News

Oracle's First CPU of 2018: Smallest Since Last April, Except for Java

• By John K. Waters
• January 30, 2018

Oracle's first Quarterly Critical Patch Update (CPU) of 2018 provided fixes for 237 vulnerabilities across its product lines, including patches for 21 security holes in the Java Platform Standard edition (Java SE), 18 of which are remotely exploitable without authentication.

The latest CPU provides the fewest fixes for Oracle's products since last April -- except for Java SE, for which the company provided 22 fixes last quarter. The consistent number of patches, quarter to quarter, is a reminder that people must keep up with Java security, said John Matthew Holt, CTO of security firm Waratek, because the vulnerabilities are not going away any time soon.

Holt also pointed out that 28.5 percent of the vulnerabilities patched for the Java platform in this CPU address unsafe deserialization. Serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data is received.

"Oracle began fixing the first of the unsafe deserialization vulnerabilities discovered in the Java Platform last January," Holt noted. "People were hoping that there would be one or two in isolation. But there has been a significant footprint of unsafe deserialization in every CPU since. It shows how challenging it is to deal with this vulnerability type in the core Java platform."

Waratek, a Dublin-based app security tools provider with a special focus on Java, discovered two of the unsafe deserialization flaws patched with this CPU. "Waratek researched the JRE (Java Runtime Environment) codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication," the stated in an advisory released Jan. 18.

An unsafe deserialization flaw was discovered last year in Apache Struts web app framework, which allowed attackers to seize control of any server running REST apps built with Struts. The Apache Software Foundation released a patch in September. A month later, an unsafe deserialization flaw was found in RubyGems, the maintainers of which issued a patch.

"We should all remember that the same unsafe deserialization problem is not only linked to the Java Platform," Holt said, "but also the major frameworks and software components that are going to be built from Java."

Oracle's latest CPU includes patches for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) processor vulnerabilities that were disclosed on Jan. 3.

"This CPU is released into an environment where virtually every enterprise on the planet that is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be routinely applied," said Waratek EVP James Lee in a statement. "Companies that do business in the European Union are also coming to realization that a breach is not their only risk of incurring a large fine under the pending GDPR security rules – so is a failure to patch."

"I think it's also important to recognized that Oracle and the community's investment in Java means that problems and vulnerabilities are found and fixed at a faster rate than many of the other software development languages," Hole said. "The apparent proliferation of these vulnerabilities is evidence of a good quality security program being applied to the platform to find them and try to fix them."

Each Oracle Quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously-reported security issues.

Oracle's CPUs are issued on a quarterly schedule announced at the beginning of the year. The purpose of that schedule is to provide users of Oracle products with a level of predictability that will foster regular maintenance activity, the company has said. The next four dates are:

• 17 April 2018
• 17 July 2018
• 16 October 2018
• 15 January 2019