Waratek Issues Guidance on Oracle April 2018 CPU
April 2018 by Waratek
Waratek, the compiler-based application security company, has issued guidance on Oracle’s latest Critical Patch Update (CPU) for April 2018, which addresses 254 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
This Critical Patch Update patches 15 Java-related vulnerabilities including one flaw identified by Waratek. The number of Java SE patches in the Q2 CPU dropped by 1/3rd from 21 to 14, but the percentage of flaws that do not require authentication to be exploited remains the same as Q1 – 86%. The highest CVSS Score of the Java SE vulnerabilities is 8.3.
“The April CPU arrives during the largest gathering of security experts in the world - the annual RSA Conference - and reinforces a recurring theme during discussions at the event: unpatched software flaws represent the single largest cybersecurity threat today,” said Waratek Founder and Chief Technology Officer John Matthew Holt.
“The volume of velocity of patches and the length of time it takes to patch enterprise applications make it next to impossible to fix flaws fast enough to significantly reduce the risk of being exploited by a known flaw,” added Holt. “True virtual patching - when code bugs are replaced in real time while the app runs with patches that mirror a physical binary - is the fastest and most accurate way to close the gap between when vulnerabilities are announced and attacks begin.”
Waratek will publish functional equivalent virtual patches based on the CPU for customers to apply without source code changes and without taking a vulnerable application out of production.
Other highlights of the release include:
• New security fixes for the widely used Oracle Database Server only involve the Java Virtual Machine. The vulnerability patched has a CVSS Base Score of 8.5 on a 10 point scale, but is not remotely exploitable.
• Out of the Java SE 14 fixes, seven are fixes for Java deserialization vulnerabilities.
• The Q2 CPU introduces a new built-in serialization filter for the JCE KeyStore. This new filter continues the tradition of built-in serialization filters of the JEP-290 Serialization Filtering mechanism that was first introduced in January 2017. The new built-in filter, named JCEKS Encrypted Key Serial Filter, restricts the expected types of the SecretKey to a set of predefined types. Note that because this new filter is enabled by default, Java SE users must profile their applications and make sure that the new built-in filter does not break their existing, legitimate functionality, before they deploy this new Java SE release in production. Users storing a SecretKey that does not serialize to the expected/default types must modify the filter to allow the key to be deserialized.
• One half of the identified vulnerabilities affect the confidentiality of the Java Virtual Machine and almost 80% affect the availability of the JVM.
• Two critical vulnerabilities affect only the newly released Java 10, but there are no critical patch updates for Java 9 - released in September 2017 - which has been replaced by the March 2018 release of Java 10. Java 9 users must now upgrade to Java 10 to utilize public critical patch updates from Oracle. Java 11 is due later this year.