Java SE Patches in Latest Oracle CPU Mark a 12-Month Low

A lot has changed in the Java world in the past year, but Oracle is still issuing its quarterly Critical Patch Updates (CPUs) like clockwork. With 334 new security fixes, the Q3 CPU sets a two-year high for total Oracle product patches but a 12-month low for Java SE patches. It includes eight new Java SE patches, a 75 percent drop from the 30-month high set in July 2017.

"On the surface, the downward trend of Java SE patches would appear to be positive," said James Lee, executive vice president of Dublin-based app security tools provider Waratek, in a statement. "However, this trend may actually be a reflection of the adoption rates of Java SE 9 and 10, since the Java community continues to rely on older versions of Java. With low adoption rates, there are simply fewer users in a position to report bugs in the newest versions of Java."

Oracle uses the Common Vulnerability Scoring System (CVSS) to give each vulnerability it fixes an open, standardized severity rating, and each vulnerability is assigned a unique CVE identifier. Sixty-one of the vulnerabilities covered by this CPU carry a CVSS base score between 9.0 and 10.0, the range CVSS labels Critical.

All eight Java SE vulnerabilities covered in this CPU may be remotely exploitable without authentication, meaning an attacker could exploit them over a network without needing a username or password. Oracle Database Server also receives three patches in this CPU, including one for its Java Virtual Machine component.

Each quarterly CPU bundles patches for the vulnerabilities fixed since the previous update. It does not repeat the security advisories from earlier updates; those remain available on the Oracle Technology Network. However, most CPU patches are cumulative, Oracle has said, so applying the current CPU should resolve both the newly disclosed vulnerabilities and previously reported security issues in the same products.

Oracle strongly recommends that its customers apply the security fixes in the latest CPU as soon as possible. Users running Java SE with a browser can download the latest release from the Java + You download page. Users on Windows and Mac OS X can also use automatic updates to get the latest release.
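Once a CPU has been applied, the check a practitioner wants is that every host actually reports a patched build. The script below is an added example, not code from the original article or from Oracle: it parses the first line of `java -version` output (both the legacy `1.8.0_171` scheme used through Java 8 and the newer `10.0.1` scheme, and OpenJDK banners as well as Oracle ones) into a comparable tuple and checks it against a required minimum per major release. The minimum versions in `REQUIRED` are placeholder assumptions; take the real fixed versions from the CPU advisory for the release you run. The banners in `SAMPLE_BANNERS` are constructed for the example.

```python
"""Check an installed Java SE build against a required minimum version.

Added example, not part of the original article. The minimum versions in
REQUIRED are placeholder assumptions (use the fixed versions from the CPU
advisory); the banners in SAMPLE_BANNERS are constructed test input.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First line of `java -version` output, e.g.
#   java version "1.8.0_171"          (legacy scheme, Java 8 and earlier)
#   java version "10.0.1" 2018-04-17  (JEP 223 scheme, Java 9 and later)
# The capture stops at the first character that is not a digit, '.' or '_',
# so build suffixes such as "-b13" are ignored.
_VERSION_RE = re.compile(r'version "(?P<ver>[0-9][0-9._]*)')


def parse_java_version(banner: str) -> Version:
    """Normalise a version banner into a comparable tuple.

    'java version "1.8.0_171"' -> (8, 0, 171)
    'java version "10.0.1"'    -> (10, 0, 1)
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no version string found in banner: {banner!r}")
    ver = m.group("ver")
    if ver.startswith("1."):
        # Legacy "1.<major>.<minor>_<update>": drop the leading "1." and
        # treat the update number as the third component.
        main, _, update = ver[2:].partition("_")
        parts = [int(p) for p in main.split(".")]
        parts.append(int(update) if update else 0)
        return tuple(parts)
    return tuple(int(p) for p in ver.split("."))


def is_at_least(installed: Version, required: Version) -> bool:
    """Compare two version tuples, padding the shorter one with zeros."""
    width = max(len(installed), len(required))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(installed) >= pad(required)


def check_banner(banner: str, required: Dict[int, Version]) -> Tuple[bool, Version]:
    """Return (patched, parsed_version) for one banner.

    A major release with no entry in `required` is reported as not patched,
    since nothing vouches for it.
    """
    installed = parse_java_version(banner)
    minimum = required.get(installed[0])
    if minimum is None:
        return False, installed
    return is_at_least(installed, minimum), installed


def check_local_java(required: Dict[int, Version]) -> Optional[Tuple[bool, Version]]:
    """Run the real `java -version` (it prints to stderr) and check the result.

    Returns None when no java binary is on PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return check_banner(proc.stderr or proc.stdout, required)


# Placeholder minimums per major release (assumed for this example).
REQUIRED: Dict[int, Version] = {8: (8, 0, 181), 10: (10, 0, 2)}

# Constructed sample banners.
SAMPLE_BANNERS = [
    'java version "1.8.0_171"',
    'java version "1.8.0_181"',
    'java version "10.0.1" 2018-04-17',
    'openjdk version "11.0.2" 2019-01-15',
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        ok, ver = check_banner(banner, REQUIRED)
        print(f"{'OK     ' if ok else 'UPDATE '} {banner}  -> {ver}")
    local = check_local_java(REQUIRED)
    print("local java:", "not found" if local is None else local)
```

Run it with `python check_java.py` on each host (or wrap `check_local_java` in your inventory tooling). An unknown major release is deliberately reported as unpatched rather than skipped, so a stray JDK 11 or a vendor build you did not plan for shows up in the report instead of passing silently.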

Oracle's CPUs are issued on a quarterly schedule announced at the beginning of the year. The purpose of that schedule is to provide users of Oracle products with a level of predictability that will foster regular maintenance activity, the company has said. The next update is scheduled for October 16.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].