The Oracle January 2019 Critical Patch Update (CPU) contains 284 new security vulnerabilities across hundreds of Oracle products, including the company’s widely used Oracle Database Server, WebLogic Server and Java SE. This is a decline in the number of fixed issues from the October 2018 CPU release, but an almost 20% increase from the same time last year.
Highlights from the CPU release include:
- There are only five new security fixes for Oracle Java SE, and only four of them affect the JRE.
- There are no high or critical vulnerabilities fixed in Oracle Java SE. The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 6.1.
- This is the smallest Java SE CPU in the history of Java SE in Oracle.
- There are 9 security fixes that affect the WebLogic Server, but only one of them is critical and one is high severity.
- Half of the fixes of Java SE impact the availability of the JRE and the other half affect the confidentiality of the JRE.
- All of the fixed vulnerabilities are remotely exploitable without any authentication.
- TLS anon (anonymous) and NULL cipher suites have been disabled by default, which could cause functional problems to apps that depend on these cipher suites.
Advice:
Waratek Patch and Waratek Enterprise customers will receive runtime virtual patches that address the Q1 CVEs under their agreements. Virtual Patches can be deployed with zero downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration. Contact your Waratek representative for details.
Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.
If you are using TLS anon or NULL cipher suites, careful attention should be paid to re-activating these suites, as this release has them disabled by default. To re-enable these cipher suites, users must modify the jdk.tls.disabledAlgorithms security property.
Severities are lower, but application compatibility risk still looms
The first Oracle CPU of 2019 contains fixes that disable the TLS anon (anonymous) and NULL cipher suites by default. While few apps would want to enable these ciphers due to their known security weaknesses, releasing functional changes as part of the binary CPU is a major contributor to prolonged patching cycles. The resulting plague of unpatched server-side applications is especially prevalent in enterprise organizations, where millions of applications remain vulnerable to known, unmitigated threats.
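To verify the behaviour described in the advice above and in this section on a given JRE, the following added check (written for this page, not code from Waratek or Oracle) reads the jdk.tls.disabledAlgorithms security property and lists any anonymous or NULL cipher suites that the default SSLContext still enables. Class and method names are the author's own; suite-name matching assumes the standard JSSE naming (for example TLS_DH_anon_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_NULL_SHA).

```java
// Added example: audit whether anon/NULL TLS cipher suites are enabled
// on the running JRE. Not part of the original post.
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsWeakSuiteCheck {

    // Returns the anonymous and NULL suites that are enabled by default.
    // An empty list means the CPU's new default (or an equivalent
    // jdk.tls.disabledAlgorithms setting) is in effect.
    static List<String> enabledWeakSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        List<String> weak = new ArrayList<>();
        for (String suite : params.getCipherSuites()) {
            // JSSE suite names carry "_anon_" for anonymous key exchange
            // and "_WITH_NULL_" for no-encryption suites.
            if (suite.contains("_anon_") || suite.contains("_WITH_NULL_")) {
                weak.add(suite);
            }
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        // The property this release changed; shows what the JRE actually loaded
        // (java.security file plus any -Djava.security.properties override).
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        List<String> weak = enabledWeakSuites();
        if (weak.isEmpty()) {
            System.out.println("OK: no anonymous or NULL cipher suites enabled by default.");
            return;
        }
        // Any suite listed here would be lost for an application that
        // depends on it once the CPU's default is applied.
        System.out.println("WARNING: weak suites still enabled by default:");
        for (String s : weak) {
            System.out.println("  " + s);
        }
        System.exit(1);
    }
}
```

Run it with the same security-property overrides the application uses so the result reflects that application's effective configuration rather than the stock java.security file.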
Java 8 gets its last free update
Free public updates for Java 8 officially ended with the January release, but vendors like IBM and Amazon remain steadfast in their commitment to support the Java development community. A great guide to all the licensing changes can be found here.
About Waratek
Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission-critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and zero-day attacks, and virtually upgrade out-of-support Java applications – all without time-consuming and expensive source code changes or unacceptable performance overhead.