Hackers Exploit Vulnerabilities within Hours as Patches take 30 to 90 days to Complete
DUBLIN and ATLANTA – January 16, 2018 – Waratek, the virtualization-based application security company, has issued guidance on Oracle’s latest Critical Patch Update January 2018, which was released on January 16, 2018.
The Oracle Critical Patch Update January 2018 (CPU) contains 237 new security vulnerabilities across hundreds of Oracle products, including the company’s widely used Oracle Database Server and Java SE. The CPU includes:
- Fixes for the Java Virtual Machine and four other vulnerable components within the Oracle Database Server, the most severe of which carries a CVSS Base Score of 9.1 out of 10; three of the flaws may be exploited remotely without credentials.
- New security fixes for 21 vulnerabilities in multiple versions of Java SE, 18 of which are remotely exploitable without authentication. The most severe of the vulnerabilities in Java SE has a CVSS Base Score of 8.3. The CPU includes fixes for flaws in Java SE versions 6 through 9.
- Two deserialization vulnerabilities identified in the Java platform by Waratek are patched in the January 2018 CPU.
- The number of vulnerabilities patched in the Java platform has doubled since January 2016.
“The velocity and volume of Java software flaws continues to trend in the wrong direction,” said John Matthew Holt, Founder and Chief Technology Officer of Waratek. “One research report shows that 86% of the most severe patches require 30 days or more to apply, while another concludes that the average time to apply a patch is 90 days or longer. In either event, that is an unacceptably long period of time given that attacks often commence within hours of the announcement of a new vulnerability.”
“The January 2018 CPU is released into an environment where virtually every enterprise is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be routinely applied,” added Holt.
Analysis
While there is some good news in the January CPU – the number of overall bugs patched in the Update is down from the high of July 2017 – the number of Java flaws being found and fixed is flat quarter-over-quarter and has risen 2X since January 2016. Equally troubling, the number of Java SE flaws that can be remotely exploited without credentials remains in the double digits after years of single-digit risk.
Java deserialization vulnerabilities also continue to be a key component of the January 2018 CPU. Waratek researched the JRE codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication.
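The unbounded memory allocation flaws described above belong to a class that the JDK's built-in serialization filtering (JEP 290, Java 9 and later) is designed to contain: the filter sees the declared array length before the JVM allocates it. The following is an added illustration, not code from Waratek or Oracle; the filter pattern, the size limits and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Constructed policy: cap array length, total stream bytes and graph depth,
    // allow only java.util/java.lang classes, reject everything else.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=1000;maxbytes=65536;maxdepth=8;java.util.*;java.lang.*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes under FILTER; returns null when the filter rejects the stream. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        } catch (InvalidClassException e) {
            // Thrown when the filter status is REJECTED: oversize array,
            // disallowed class, too many bytes or too deep a graph.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a small list of strings passes the filter.
        List<String> small = new ArrayList<>(List.of("a", "b"));
        System.out.println("accepted: " + readFiltered(serialize(small)));

        // Constructed sample 2: an array whose declared length exceeds maxarray
        // is rejected when the length is read, before any allocation happens.
        System.out.println("result: " + readFiltered(serialize(new int[50_000])));
    }
}
```

The same limits can be applied process-wide without code changes via the `jdk.serialFilter` system property, which is the usual way to roll such a policy out across existing applications.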
Recommended Actions
It is increasingly easy to apply virtual patches that instantly protect vulnerable applications without requiring downtime, code changes or tuning. Purpose-built lightweight plugin agents exist that can shorten the time to apply Java and .NET virtual patches that are the functional equivalent of the physical binary. This allows App Sec and Dev teams to better prioritize which apps require a physical patch without the risk of breaking the app or being breached while waiting to deploy the necessary code changes.
Waratek customers should apply the virtual patches provided by Waratek to receive immediate protection without restarting their applications. This includes virtual patches for the two deserialization CVEs identified by Waratek and included by Oracle in the January 2018 CPU.
Non-customers should apply the appropriate binary CPU as quickly as possible, as more than 85% of the CVEs impacting Java users addressed in the January 2018 CPU can be remotely exploited without credentials. Applying the physical CPU from Oracle requires binary changes, which increase the risk of incompatibilities and unexpected functionality failures. Therefore, organizations are advised to apply the CPU in QA and UAT environments before deploying it into production.
Waratek actively protects against the 2017 OWASP Top Ten and other known and unknown attacks. Waratek’s Virtual Critical Patch Updates are the functional equivalent to the physical patches offered by Oracle and other Java Virtual Machine providers.
About Waratek
Waratek is a pioneer in the next generation of application security solutions. Using patented virtualization technology, Waratek makes it easy for security teams to instantly patch known flaws, virtually upgrade out-of-support applications, and protect 100% of their application code – all without time consuming and expensive code changes or unacceptable performance overhead.
Waratek is one of CSO Online’s Best Security Software solutions of 2017, a winner of the RSA Innovation Sandbox Award, and more than a dozen other awards and recognitions.
Waratek is based in Dublin, Ireland and Atlanta, Georgia. For more information visit https://www.waratek.com/
Media Contact:
Mike Gallo for Waratek
Lumina PR
212-239-8594