This came across the security feed yesterday, and we wanted to make sure that everyone understood that this Critical Patch Update is something you should install…now. A CVSS base score of 10.0 is a big deal (you can read all about the CVSS here), but what you need to know from an application security perspective is that when you see an announcement of a CVSS 10.0 that already has a patch available, you don't respond with "Yeah, I'll put that one on my list" or "Ok, we'll get to it after lunch." A 10.0 means the worst case on every axis the score measures, and in this batch Oracle says most of the flaws are exploitable remotely with no username or password. When you see a 10.0 on the CVSS, you drop what you are doing and you upgrade regardless of the consequences to your application.
What's interesting about this Oracle patch is that Oracle's current JDK download site isn't yet set up to tell you why you should upgrade to 7u5. I just did the upgrade and the release notes still point back to 7u4. I had to do my own digging and find the vulnerability listed by US-CERT/NVD here: Vulnerability Summary for CVE-2012-0507. While this threat was from February, there's not much information from Oracle about this particular patch. Here's a quote from the NVD entry for CVE-2012-0507:
“Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions.”
And here's the original story from IDG:
IDG News Service – (International) Oracle to issue 14 patches for Java SE. Oracle is planning to ship 14 patches related to Java SE June 12, including a number with the highest level of severity under the common vulnerability scoring system (CVSS) framework, according to a pre-release announcement on the company’s Web site. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said. The patch batch is aimed at security weaknesses in many products, including JDK and JRE 7 Update 4 and earlier; JDK and JRE 6 Update 32 and earlier; and JavaFX version 2.1 and earlier, according to the announcement. A dozen of the 14 fixes can be exploited by an attacker remotely, with no username or password required, Oracle said. A number of the weaknesses have a CVSS base score of 10.0, the highest possible, but Oracle did not provide further specifics.
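Since Oracle's own download page didn't say which installs are in scope, here is a small check you can run on each host to compare the installed JDK/JRE against the affected ranges in the announcement quoted above (JDK/JRE 7 Update 4 and earlier, JDK/JRE 6 Update 32 and earlier). This is an added example written for this post, not code from Oracle or from the original article. It parses the first line of `java -version` output; the sample outputs embedded in it are constructed, not captured from a real machine, and the JavaFX range is not checked because `java -version` does not report JavaFX.

```python
import re
import subprocess

# Affected ranges as quoted from Oracle's June 2012 pre-release announcement
# (see the IDG story above): JDK/JRE 7 Update 4 and earlier, JDK/JRE 6
# Update 32 and earlier. Anything outside these families is reported as
# not affected *by this CPU*, which says nothing about its other flaws.
AFFECTED_MAX_UPDATE = {7: 4, 6: 32}

_VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(output):
    """Return (family, update) from the first line of `java -version` output.

    Handles the legacy "1.<family>.0_<update>" form used by Java 6/7/8
    (a bare "1.7.0" with no update suffix counts as update 0) and the newer
    "<family>[.<minor>[.<security>]]" form (Java 9+), where the security
    field stands in for the update number. Raises ValueError if no version
    string is present.
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no java version string found")
    ver = m.group(1)
    legacy = re.match(r"1\.(\d+)\.\d+(?:_(\d+))?", ver)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    parts = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver)
    if not parts:
        raise ValueError("unrecognised version string: %r" % ver)
    family = int(parts.group(1))
    security = int(parts.group(3) or 0)
    return family, security


def is_affected(output):
    """True if the version in `output` falls in a range the June 2012 CPU patches."""
    family, update = parse_java_version(output)
    max_update = AFFECTED_MAX_UPDATE.get(family)
    return max_update is not None and update <= max_update


def check_installed(java="java"):
    """Run `java -version` (it prints to stderr) and return the verdict.

    Returns None if no java binary is on the path. The `java` argument lets
    you point at a specific JRE, e.g. one bundled inside an application.
    """
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    out = proc.stderr or proc.stdout
    return is_affected(out)


# Constructed sample outputs (not captured from a real machine) covering the
# boundary on each side of the two affected ranges plus a modern release.
SAMPLES = {
    'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b22)': True,
    'java version "1.7.0_05"\nJava(TM) SE Runtime Environment (build 1.7.0_05-b06)': False,
    'java version "1.6.0_32"': True,
    'java version "1.6.0_33"': False,
    'java version "1.7.0"': True,
    'openjdk version "11.0.2" 2019-01-15': False,
}

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        verdict = is_affected(text)
        assert verdict == expected
        print("%-28s affected=%s" % (text.splitlines()[0], verdict))
    print("installed java affected by June 2012 CPU:", check_installed())
```

Run it on every host that carries a JRE, including the ones bundled inside application installers, since those are the copies the download page will never prompt you to upgrade; a `True` from `check_installed()` means that binary is in the range the announcement names.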