By John K. Waters | 07/21/2016
Oracle Corp.’s latest Critical Patch Update (CPU), issued this week, fixed a record 276 vulnerabilities in a range of the company’s products, including 13 in Java SE, some of which received high-severity scores. The number of fixes in this CPU beat the previous record of 248 announced in January.
More than half of the Java SE vulnerabilities in this CPU are remotely exploitable over a network and received high vulnerability ratings on the Common Vulnerability Scoring Systems (CVSS). Oracle uses the CVSS to rate the ease of exploitation and severity of the security holes it finds in its products. Each vulnerability is issued a unique CVE number.
Two of the Java vulnerabilities (CVE-2016-3587 and CVE-2016-3606) earned a CVSS score of 9.6 (the highest is 10.0), and both allow remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot VM. John Matthew Holt, founder and CTO of Dublin-based Java security vendor Waratek, pointed out that these vulnerabilities relate to Java features introduced in versions Java SE 7 and above, which support the “invokedynamic” feature that enables dynamic code execution and scripting. Holt also noted that the less severe CVE-2016-3550 (CVSS score of 4.3) also applies to the HotSpot JVM internals for Java SE versions 6, 7, and 8. He advised owners of Java SE 6 applications to prioritize patching with this CPU, because this fix applies to the core HotSpot JVM software.
