High Threat Security Alert (A18-07-06): Multiple Vulnerabilities in Oracle Java and Oracle Products (July 2018)
18 July 2018
Last update on: 25 July 2018
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 8 vulnerabilities identified in Java affecting multiple sub-components including Java DB, Deployment, JavaFX, Windows DLL, Security, JSSE, Libraries and Concurrency. All of them could be remotely exploited without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely through various protocols including HTTP, HTTPS, TLS, SSH, T3, Jolt, Local Logon, SSL, Log4j, memcached, RPC, ISCSI, IPMI, DHCP and MySQL protocol over a network.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or submit specially crafted data to APIs in the specified Component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
As proof-of-concept exploit code against CVE-2018-2893 was reported to be publicly disclosed, the risk of cyber attacks on the vulnerable Oracle WebLogic Server will be elevated. For detailed information on the available patches, please refer to the corresponding security advisory at http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixFMW
Oracle Java SE
Oracle Linux and Virtualization
Oracle MySQL Product Suite
Oracle and Sun Systems Products Suite
Fusion Applications and Middleware
Oracle Support Tools
A complete list of the affected products can be found at: