News

Oracle's Latest CPU Includes 20 Security Patches for Java SE

• By John K. Waters
• October 22, 2019

Oracle’s latest quarterly Critical Patch Update (CPU) provides 219 new security patches across Oracle’s product line, including 20 new patches for Java SE. But none of the Java patches in this CPU earned a CVSS risk score of greater than 6.8 out of 10.0.

The Java versions affected by this CPU are Java SE, versions 7u231, 8u221, 11.0.4, 13; and Java SE Embedded, version 8u221.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number (http://cve.mitre.org). The highest CVSS score this time around (6.8) went to CVE-2019-2909, a vulnerability in the Java VM component of Oracle Database Server.

Oracle describes CVE-2019-2909 as a “difficult to exploit vulnerability” that allows an unauthenticated attacker with network access via multiple protocols to compromise the JVM. “While the vulnerability is in Java VM, attacks may significantly impact additional products,” Oracle explained. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all JVM-accessible data.

The vulnerability with the highest CVSS score for this CPU is CVE-2018-14721, which earned a 10.0. This is a vulnerability in the Oracle NoSQL Database related to jackson-databind for versions prior 19.3.12. Easily exploitable, it allows an unauthenticated attacker with network access via HTTP to compromise Oracle NoSQL Database. A successful attack could result in the takeover of the DB.

(According to the National Vulnerability Database, this vulnerability has been modified since it was last analyzed, and is awaiting reanalysis, “which may result in further changes to the information provided.”)

Each Oracle quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.

Oracle typically recommends strongly that its customers apply the security fixes in the latest CPU as soon as possible. “Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the company warns on its website. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

This was the last Oracle CPU of 2019. The company releases its patches on the Tuesday closest to the 17th of the moth, which in 2020 will be: January 14, April 14, July 14, and October 20.