News

Oracle's Summer CPU Fixes 10 Java Security Vulnerabilities

• By John K. Waters
• July 16, 2019

Oracle is set to release its latest Critical Patch Update (CPU) today. This quarterly collection of patches for multiple security vulnerabilities is expected to contain 322 patches across Oracle's product line, including 10 security fixes for Java Standard Edition (Java SE).

Nine of the Java SE vulnerabilities are remotely exploitable without authentication, the company said in a pre-release announcement, which means they can be exploited over a network without requiring user credentials. The Java SE products and versions affected by these vulnerabilities, and for which Oracle provides fixes with this CPU are Java SE, versions 7u221, 8u212, 11.0.3, 12.0.1; and Java SE Embedded, version 8u21.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number and a score ranging from 0 to 10, with 10 being the most severe. The highest CVSS score of vulnerabilities affecting Java SE that are addressed in this CPU is 6.8.

This CPU is also expected to include two new security fixes affecting Oracle GraalVM Enterprise Edition, version 19.0.0, which was released earlier this month. One of these vulnerabilities can be remotely exploited without authentication. The highest CVSS score affecting the GraalVM is 7.7.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products," the company said in a pre-release announcement. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible."

As of this writing, the official CPU has yet to be published. "While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory," Oracle said in its announcement.

The company issued an out-of-band security fix earlier this month, addressing a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services (CVE-2019-2729). This remote code execution vulnerability is remotely exploitable without authentication. "Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," Oracle said in its security alert.

Java object serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data are received. It can also be used to reconstruct an object graph from a stream. Oracle addressed a Java deserialization vulnerability caused by the Apache Commons FileUpload dependency in its last CPU.

The Oracle CPUs are scheduled for Oct. 15 of this year, and Jan. 14 and April 14, 2020.