Waratek Issues Technical Guidance on Oracle January 2018 CPU and Java SE Security
More than a quarter (28.5%) of the Java flaws in the January CPU opened companies to deserialization attacks vs. 10% last year
DUBLIN and ATLANTA, Jan. 18, 2018 /PRNewswire/ -- Waratek, the virtualization-based application security company, has issued technical guidance on Oracle's latest Critical Patch Update (CPU) for January 2018. This follows initial commentary and analysis by Waratek when the CPU was first issued on January 16, 2018.
The first Oracle Critical Patch Update of 2018 contains fixes for 21 new vulnerabilities in the Java SE platform; 28.5 percent of them are deserialization-related flaws. As part of Waratek's security research and analysis, two new deserialization vulnerabilities were identified in the Java platform and have been patched in the January 2018 CPU.
Analysis
In 2017 Oracle fixed a total of 79 vulnerabilities in the Java SE platform. More than 10% of these vulnerabilities were related to Serialization and RMI components.
Because of the growing risk of serialization issues in the JVM, Oracle introduced the JEP-290 Serialization Filtering mechanism in January 2017 in an attempt to mitigate deserialization vulnerabilities. Serialization Filtering inspects the stream ahead of object creation, so the receiver can allow only specific classes and place restrictions and limits on the objects being deserialized.
Depending on the nature of the serialization vulnerability, Oracle may either use the Serialization Filtering mechanism to patch the issue or fix the issue by adding hardcoded restrictions in the vulnerable components. For example, the October 2017 CPU contains four vulnerabilities related to serialization and it uses Serialization Filtering to patch two of them. The other two were patched using custom, hardcoded fixes.
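To make the mechanism concrete, here is an added example (not Waratek's or Oracle's code) of a receiver applying a JEP-290 style per-stream filter through the standard `java.io.ObjectInputFilter` API available since Java 9: an allowlist of expected classes plus depth and array-size limits, with everything else rejected before the object is instantiated. The class names in the allowlist are chosen for this demonstration only.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class SerialFilterDemo {
    // Allowlist for this consumer: ArrayList of Integer (Number is Integer's
    // serializable superclass, so its descriptor is checked too). "!*" rejects
    // every other class; the limits cap graph depth and array length up front.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "java.util.ArrayList;java.lang.Integer;java.lang.Number;!*;maxdepth=5;maxarray=1000");

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter is consulted for each class descriptor as it is read; a rejected
    // class raises InvalidClassException before its readObject logic can run.
    static Object deserializeFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ArrayList<Integer> expected = new ArrayList<>();   // constructed sample input
        expected.add(1);
        expected.add(2);
        System.out.println("allowed: " + deserializeFiltered(serialize(expected)));

        HashMap<String, String> unexpected = new HashMap<>(); // constructed, not on the allowlist
        unexpected.put("k", "v");
        try {
            deserializeFiltered(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property, which is the knob an operator would use when the application code cannot be changed.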
Action Items
Waratek customers should apply the virtual patches provided by Waratek to receive immediate protection without restarting their applications. Since January 2016, Waratek has protected customers from 116 recently discovered Java SE vulnerabilities and Zero Day attacks addressed in Oracle CPUs and other vendor patch updates using virtual patches and virtual Java upgrades. These features eliminate the need to delay applying patches and routinely upgrading the Java platform.
Organizations that are not Waratek customers are strongly advised to apply the appropriate binary CPU as quickly as possible.
Resources:
- Vulnerability Research Advisory: Waratek contributes to the Oracle January 2018 CPU and to Java SE security
About Waratek
Waratek is a pioneer in the next generation of application security solutions. Using patented virtualization technology, Waratek makes it easy for security teams to instantly patch known flaws, virtually upgrade out-of-support applications, and protect 100% of their application code – all without time consuming and expensive code changes or unacceptable performance overhead.
Waratek is one of CSO Online's Best Security Software solutions of 2017, a winner of the RSA Innovation Sandbox Award, and more than a dozen other awards and recognitions.
Waratek is based in Dublin, Ireland and Atlanta, Georgia. For more information visit https://www.waratek.com/
Media Contact:
Mike Gallo for Waratek
Lumina PR
212-239-8594
[email protected]
SOURCE Waratek