By Eric P. Maurice-Oracle on Feb 14, 2012
Hello, this is Eric Maurice.
Oracle just released the February 2012 Critical Patch Update for Java SE. This Critical Patch Update provides fixes for 14 new security vulnerabilities affecting the Java Runtime Environment and JavaFX. The most severe CVSS Base Score for these vulnerabilities is 10.0, denoting a potentially complete compromise of the targeted system on the Windows platform (e.g. Windows XP). Of the 14 new vulnerabilities fixed in this Critical Patch Update, 6 affect server deployments of Java SE, including the vulnerability in the Lightweight HTTP server. In other words, these 6 can be exploited by supplying data to APIs in the affected component (for example through a web service) without involving untrusted Java Web Start applications or untrusted Java applets at all.
When computing CVSS Base Scores, Oracle assumes the worst-case scenario: in the instance of the Critical Patch Update for Java SE, we assume that a user running a Java applet or Java Web Start application has administrator privileges, as is typical on the Windows XP platform. Under that assumption, code that escapes the Java sandbox runs with full control of the operating system, so the Confidentiality, Integrity, and Availability impacts are rated "Complete". On other platforms, for example Solaris and Linux, users do not routinely operate with administrator privileges, and the same sandbox escape is confined to the user's own account. On non-Windows platforms, therefore, the Confidentiality, Integrity, and Availability impacts for the vulnerabilities reported as 10.0 in the Risk Matrix are "Partial" (instead of the worst-case "Complete" reported in the risk matrix), which lowers the CVSS Base Score for non-Windows platforms to 7.5.
While a small number of people have criticized Oracle for its strict application of the CVSS Standard, particularly as it relates to the difference between "Partial+" and "Complete," there is a fundamental difference between vulnerabilities whose impact is limited to the affected application and those that result in a full compromise of the targeted system down to the operating system. In instances of full compromise down to the operating system, the targeted system can be maliciously repurposed (to serve malware, for example), audit trails can be tampered with, and, in the case of a compromised server, the "chain of trust" that may exist between the affected server and other systems in the environment can be broken. In other words, a full compromise down to the operating system poses a threat that can be significantly greater than that of a compromise limited to a layer above the operating system. In addition, the forensic response will differ, since the investigatory and evidentiary value of the logs is not the same once the attacker controls the system that writes them.
Hundreds of millions of lines of code in Oracle's codebase are written in Java. Following the Sun acquisition, Oracle has added resources to focus on Java security, including multiplying the development staff dedicated to Java security. In addition, the Java development team is now able to leverage a toolset, including code scanning tools, that was not previously available to it. With these new resources available as a result of the Oracle acquisition, the Java development team is weeding out security bugs in Java and is looking at ways to further improve the security posture that Java provides to its users.
For more information:
- Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
- Home users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp
- The Advisory for the February 2012 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html