Oracle April 2018 CPU: Most Java flaws can be remotely exploited

Customer Alert 20180418

Oracle Critical Patch Update April 2018 Released

Summary

This Critical Patch Update patches 15 Java-related vulnerabilities, including one flaw identified by Waratek. The number of Java SE patches in the Q2 CPU dropped by one third, from 21 to 14, but the percentage of flaws that can be exploited without authentication remains the same as in Q1: 86%. The highest CVSS score among the Java SE vulnerabilities is 8.3.

Other highlights of the release include:

  • New security fixes for the widely used Oracle Database Server involve only the Java Virtual Machine. The vulnerability patched has a CVSS Base Score of 8.5 on a 10-point scale, but is not remotely exploitable.
  • Of the 14 Java SE fixes, seven address Java deserialization vulnerabilities.
  • The Q2 CPU introduces a new built-in serialization filter for the JCE KeyStore. This new filter continues the tradition of built-in serialization filters of the JEP-290 Serialization Filtering mechanism that was first introduced in January 2017. The new built-in filter, named JCEKS Encrypted Key Serial Filter, restricts the expected types of the SecretKey to a set of predefined types. Note that because this new filter is enabled by default, Java SE users must profile their applications and make sure that the new built-in filter does not break their existing, legitimate functionality, before they deploy this new Java SE release in production. Users storing a SecretKey that does not serialize to the expected/default types must modify the filter to allow the key to be deserialized.
  • One half of the identified vulnerabilities affect the confidentiality of the Java Virtual Machine and almost 80% affect the availability of the JVM.

Two critical vulnerabilities affect only the newly released Java 10, but there are no critical patch updates for Java 9 – released in September 2017 – which has been replaced by the March 2018 release of Java 10. Java 9 users must now upgrade to Java 10 to receive public critical patch updates from Oracle. Java 11 is due later this year.

Waratek Advice

Waratek Customers: Waratek will publish functionally equivalent virtual patches based on the CPU for customers to apply without source code changes and without taking a vulnerable application out of production.

Non-Waratek Customers: This CPU introduces a new built-in serialization filter for the JCE KeyStore. This new filter continues the tradition of built-in serialization filters of the JEP-290 Serialization Filtering mechanism that was first introduced in January 2017. The new built-in filter, named JCEKS Encrypted Key Serial Filter, restricts the expected types of the SecretKey to a set of predefined types. Because this new filter is enabled by default, Java SE users must profile their applications and make sure that the new built-in filter does not break their existing, legitimate functionality before they deploy this new Java SE release in production. Users storing a SecretKey that does not serialize to the expected/default types must modify the filter to allow the key to be deserialized.
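The profiling step that the JCEKS highlight above and the advice here both call for, as an added example (not Waratek's or Oracle's code): a small Java program with a hypothetical SecretKey type that serializes as its own class, so the default JCEKS key filter rejects it when the key is read back. It assumes the `jceks.key.serialFilter` system/security property shipped with this CPU and a JDK that applies it.

```java
import java.io.*;
import java.security.*;
import javax.crypto.SecretKey;

public class JceksFilterProfile {

    // Hypothetical key type: it serializes as its own class, not as KeyRep or
    // SecretKeySpec, so the default JCEKS key filter (ending in "!*") rejects it.
    static final class OpaqueSecretKey implements SecretKey {
        private static final long serialVersionUID = 1L;
        private final byte[] bytes;
        OpaqueSecretKey(byte[] bytes) { this.bytes = bytes.clone(); }
        public String getAlgorithm() { return "AES"; }
        public String getFormat() { return "RAW"; }
        public byte[] getEncoded() { return bytes.clone(); }
    }

    // Store the key in an in-memory JCEKS keystore, reload it and try to read the
    // key back. Returns the loaded key, or null if the key filter rejected it.
    static Key roundTrip(SecretKey key, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);
        ks.setKeyEntry("profiled-key", key, pw, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);

        KeyStore loaded = KeyStore.getInstance("JCEKS");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), pw);
        try {
            // The filter is applied here, when the sealed key object is deserialized.
            return loaded.getKey("profiled-key", pw);
        } catch (UnrecoverableKeyException e) {
            System.out.println("key rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // The system property takes precedence over the java.security property.
        String filter = System.getProperty("jceks.key.serialFilter");
        if (filter == null) filter = Security.getProperty("jceks.key.serialFilter");
        System.out.println("jceks.key.serialFilter in effect: " + filter);

        byte[] raw = new byte[16];                      // constructed demo key material
        new SecureRandom().nextBytes(raw);
        Key back = roundTrip(new OpaqueSecretKey(raw), "changeit".toCharArray());
        System.out.println(back == null ? "custom key type NOT loadable under this filter"
                                        : "loaded as " + back.getClass().getName());
    }
}
```

Run it once as-is, then again with `-Djceks.key.serialFilter='java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;JceksFilterProfile$OpaqueSecretKey;!*'` to see the extended filter accept the custom type while still rejecting everything else.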

For more information please contact your Waratek representative or contact us by email to schedule a demonstration or free trial.


John Matthew Holt, Waratek’s Founder and Chief Technology Officer and Apostolos Giannakidis, Waratek’s Lead Security Architect contributed to this Alert. 
