News

Oracle's Latest Critical Patch Update Includes 15 Fixes for Java SE

• By John K. Waters
• April 15, 2020

The latest Critical Patch Update (CPU) from Oracle, published today, addresses 397 security vulnerabilities across the company's product suite, including 15 patches for Java SE. Taken together, the Q2 CPU represents an 18 percent increase over the Q1 CPU, and a 33 percent increase year over year.

Oracle listed the versions affected by the vulnerabilities in a pre-release announcement. All 15 may be remotely exploitable without authentication, which means they may be exploited over a network without requiring user credentials.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number (http://cve.mitre.org ). The highest CVSS score this time around affecting Oracle Java SE is 8.3.

The list of Oracle Java SE products and versions affected by vulnerabilities addressed in this CPU includes:

• Java Advanced Management Console, version 2.16
• Oracle Java SE, versions 7u251, 8u241, 11.0.6, 14
• Oracle Java SE Embedded, version 8u241

This CPU also include five new security patches for Oracle's GraalVM. Two of the vulnerabilities addressed may be remotely exploitable without authentication.

Each Oracle quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.

The list of vulnerabilities in other Oracle products includes:

• 51 patches for Oracle Fusion Middleware
• 74 patches for Oracle E-Business Suite
• 16 patches for Oracle Knowledge

Oracle typically urges its customers to apply the security fixes in the latest CPU as soon as possible. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company warns on its website. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Oracle publishes its patches on the Tuesday closest to the 17th of the month. Two more CPUs are scheduled for this year: July 14 and October 20.