The story here is that Oracle has synced up their Java patching with the rest of their patching cycle and, when it comes to vulnerabilities, Java always steals the show.
The CPU includes fixes for 127 vulnerabilities in Oracle products, but aside from Java, it’s mostly ho-hum, low impact stuff. There’s a CVSS 8.5 vulnerability in MySQL’s Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting.
The Java patches include 51 of the 127 addressed issues. Of the 51 issues, 21 are CVSS scores of 9 or higher, meaning they would allow an attacker to gain control of the system in the context of the running user with limited complexity to exploit.
The vast majority of these issues affect the Java browser plugin and users, first and foremost, are advised to keep up-to-date with patches. Secondly, users should take advantage of all the signing and execution restrictions offered by the latest plugin versions.
Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin. Otherwise, run Java in the most restricted mode and only allow signed applets from whitelisted sites to run.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.