The Dublin, Ireland- and Atlanta-based Waratek revealed that security threats still exist despite Oracle's latest Critical Patch Update (CPU). The CPU provided fixes for the Meltdown and Spectre chip flaws and for Java vulnerabilities.
The January 2018 Oracle Critical Patch Update contained fixes for 237 vulnerabilities across hundreds of Oracle products, including the company's widely used Oracle Database Server and Java Standard Edition.
In its guidance, Waratek, the virtualization-based application security company, indicated the CPU included:
- Fixes for the Java Virtual Machine and four other vulnerable components within the Oracle Database Server, the most severe of which carries a Common Vulnerability Scoring System (CVSS) base score of 9.1 out of 10; three of the flaws are exploitable remotely without credentials.
- New security fixes for 21 vulnerabilities in multiple versions of Java SE, 18 of which are remotely exploitable without authentication. The most severe of the Java SE vulnerabilities has a CVSS base score of 8.3. The CPU included fixes for flaws in Java SE versions 6 through 9.
- Two deserialization vulnerabilities identified in the Java platform by Waratek were patched in the January 2018 CPU.
- The number of vulnerabilities patched in the Java platform has doubled since January 2016.
What Waratek discovered is highly technical to many of the corporations and industries using Oracle products but not to cybercriminals looking to exploit any weakness.
"The velocity and volume of Java software flaws continues to trend in the wrong direction," John Matthew Holt, founder and chief technology officer of Waratek, said. "One research report showed that 86% of the most severe patches require 30 days or more to apply, while another concludes that the average time to apply a patch is 90 days or longer. In either event, that is an unacceptably long period of time given that attacks often commence within hours of the announcement of a new vulnerability."
He added, "The January 2018 CPU is released into an environment where virtually every enterprise is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be routinely applied."
Waratek indicated that while there is some good news in the January CPU, in that the overall number of bugs patched in the update is down from the high of July 2017, the number of Java flaws found and fixed has doubled quarter over quarter since January 2016. Equally troubling is that the number of Java SE flaws remotely exploitable without credentials remains in the double digits after years of single-digit risk.
Java deserialization vulnerabilities also continue to be a key component of the January 2018 CPU. Waratek researched the Java Runtime Environment codebase and identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication.
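The defensive check that addresses this flaw class directly, as an added illustration that is not Waratek's or Oracle's code: since Java 9, `java.io.ObjectInputFilter` lets an application bound array lengths, nesting depth and total stream bytes while deserializing, so an oversized allocation is rejected before the memory is committed. The limits and the allow-listed classes below are assumed values chosen for the demo, and the serialized inputs are constructed inline.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class BoundedDeserialization {
    // Assumed demo limits (tune per application): cap array length, object
    // graph depth and total stream bytes; allow only ArrayList and String;
    // "!*" rejects every other class, including gadget-chain classes.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=1000;maxdepth=5;maxbytes=65536;java.util.ArrayList;java.lang.String;!*");

    // Serialize an object to bytes (used here only to construct sample input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed. The JDK consults the filter for
    // every class (and array length) in the stream; a violation throws
    // InvalidClassException before the offending object or array is allocated.
    static Object deserializeBounded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Well-formed, in-budget input passes the filter.
        List<String> small = new ArrayList<>(List.of("a", "b", "c"));
        System.out.println("accepted: " + deserializeBounded(serialize(small)));

        // A stream declaring a one-million-element int[]: the length precedes
        // the elements in the wire format, so the filter rejects it at the
        // array header rather than letting readArray allocate 4 MB.
        int[] huge = new int[1_000_000];
        try {
            deserializeBounded(serialize(huge));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide through the `jdk.serialFilter` system property instead of per stream, which is the usual way to cover third-party code that deserializes untrusted input.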
Waratek explained that it is increasingly easy to apply virtual patches that instantly protect vulnerable applications without requiring downtime, code changes or tuning. Purpose-built lightweight plugin agents exist that can shorten the time to apply Java and .NET virtual patches that are the functional equivalent of the physical binary patch. This allows application security and development teams to better prioritize which apps require a physical patch, without the risk of breaking the app or suffering a breach while waiting to deploy the necessary code changes.
Waratek recommended that its customers and non-customers apply the virtual patches as quickly as possible, because more than 85% of the common vulnerabilities and exposures affecting Java users addressed in the January 2018 CPU are remotely exploitable without credentials.
© 2025 ALM Global, LLC, All Rights Reserved.