Hello, welcome to the Thursday, October 17th, 2019 edition of the Sandswit Stormsaurus, Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Oracle today released its quarterly critical patch update or short CPU with 219 different security patches.

Now the first thing I always look for here is Java.

Java actually well not all that important it seems like this around, there are a good number of vulnerabilities

being addressed, but the largest CBSS base score is 6.8. The only vulnerability with the

maximum score of 10.0 is 1 in Oracle's no SQL database. This is exploitable via HTTP and could lead, of course,

to a complete system compromise. Certainly take a look at this patch, but we have a number of

other vulnerabilities in the high 9s.

For example, in the Oracle Construction Engineering Risk Matrix product, there are 3 9.8 vulnerabilities.

Two of which are in Jackson Databind, which is the same issue that affected the NoSQL database.

The third one is an Apache Tomcat vulnerability that actually goes back to 2017.

And that's sadly always a little bit of a theme here that we have some critical vulnerabilities

that are essentially quite old and come from included

open source components. For example, there are still some log 4J issues that are being addressed,

also a problem with the Apache Commons. That's the file upload vulnerability that's also at least a year old, I think.

Now, many of the critical vulnerabilities in this update are related to this Jackson

data bind vulnerability.

So a little bit more about this.

This is actually part of the Jackson Project.

That's a JSON library for Java and this particular vulnerability is a deserilization issue.

We of course had many of them before and this library does, well, what's always hard to

...