Q4 Oracle Critical Patch Update Preview

Total Java SE flaws are likely to drop for the year

The final Oracle Critical Patch Update (CPU) of 2018 may see a 20 percent increase in Java SE patches compared to Q3. However, the total number of Java SE patches for 2018 is set to drop by one-third compared to 2017’s record-breaking number of bug fixes, based on an analysis of a pre-release statement.

Java SE Patches

Other highlights of the pre-release include:

  • Eleven Java SE patches are expected in the Q4 update, addressing vulnerabilities in Java SE versions 6u201, 7u191, 8u182, and 11. The highest CVSS base score is expected to be nine on a ten-point scale.
  • Ninety-one percent (91%) of the Java SE vulnerabilities expected to be patched can be remotely exploited. The projected annual rate for remotely exploitable flaws is also 91 percent.
  • This Q4 update is projected to contain three new security fixes for the Oracle Database Server, all of which may be remotely exploitable without authentication. These fixes apply to client-only installations and may include the Java Virtual Machine (JVM). The highest CVSS base score of vulnerabilities affecting Oracle Database Server is 9.8.
  • The Q4 release could have as many as 302 total product patches across hundreds of products, a 10 percent drop from Q3 but the third-highest quarterly total since January 2016.

Oracle will release the final version of the Q4 CPU mid-afternoon Pacific Daylight Time on Tuesday, 16 October. Waratek will follow shortly with a release of functionally equivalent virtual patches for the Java SE and other Java-related updates, which require no downtime and no source code changes to fix the software flaws.
