Q4 Oracle Critical Patch Update Preview

By Waratek | October 15, 2018 | October 25th, 2018 | Blog, Patching

Java SE patches could increase in the final CPU of 2018

Total Java SE flaws are likely to drop for the year

The final Oracle Critical Patch Update (CPU) of 2018 may see a 20 percent increase in Java SE patches compared to Q3. However, the total number of Java SE patches for 2018 is set to drop by one-third compared to 2017's record-breaking number of bug fixes, based on an analysis of a pre-release statement.

Java SE Patches

Other highlights of the pre-release include:

  • Eleven Java SE patches are expected in the Q4 update, addressing vulnerabilities in Java SE versions 6u201, 7u191, 8u182, and 11. The highest CVSS base score is expected to be nine on a ten-point scale.
  • Ninety-one percent (91%) of the Java SE vulnerabilities expected to be patched can be remotely exploited. The projected annual rate for remotely exploitable flaws is also 91 percent.
  • This Q4 update is projected to contain three new security fixes for the Oracle Database Server, all of which may be remotely exploitable without authentication. These fixes apply to client-only installations and may include the Java Virtual Machine (JVM). The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8.
  • The Q4 release could have as many as 302 total product patches across hundreds of products, a 10 percent drop from Q3 but the third highest quarterly total since January 2016.

Oracle will release the final version of the Q4 CPU mid-afternoon Pacific Daylight Time on Tuesday, 16 October. Waratek will follow shortly with a release of functionally equivalent virtual patches for the Java SE and other Java-related updates; these require no downtime and no source code changes to fix the software flaws.


Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.