News

Oracle Releases 14 Java Security Patches, Last Patch Update for Java 7

• By John K. Waters
• April 17, 2015

Oracle's latest quarterly Critical Patch Update (CPU) includes 98 fixes for vulnerabilities in Oracle products, including 14 that address Java SE issues.

Three of the Java vulnerabilities identified (CVE-2015-0469, CVE-2015-0459, and CVE-2015-0491), earned a CVSS score of 10.0, the highest, and thus, the most severe on that scale. Vulnerabilities of that level of severity can be exploited over the network without authentication and can lead to a full compromise of the system's confidentiality and integrity.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products.

Eleven of the Java SE fixes are for client-only vulnerabilities, which can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets. Two of the issues apply to Java Secure Socket Extension (JSSE) client and Server deployments, and one applies to Java client and Server deployments.

"The 'Critical' in the designation of the Critical Patch Update program is intended to highlight the importance of the fixes distributed through the program, wrote Eric P. Maurice, director of Oracle's Software Security Assurance group, in an Oracle Security blog post. "Oracle highly recommends that customers apply these Critical Patch Updates as soon as possible."

Maurice also noted that the CPUs are cumulative for most Oracle products, which means the application of the most recent update brings customers to the most recent security release, "and addresses all previously-addressed security flaws for these products."

John Matthew Holt, CTO of Dublin-based Java security vendor Waratek, agreed whole-heartedly with Maurice's admonition to apply these fixes quickly. "Applications running on any of JRE/JDK versions 5, 6, 7, and 8 which do not apply this patch are at risk of a dozen severe remotely-exploitable vulnerabilities which could result in the complete compromise of sensitive application data," he told ADTmag in an e-mail.

This CPU will be the last for Java 7; from now on, the only version of the Java Platform that will receive public security updates is Java 8. This is "huge news" that will cause "enormous headaches and disruption to millions of application owners around the world," he said.

"Applications running on any of the prior vulnerable versions of Java -- and there are millions of them -- have two options today: either commence a full upgrade, retest, and redeploy lifecycle onto the latest Java SE 8 update, or install any of the new Java Container RASP (Runtime Application Self-Protection) technologies that will quarantine and protect the Java Platform and the entire application stack automatically," he said.

Gartner has defined RASP as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." In other words, it's tech that makes it possible for apps to protect themselves.

"Oracle's rapid end of life schedule for Java versions is great for innovation and language evolution," Holt added. "However, there is a dangerous tradeoff. Now millions of Java 7 applications will have to defend themselves against code level vulnerabilities without the benefit of future fixes."