News

Oracle's CPU Includes Only 12 Security Patches for Java SE

• By John K. Waters
• January 14, 2020

Oracle's first Critical Patch Update (CPU) of 2020, due this week, will include only 12 new security patches for Java Standard Edition (Java SE), just over half the patches published in October 2019. This CPU addresses 333 total new security vulnerabilities in Oracle's products.

Oracle listed the versions affected by the vulnerabilities in a pre-release announcement. All 12 may be remotely exploitable without authentication, which means they may be exploited over a network without requiring user credentials.

The Oracle Java SE products and versions affected by vulnerabilities are addressed in this CPU are:

• Oracle Java SE, versions 7u241, 8u231, 8u241, 11.0.5, 13.0.1
• Oracle Java SE Embedded, version 8u231

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number (http://cve.mitre.org ). The highest CVSS score this time around affecting Oracle Java SE is 8.1.

This CPU also includes five new security patches for Oracle GraalVM, three of which ]may be exploited over a network without requiring user credentials. The highest CVSS score of vulnerabilities affecting Oracle GraalVM is 9.8. The version affected is Oracle GraalVM Enterprise Edition, version 19.3.0.2

Each Oracle quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.

Oracle typically recommends strongly that its customers apply the security fixes in the latest CPU as soon as possible. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company warns on its website. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

The company publishes its patches on the Tuesday closest to the 17th of the month. CPUs are scheduled this year for April 14, July 14, and October 20.