The number of patches in the quarterly Oracle Critical Patch Update (CPU) for July 2019 is 316 which is a 6% increase compared to the April 2019 CPU.
Of the 10 vulnerabilities that affect Java SE, 9 may be remotely exploitable without the need for authentication.
Other highlights of the CPU release include:
- There are a total of 10 new fixes in Java SE, with the highest CVSS score being 6.8.
- The CPU for Java SE release patches flaws in Java SE versions 7u221, 8u212, 11.0.3, and 12.0.1
- CVE-2019-2821 and CVE-2019-2818 affect only Java 11 and 12, while CVE-2019-2842 only affects Java 8
CVE-2019-2766 only affects Java SE deployments on Windows
- There are two new Java deserialization vulnerabilities that affect only the availability of the system (CVE-2019-2769 and CVE-2019-2762)
- 60% of the fixed vulnerabilities of this quarter’s Java CPU affecting system confidentiality, effectively allowing malicious users to gain access to certain sensitive information
- There are no Critical or High vulnerabilities fixed in Java SE. 60% of the fixes are medium and the rest 40% are low severity
Java SE users that depend on the Java Access Bridge on Windows should be very cautious deploying this CPU because it introduces a big risk of breaking normal Java Access Bridge functionality
- The 3-year-old, vulnerability CVE-2016-1000031, that was fixed in 19 different Oracle products in last quarter’s update was also fixed in 15 more Oracle products in this quarter’s update. Products affected include the Oracle Communications, Oracle FLEXCUBE, Oracle WebCenter Sites and many more.
- This quarter’s Java SE update comes with an improved implementation of the Elliptic-curve cryptography (ECC) which also offers greater resiliency against side-channel attacks CVE-2019-2745. However, note that the new ECC implementation is disabled by default and the system property jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.
- The out-of-band critical patches for CVE-2019-2725 and CVE-2019-2729 that were released last April and June are also included in this Critical Patch Update.
- There is a new critical Java deserialization vulnerability fix in the Oracle WebLogic Server that can allow remote code execution on vulnerable systems (CVE-2019-2856).
‘Users should install the CPU as soon as possible because it exposes yet another critical deserialization vulnerability for WebLogic customers. While Oracle issued hot fixes for CVE-2019-2725 and CVE-2019-2729, it’s clear that insecure deserialization continues to be a risk that will likely be an ongoing challenge due to the design of the product.’
Users that wish to learn more about deserialization risks are encouraged to read Waratek’s Deserialization Problem Whitepaper for technical guidance on these vulnerabilities and actions that can be taken to reduce their exposure.