Security Alert

Oracle Patch Day / Java Vulnerabilities

Original date: 18.07.2018
Overall risk classification: MEDIUM

Overview

Oracle has published an advisory and updates regarding many of its software products. The advisory also covers several severe vulnerabilities in the Java ecosystem, some of which allow remote attackers to execute arbitrary code on Java systems [1]. If your project employs Java, it is strongly advised to review whether the system is affected by any of the new vulnerabilities and to install the new patches as soon as possible. Additionally, check whether your project runs any other Oracle products that have been updated, for instance MySQL.

Systems Affected

Among other versions and Oracle products, the current Java SE versions 6u191, 7u181, 8u172 and 10.0.1 are affected.

Threat

Risk: HIGH
Several vulnerabilities allow for remote code execution. Thus, an attacker might be able to take over an affected server via the internet.
Exploitability: MEDIUM
Given the number of vulnerabilities published in the advisory and the multitude of different Java installations found in practice, every project has to inspect for itself whether its Java installation is vulnerable or whether software products based on it can be attacked.
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): MEDIUM

Mitigation

Update to the latest versions.
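One way to carry out the per-project check described under Exploitability and to confirm the update took effect, as an added example that is not part of the original alert: the script below parses the banner printed by `java -version` and compares it with the Java SE versions listed above. It assumes, as Oracle CPU advisories usually phrase it, that versions at or below the listed ones are unpatched, and it treats families not named in this alert (e.g. 11) as out of scope rather than safe; the sample banners are constructed.

```python
import re
import subprocess

# Java SE versions named as affected in this alert (Oracle CPU July 2018).
AFFECTED = ["6u191", "7u181", "8u172", "10.0.1"]

# Constructed sample banners, covering the legacy and the JEP 223 scheme.
SAMPLE_BANNERS = [
    'java version "1.8.0_172"\nJava(TM) SE Runtime Environment (build 1.8.0_172-b11)',
    'java version "10.0.1" 2018-04-17\nJava(TM) SE Runtime Environment 18.3 (build 10.0.1+10)',
    'java version "1.7.0_171"\n',
    'openjdk version "11.0.2" 2019-01-15\n',
]

def version_tuple(label):
    """Advisory notation to a comparable tuple: '8u172' -> (8, 0, 172), '10.0.1' -> (10, 0, 1)."""
    if "u" in label:
        fam, upd = label.split("u")
        return (int(fam), 0, int(upd))
    parts = [int(p) for p in label.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# Highest affected version per Java family; assumption: everything at or below it is unpatched.
LATEST_AFFECTED = {version_tuple(a)[0]: version_tuple(a) for a in AFFECTED}

def parse_java_version(banner):
    """Extract (family, minor, update) from a 'java -version' banner, or None if unparseable."""
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        return None
    v = m.group(1)
    legacy = re.fullmatch(r"1\.(\d+)\.0_(\d+)(?:-.*)?", v)        # e.g. 1.8.0_172
    if legacy:
        return (int(legacy.group(1)), 0, int(legacy.group(2)))
    modern = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?", v)  # e.g. 10.0.1+10
    return tuple(int(x or 0) for x in modern.groups()) if modern else None

def assess(banner):
    """Classify a banner as 'unpatched', 'patched', 'not covered' or 'unparseable'."""
    v = parse_java_version(banner)
    if v is None:
        return "unparseable"
    ceiling = LATEST_AFFECTED.get(v[0])
    if ceiling is None:
        return "not covered"
    return "unpatched" if v <= ceiling else "patched"

def installed_banner():
    """Capture the local 'java -version' banner (the JVM writes it to stderr)."""
    try:
        r = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stderr or r.stdout

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.splitlines()[0], "->", assess(b))
    local = installed_banner()
    print("local JVM ->", assess(local) if local else "java not found")
```

Run it on every host and container image the project ships; a JVM bundled inside an application server is not reported by the system-wide `java` binary and needs the same check against its own path.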

Author

Björn Kirschner

References

[1] http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA

If you need help assessing the risk of your project, do not hesitate to contact us!