News

Oracle's Latest CPU Patches 3-Year-Old Deserialization Flaw

• By John K. Waters
• April 24, 2019

Oracle's second quarterly Critical Patch Update (CPU) for 2019 includes 296 Java-related patches, which is a bit more than were included in the first quarter, but fewer than past quarters.

All of the five Java SE vulnerabilities identified in this CPU are remotely exploitable, and at least one is probably exploitable without the need for authentication. Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number. That latter vulnerability earned a CVSS score of 9. This vulnerability is considered critical, though it affects only Java 8 deployments on Windows.

This CPU patches flaws in Java SE versions 7u211, 8u202, 11.0.2 and 12. Nineteen Oracle products across the software stack were patched against the three-year-old CVE-2016-1000031 vulnerability, which is a Java deserialization vulnerability caused by the Apache Commons FileUpload dependency.

Java object serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data are received. It can also be used to reconstruct an object graph from a stream.

A total of 19 Oracle products are affected by CVE-2016-1000031, including the Oracle Banking Platform, Oracle API Gateway, Oracle WebCenter Portal (Fusion), Primavera P6 Enterprise and Oracle Siebel CRM, among others.

Each Oracle quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously-reported security issues.

Oracle typically recommends strongly that its customers apply the security fixes in the latest CPU as soon as possible. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company warns on its Web site. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

Oracle's CPUs are issued in January, April, July and October on the Tuesday closest to the 17th of the month. The next CPU is scheduled for July 16.