Overall trends point to continued risks from vulnerable code
The number of Java-related patches in the Q2 Oracle Critical Patch Update (CPU) continues to drift down from the all-time high of July 2017, but the number of vulnerabilities that can be exploited remotely remains alarmingly high. In a pre-release statement, Oracle indicates that more than three quarters of the Java SE flaws in this CPU require no authentication to launch a successful attack.
Other highlights of the pre-release include:
- New security fixes for the widely used Oracle Database Server are expected to only involve the Java Virtual Machine. The vulnerability expected to be patched has a CVSS Base Score of 8.5 on a 10 point scale, but is not remotely exploitable.
- The number of Java SE patches in the Q2 CPU is expected to drop by one third, from 21 to 14 flaws patched, but the percentage of flaws that do not require authentication to exploit remains the same as in Q1 – 86%. The highest CVSS score among the Java SE vulnerabilities is 8.3.
- The first patch for the recently released Java 10 is likely to appear in the Q2 CPU, along with fixes for Oracle Java SE 6u181, 7u161, 7u171, 8u152, and 8u162.
- The preview release does not list any critical patch updates for Java 9 – released in September 2017 – which has been replaced by the March 2018 release of Java 10. Java 9 users must now upgrade to Java 10 to utilize public critical patch updates from Oracle. Java 11 is due later this year.
The April CPU will be released just weeks before enforcement begins for the European Union’s General Data Protection Regulation (GDPR), and as the world’s cybersecurity leaders gather in San Francisco for the annual RSA Conference. How to close the gap between the time a vulnerability and its patch are announced and the time organizations are able to apply the fix will be a topic of conversation at the conference.
Under GDPR and new NY Department of Financial Services regulations, for the first time organizations can be fined for poor security practices even if they are not the victim of a successful cyberattack. Simply failing to comply with the regulations – leaving a known flaw unpatched, for example – is enough to trigger a compliance action.
Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, 17 April. Waratek will release virtual patches for the Q2 CPU thereafter.