Java SE patches could increase in the final CPU of 2018
Total Java SE flaws are likely to drop for the year
The final Oracle Critical Patch Update (CPU) of 2018 may see a 20 percent increase in Java SE patches compared to Q3. However, the total number of Java SE patches for 2018 is set to drop by one-third compared to 2017’s record-breaking number of bug fixes, based on an analysis of a pre-release statement.
Other highlights of the pre-release include:
- Eleven Java SE patches are expected in the Q4 update, addressing vulnerabilities in Java SE versions 6u201, 7u191, 8u182, and 11. The highest CVSS base score is expected to be nine on a ten-point scale.
- Ninety-one percent (91%) of the Java SE vulnerabilities expected to be patched can be remotely exploited. The projected annual rate for remotely exploitable flaws is also 91 percent.
- This Q4 update is projected to contain three new security fixes for the Oracle Database Server, all of which may be remotely exploitable without authentication. These fixes apply to client-only installations and may include the Java Virtual Machine (JVM). The highest CVSS base score of vulnerabilities affecting Oracle Database Server is 9.8.
- The Q4 release could have as many as 302 total product patches across hundreds of products, a 10 percent drop from Q3 but the third highest quarterly total since January 2016.
Oracle will release the final version of the Q4 CPU mid-afternoon Pacific Daylight Time on Tuesday, 16 October. Waratek will follow shortly with a release of functionally equivalent virtual patches for the Java SE and other Java-related updates that require no downtime and no source code changes to fix the software flaws.