Guidance on Oracle October 2018 Critical Patch Update

The final Oracle Critical Patch Update (CPU) of 2018 fixes 12 Java SE-related vulnerabilities and a dozen new WebLogic flaws, part of the 301 patches across Oracle's product set. The number of Java SE flaws patched during the year is down 30 percent over 2017's record high, but the number of vulnerabilities that can be exploited without credentials remains very high at 89 percent.

Other highlights from the release include:

1. One-third of the 12 new Java SE bugs carry a severity rating of high or critical; 11 of the 12 can be remotely exploited. Eight of the 12 new WebLogic vulnerabilities are critical.
2. WebLogic is still plagued by Java deserialization vulnerabilities as many of the patches in this CPU are directed at preventing these exploits.
3. Three legacy components, namely in Oracle Real-Time Decision Server, Oracle Adaptive Access Manager, and in Oracle Communications Performance Intelligence Center (PIC), have been patched, which are based on the Apache Struts 1 framework that has been EOL for 10 years.
4. Oracle performed a deep-dive into their third-party dependencies and fixed more than 80 Java vulnerable components. Some of the vulnerable components had been vulnerable since 2014 (e.g. CVE-2014-3490).

Advice

Waratek Patch and Waratek Enterprise customers will receive runtime virtual patches that address the Q4 CVEs under their agreements. Some CVEs are also addressed in Waratek's built-in CWE rules that offer active zero-day protection with zero tuning or configuration. For example, Waratek Enterprise users are already protected against all of these new deserialization vulnerabilities in WebLogic.

Contact your Waratek representative for details:

Non-customers should follow Oracle's advice and apply the critical patch updates without delay.

WebLogic users that cannot immediately apply the latest CPU should consider preventing unauthorized T3 access through a firewall/proxy or via connection filters according to the instructions provided by Oracle in the support document 2076338.1. Additionally, WebLogic users could consider configuring the JVM's global deserialization filter (JEP-290) after carefully profiling their apps.

Legacy Versions of Java Remain a Risk

Java 8 is set for end-of-public support in January 2019, but the vast majority of patches in the Q4 and preceding updates address flaws in Java 8 and earlier versions of Java. In fact, this CPU includes fixes for CVEs dating back four years.

Only a relative handful of CVEs linked to Java 9, 10, and now, 11, have been issued since the release of Java 9 in July 2017. Yet, various researchers continue to report that the vast majority of new enterprise applications continue to be written in Java 8. Java also remains the most popular programming language overall.

This creates a quandary for many organizations that are mandated to operate their applications on the most current version of the Java platform: incur the time, expense and risk of breaking functionality to upgrade/rewrite an application - or - virtually upgrade an out-of-support application using a compiler-based solution that instantly lifts a legacy application to a current version of Java without source code changes.

Failing to Apply Patches Is Also Risky

Oracle advises Java users to apply all critical patches "without delay." This is often not practical for organizations regardless of the size and complexity of a business. The amount of time required to patch enterprise applications in large businesses and the resource constraints in smaller ones, coupled with the risk of breaking an application's functionality, are common barriers to applying binary patches on a timely basis.

Applying runtime virtual patches using the compiler of the Java Virtual Machine allows for functional equivalent patches to fix flawed code without downtime, source code changes or risk of breaking an application.

For more information about how the October 2018 Oracle Critical Patch Update may impact your applications and how we can help protect your applications with no downtime or source code changes, please contact Waratek.

About Waratek

Some of the world's leading companies use Waratek to patch, secure, and upgrade their mission-critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks and virtually upgrade out-of-support Java applications — all without time —consuming and expensive source code changes or unacceptable performance overhead.