News

Oracle's Latest CPU: Nearly Two Dozen Fixes for Java SE

• By John K. Waters
• October 24, 2017

With its latest Quarterly Critical Patch Update (CPU), Oracle has addressed 250 vulnerabilities across hundreds of different products, including 22 vulnerabilities in the Java Platform Standard edition (Java SE).

More than 90 percent of these vulnerabilities can be exploited remotely without authentication; about 60 percent can allow attackers to perform remote Denial of Service attacks; and more than 72 percent of these vulnerabilities can be easily exploited, because their attack complexity is low. This CPU also patched four newly identified deserialization vulnerabilities in the Java Virtual Machine (JVM).

That breakdown is from Waratek, the Dublin-based app security tools provider with a special focus on Java. This CPU includes the first fixes for the newly released Java SE 9, Waratek noted, as well as optional JCE Unlimited Strength Policy Files that are standard in Java 9 that add unrestricted cryptographic strengths for Java versions 6 through 8. This will allow applications to use strong cryptographic algorithms, such as AES with 256-bit keys.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number. The most severe of the 22 Java vulnerabilities earned the highest CVSS base score of 9.6 on a 10.0 scale.

Users running Java SE with a browser can download the latest release from Oracle's Java Web site. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release, the company said.

Oracle typically advises users of its products to apply the patches offered with each CPU as soon as possible, but the Equifax breach earlier this year added an air of urgency to this quarter's admonition:

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company wrote in its CPU announcement. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

On Sept. 22 Oracle issued an out-of-cycle Security Alert for CVE-2017-9805, an Apache Struts 2 vulnerability that affected the software's REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34, and 2.5.x before 2.5.13. The vulnerability opened the door to remote code execution when deserializing XML payloads. Back in April, Oracle distributed fixes for another Struts 2 vulnerability, CVE-2017-5638, which had been identified by Equifax in relation to its highly publicized breach. Oracle strongly advised its customers to apply both fixes, and stated that they "should have already been applied to customer systems."

Waratek's lead security architect, Apostolos Giannakidis, also noted the new urgency sparked by the Equifax breach.

"Since the July 2017 Oracle CPU, the world has been rocked by Equifax, KRACK and ROCA, giving new urgency to quickly patching these emerging vulnerabilities," Giannakidis said in a statement. "While smaller than recent CPUs, there are very important updates included in this critical patch, such as patches that fix the serialization flaws. And, even though it is always important pay attention to configuration issues, this CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application."

Serialization is the process of converting an object into a stream of bytes for transport and storage; deserialization reverses the process when the data is received.

Oracle's last CPU, issued in July, set a record with patches for 32 Java-related vulnerabilities. The problem, Giannakidis told ADTMag at the time, is that the Java Runtime is so complex.

"The amount of lines of code in the code base is considerable," he said. "With such a big code base, it makes sense that you are going to have increased vulnerabilities. The important thing to remember is that these vulnerabilities were already there, lurking in the code base for a long time, based on my analysis. It's a matter of spending time finding them. In fact, the vulnerabilities in the runtime are now the focus of the security community."

Each quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.

Oracle's CPUs are issued on a quarterly schedule announced at the beginning of the year. The purpose of that schedule is to provide users of Oracle products with a level of predictability that will foster regular maintenance activity, the company has said. The next CPU is scheduled for release in January 2018.