Oracle's Latest Critical Patch Update Includes 15 Fixes for Java SE
- By John K. Waters
- April 15, 2020
The latest Critical Patch Update (CPU) from Oracle, published today, addresses 397 security vulnerabilities across the company's product suite, including 15 patches for Java SE. Taken together, the Q2 CPU represents an 18 percent increase over the Q1 CPU, and a 33 percent increase year over year.
Oracle listed the versions affected by the vulnerabilities in a pre-release announcement. All 15 may be remotely exploitable without authentication, which means they may be exploited over a network without requiring user credentials.
Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number (http://cve.mitre.org). The highest CVSS score this time around affecting Oracle Java SE is 8.3.
The list of Oracle Java SE products and versions affected by vulnerabilities addressed in this CPU includes:
- Java Advanced Management Console, version 2.16
- Oracle Java SE, versions 7u251, 8u241, 11.0.6, 14
- Oracle Java SE Embedded, version 8u241
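A defender's check against the version list above, added here as an example and not code from the article or from Oracle: it parses the first line of `java -version` output and reports whether the installed release is at or below the version the article lists as affected for its release family. The version table and sample output lines are constructed from the list above; the page does not state the fixed version numbers, so the check answers only "at or below the listed affected version", and returns None for families the list does not cover.

```python
import re
import subprocess

# Affected versions as listed in the article (constructed from the page's list).
# Legacy families (7, 8) are keyed as (major, update); modern ones as dotted tuples.
AFFECTED = {7: (7, 251), 8: (8, 241), 11: (11, 0, 6), 14: (14,)}


def parse_java_version(version_line: str) -> tuple:
    """Turn the first line of `java -version` into a comparable tuple.

    Handles the legacy '1.8.0_241' form (-> (8, 241)) and the modern
    '11.0.6' / '14' form (-> (11, 0, 6) / (14,)); build suffixes are ignored.
    """
    m = re.search(r'version "([^"]+)"', version_line)
    if not m:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    v = m.group(1)
    legacy = re.match(r"1\.(\d+)\.0_(\d+)", v)
    if legacy:
        return (int(legacy.group(1)), int(legacy.group(2)))
    parts = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not parts:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts.groups() if p is not None)


def needs_april_2020_cpu(version_line: str):
    """True if the installed release is at or below the listed affected version
    for its family, False if it is newer, None if the family is not listed."""
    v = parse_java_version(version_line)
    family = v[0]
    if family not in AFFECTED:
        return None
    # Tuple comparison: (14,) < (14, 0, 1), so a later 14.x reads as newer.
    return v <= AFFECTED[family]


def installed_java_version_line() -> str:
    """Run `java -version`; the JVM prints the banner to stderr, not stdout."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return out.stderr.splitlines()[0]


if __name__ == "__main__":
    try:
        line = installed_java_version_line()
    except (FileNotFoundError, IndexError):
        print("no java binary found on PATH")
    else:
        print(line, "->", needs_april_2020_cpu(line))
```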
This CPU also includes five new security patches for Oracle's GraalVM. Two of the vulnerabilities addressed may be remotely exploitable without authentication.
Each Oracle quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.
The list of vulnerabilities in other Oracle products includes:
- 51 patches for Oracle Fusion Middleware
- 74 patches for Oracle E-Business Suite
- 16 patches for Oracle Knowledge
Oracle typically urges its customers to apply the security fixes in the latest CPU as soon as possible. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company warns on its website. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Oracle publishes its patches on the Tuesday closest to the 17th of the month. Two more CPUs are scheduled for this year: July 14 and October 20.
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].