply the critical patch updates without delay. Please note that this is the first CPU release since the new Oracle licensing model took effect. If you have questions about Java SE licensing, please refer to Oracle's FAQ.
Oracle customers with Java 6 applications have no remediation from Oracle for the vulnerabilities present, so they must investigate new security alternatives using runtime patching solutions.
Apostolos Giannakidis, Waratek’s Lead Security Architect contributed to this Alert.