Guidance on Oracle October 2018 Critical Patch Update

The last CPU of the year includes the first patch for Java 11. Click here to learn more about the new critical patch update for Java 11!

By James Lee · Oct. 17, 18 · News

The final Oracle Critical Patch Update (CPU) of 2018 fixes 12 Java SE vulnerabilities and a dozen new WebLogic flaws, part of the 301 patches across Oracle's product set. The number of Java SE flaws patched during the year is down 30 percent from 2017's record high, but the share of those vulnerabilities that can be exploited without credentials remains very high at 89 percent.

Other highlights from the release include:

  1. One-third of the 12 new Java SE bugs carry a severity rating of high or critical, and 11 of the 12 can be exploited remotely. Eight of the 12 new WebLogic vulnerabilities are critical.
  2. WebLogic is still plagued by Java deserialization vulnerabilities: many of the WebLogic patches in this CPU are directed at preventing these exploits.
  3. Three legacy components, in Oracle Real-Time Decision Server, Oracle Adaptive Access Manager, and Oracle Communications Performance Intelligence Center (PIC), have been patched. All three are based on the Apache Struts 1 framework, whose last release was in 2008 and which the Apache project declared end-of-life in 2013.
  4. Oracle performed a deep dive into its third-party dependencies and fixed more than 80 vulnerable Java components. Some of those components had carried known vulnerabilities since 2014 (e.g. CVE-2014-3490).

Advice

[Chart: Java SE Patches 2016-2018]

Waratek Patch and Waratek Enterprise customers will receive runtime virtual patches that address the Q4 CVEs under their agreements. Some CVEs are also addressed by Waratek's built-in CWE rules, which offer active zero-day protection with zero tuning or configuration. For example, Waratek Enterprise users are already protected against all of the new deserialization vulnerabilities in WebLogic.

Contact your Waratek representative for details.

Non-customers should follow Oracle's advice and apply the critical patch updates without delay.

WebLogic users that cannot immediately apply the latest CPU should consider blocking unauthorized T3 access, the protocol over which the WebLogic deserialization exploits arrive, either at a firewall/proxy or via WebLogic connection filters, following the instructions in Oracle support document 2076338.1. Additionally, WebLogic users could consider configuring the JVM's global deserialization filter (JEP 290), but only after carefully profiling their applications: an allow-list filter rejects every serializable class it does not name, so an unprofiled one will break legitimate RMI/EJB traffic as readily as it blocks gadget chains.
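The following is an added example, not code from the article or from Oracle, showing what a JEP 290 deserialization filter actually does to an incoming stream. It uses the public `java.io.ObjectInputFilter` API that exists from Java 9 onward (on Java 8u121 and later the same facility lives under `sun.misc.ObjectInputFilter`, with the filter attached via `ObjectInputFilter.Config.setObjectInputFilter`). The class name `SerialFilterDemo`, the allow-list pattern, and the two sample objects are constructed for illustration; a real allow-list must be derived from profiling the application's own serialized traffic.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (not from the article): a JEP 290 allow-list filter applied
 * to an ObjectInputStream. Everything not named in the pattern is rejected by
 * the trailing "!*"; maxdepth/maxarray bound nesting depth and array sizes so
 * that billion-laughs style payloads are cut off before allocation.
 */
public class SerialFilterDemo {

    // Illustrative allow-list. java.lang.Object must be listed because the
    // stream checks arrays by their component type, and ArrayList.readObject
    // asks the filter to approve an Object[] before it allocates one.
    static final String PATTERN =
        "maxdepth=8;maxarray=1000;"
        + "java.util.ArrayList;java.lang.Integer;java.lang.Number;java.lang.Object;"
        + "!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Per-stream filter. The same pattern string can be applied to every
            // ObjectInputStream in the process with -Djdk.serialFilter=<pattern>.
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ArrayList<Integer>, fully on the allow-list.
        byte[] allowed = serialize(new ArrayList<>(List.of(1, 2, 3)));
        System.out.println("allowed : " + deserialize(allowed, FILTER));

        // Constructed sample input: HashMap is not listed, so the stream is
        // rejected when its class descriptor is read, before HashMap.readObject
        // (or any readObject/readResolve of a gadget class) gets to run.
        byte[] rejected = serialize(new HashMap<String, Integer>());
        try {
            deserialize(rejected, FILTER);
            System.out.println("BUG: HashMap should have been rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

Two practical points the run makes visible. First, the rejection is an `InvalidClassException` raised while the class descriptor is being read, which is the whole value of JEP 290: the attacker's class is never resolved into a constructed object. Second, the `HashMap` rejection is a benign class being refused by an over-tight allow-list, which is exactly the breakage the article warns about when it says to profile applications first; on WebLogic the list would have to admit the RMI, EJB and JMS types the server legitimately exchanges over T3. A process-wide filter is set with `-Djdk.serialFilter=` on the JVM command line or the `jdk.serialFilter` property in `$JAVA_HOME/conf/security/java.security`, and a per-stream filter as above can only tighten, never loosen, the global one.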

Legacy Versions of Java Remain a Risk

Java 8 is set to lose public updates in January 2019, but the vast majority of patches in the Q4 and preceding updates address flaws in Java 8 and earlier versions of Java. In fact, this CPU includes fixes for CVEs dating back four years.

Only a relative handful of CVEs linked to Java 9, 10, and now 11 have been issued since the release of Java 9 in September 2017. Yet various researchers continue to report that the vast majority of new enterprise applications are still written for Java 8. Java also remains the most popular programming language overall.

This creates a quandary for many organizations that are mandated to operate their applications on the most current version of the Java platform: incur the time, expense and risk of breaking functionality to upgrade or rewrite an application, or virtually upgrade an out-of-support application using a compiler-based solution that lifts a legacy application to a current version of Java without source code changes.

Failing to Apply Patches Is Also Risky

Oracle advises Java users to apply all critical patches "without delay." This is often not practical, regardless of the size and complexity of a business. The time required to patch enterprise applications in large businesses, the resource constraints in smaller ones, and the risk of breaking an application's functionality are common barriers to applying binary patches on a timely basis.

Applying runtime virtual patches through the compiler of the Java Virtual Machine allows functionally equivalent patches to fix flawed code without downtime, source code changes, or risk of breaking an application.

For more information about how the October 2018 Oracle Critical Patch Update may impact your applications and how we can help protect your applications with no downtime or source code changes, please contact Waratek.

About Waratek

Some of the world's leading companies use Waratek to patch, secure, and upgrade their mission-critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and zero-day attacks, and virtually upgrade out-of-support Java applications, all without time-consuming and expensive source code changes or unacceptable performance overhead.

Patch (computing) Application security Java (programming language)

Published at DZone with permission of James Lee, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
