DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Guidance on Oracle July 2018 Critical Patch Update

Guidance on Oracle July 2018 Critical Patch Update

100 percent of the Java SE flaws in the Oracle July 2018 Critical Patch Update (CPU) can be exploited remotely. Learn more below.

John Matthew Holt user avatar by
John Matthew Holt
·
Apostolos Giannakidis user avatar by
Apostolos Giannakidis
·
Jul. 20, 18 · News
Like (2)
Save
Tweet
Share
5.32K Views

Join the DZone community and get the full member experience.

Join For Free

The Oracle July 2018 Critical Patch Update (CPU) fixes eight (8) Java SE-related vulnerabilities, all of which can be remotely exploited by hackers without user credentials. Five (5) new critical Java vulnerabilities were also fixed in the WebLogic Server, all of which are remotely exploitable without authentication.

Other highlights from the release include:

  • The Q3 release patches flaws in Java SE versions 6u191, 7u181, 8u172, and 10.0.1. CVE-2018-2972 affects Java 10 and CVE-2018-2942 affects deployments on Windows.
  • Half of the Java SE flaws affect server deployments and half affect client-side deployments. 75 percent of the Java SE vulnerabilities affect a system's confidentiality and 75 percent affect system availability.
  • This CPU fixes more new deserialization vulnerabilities in the JDK.

Application Functionality Is at Risk

Several actions taken to fix Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications. Application owners who apply binary patches should be extremely cautious and thoroughly test their applications before putting patches into production.

The risks of the July updates breaking functionality include:

  • The fix for the most critical Java SE vulnerability in the July CPU – CVE-2018-2938 – removes the vulnerable component (Java DB) from the JDK. Users that depend on this component must manually obtain the latest Apache Derby artifacts and rebuild their applications.

Waratek Patch customers are unaffected by this JDK component removal. Waratek Patch customers can obtain the virtual patch for CVE-2018-2938 from Waratek, eliminating the need to obtain the latest Apache Derby artifacts and rebuild their applications. Waratek virtual patches are applied in real-time with no downtime or source code changes.

  • The July CPU release changes the algorithms used in endpoint identification of LDAPS. Applications that us LDAP over TLS connections may stop functioning properly. If backward combability issues arise, Oracle recommends to disable endpoint identification using a new system property.

com.sun.jndi.ldap.object.disableEndpointIdentification.

Waratek Patch customers are not affected by this potentially backward incompatible change of the JDK.

  • New deserialization controls in the JDK limit the object creation phase of deserialization. These new security controls may break reflective frameworks that make use of JDK-internal APIs. These security checks can be disabled to allow these reflective frameworks to work normally by setting the system disableSerialConstructorChecks to the value “true”.

By disabling these security checks, attackers can potentially exploit this attack vector.

Waratek Enterprise users are already protected against this deserialization attack vector while allowing reflective frameworks to work as expected.

  • WebLogic is still plagued by Java deserialization vulnerabilities (CVE-2018-7489). Note that there are claims by a security researcher on Twitter that more zero-day Remote Command Execution (RCE) deserialization vulnerabilities have been reported to Oracle for WebLogic that were not fixed in the July CPU.

Waratek Enterprise users are already protected against these new deserialization vulnerabilities in WebLogic.

For more information about how the July 2018 Oracle Critical Patch Update may impact your applications or how we can help patch and protect your applications with no downtime or source code changes, please contact Waratek.

Image title

Patch (computing) Java (programming language) application Vulnerability

Published at DZone with permission of John Matthew Holt, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Beginners’ Guide to Run a Linux Server Securely
  • The Importance of Delegation in Management Teams
  • Asynchronous HTTP Requests With RxJava
  • Kotlin Is More Fun Than Java And This Is a Big Deal

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: