Q3 Oracle CPU Preview: Fewer Java SE Patches May Not Mean Fewer Flaws

Monday, July 16, 2018

James Lee

The July 2018 quarterly Oracle Critical Patch Update (CPU) is expected to set a new two-year high for total Oracle product patches and a 12-month low for Java SE patches, based on a review of a pre-release statement. The Q3 release could have as many as 334 total product patches, the highest in 11 quarters. Only eight Java SE patches are expected, representing a 75 percent drop from a 30-month high set in July 2017.

Other highlights of the pre-release include:

  • 100 percent of the Java SE vulnerabilities expected to be patched can be exploited remotely without user credentials.
  • The expected patches address flaws in Java SE versions 6u191, 7u181, 8u172, and 10.0.1. The highest vulnerability base score among the flaws is nine on a ten-point scale.
  • The Oracle Database Server may also get three patches, including to the Java Virtual Machine. The highest CVSS base score is expected to be 9.8, and one of the flaws can be exploited without user credentials.

On the surface, the downward trend of Java SE patches would appear to be positive. However, it may actually be more of a reflection of the adoption rates of Java SE 9 & 10 as the Java community continues to rely on older versions of Java. With low adoption rates, there are simply fewer users in a position to report bugs in the newest versions of Java.

Oracle will release the final version of the CPU mid-afternoon Pacific Daylight Time on Tuesday, July 17th.

About the author: James E. Lee is the Executive Vice President and Global CMO at Waratek. He was the former CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center, including three years as Chair.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.