Alert

Waratek Adds Protections Found in the Latest Oracle Java Security Update

Waratek has released a security rules update in coordination with the quarterly Critical Patch Update (CPU) for Java released by Oracle on Tuesday, July 20th. Waratek customers may immediately apply the patch to their Java applications without taking their apps out of production. Virtual patching is especially effective as an interim step when immediate physical patching is not possible or practical.

This quarter’s Oracle CPU includes 13 important security updates for Java SE, more than half of which are remotely exploitable over a network without authentication, with high-severity CVSS scores between 7.0 and 10.0.

Comments

“Customers really do need to apply these Java CPU patches as soon as possible,” advised Waratek CTO & Co-Founder John Matthew Holt. “Oracle’s Java Team has been making tremendous efforts over the last several years to rapidly respond to Java security issues. The escalating necessity for advanced cybersecurity programs is driving the need for faster time-to-remediation for all types of security issues, and Java is no exception.”

In particular, CVE-2016-3587 and CVE-2016-3606, which both carry a CVSS score of 9.6, apply to Java SE 7 and/or Java SE 8. This indicates that these vulnerabilities relate to Java features introduced in Java SE 7 and later, in particular the “invokedynamic” feature that enables dynamic code execution and scripting.

CVE-2016-3550 is less severe, with a CVSS score of 4.3, but it affects the HotSpot JVM internals for Java SE versions 6, 7, and 8. Owners of Java SE 6 applications should therefore also prioritize patching with this CPU, as this fix applies to the core HotSpot JVM software.

Several other internal HotSpot JVM vulnerabilities have also been patched in earlier quarters. Application owners who did not patch in the previous quarters should now patch with this latest CPU for the combined benefit of all current HotSpot JVM patches in a single patch cycle.

Virtual Patching

By updating the Waratek rules engine to address these high-risk vulnerabilities, customers using the company’s Runtime Application Self-Protection (RASP) solution are able to virtually patch their workloads, remediating the severe vulnerabilities covered by the physical Oracle CPU.

Virtual patching does not require applications protected within a Waratek secure, virtual container to be taken out of production to get the benefits of vulnerability updates.

Traditional patching methods require applications to be shut down and the update applied before restarting the app – a time-consuming and disruptive operation that often leads to organizations falling behind in fixing known vulnerabilities.

“It’s important that businesses apply these patches as soon as possible to help ensure they don’t fall victim to an attack. According to Verizon, 85% of successful exploits involve the Top 10 known vulnerabilities that have not been patched despite fixes being available from Oracle for months or years. Virtual patching allows large, medium, and small businesses to automate their CPUs – saving time and money that can be better spent on higher value activities – and mitigate the risks that come from delaying the upgrade to the latest security protections,” noted Holt.


About Waratek

Waratek is a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection or RASP. Waratek’s RASP solutions are highly accurate, easy to install, simple to operate, and do not slow application performance – providing protection against known and unknown vulnerabilities in current and legacy software.

Waratek has received ten industry awards, including the 2015 RSA Conference’s Innovation Sandbox Award. Waratek Ltd is based in Dublin, Ireland and serves EMEA. Waratek Inc. is based in Atlanta, Georgia and serves the Americas. For information visit Waratek.com.
