Java Vulnerabilities

Want to know how many vulnerabilities your business is exposed to by having an old version of Java enabled in your browser?

Java Vulnerabilities
Oracle Patch     Highest Version Affected   RIA Vuln Count   CVSS >= 7.0   Cumulative CVSS >= 7.0
July 2014        8u5                        18               8
April 2014       8                          35               21
January 2014     7u45                       31               13
October 2013     7u40                       47               23
June 2013        7u21                       37               18
April 2013       7u17                       40               28
February 2013    7u13                       50               37
October 2012     7u7                        28               15
June 2012        7u4                        12               7
February 2012    7u2                        11               7
October 2011     7u0                        16               9
June 2011        6u25                       16               12
February 2011    6u23                       15               9
October 2010     6u21                       27               19
March 2010       6u18                       26               15

This information was extracted from Oracle's Critical Patch Updates, Security Alerts and Third Party Bulletin web site.

Using the "April 2013" row as an example, the table above reads:
In April 2013 Oracle released a patch covering JRE 7 update 17 and earlier.  The patch fixed 40 RIA* vulnerabilities, of which 28 were rated High risk (CVSS >= 7.0).  If your current version of the JRE is 7u17, it is vulnerable to 82 High risk RIA vulnerabilities that would be mitigated by applying the latest patch.
*RIA means Rich Internet Application and refers to Java Applets and Web Start applications.  Vulnerabilities in RIAs are commonly exploited through phishing email attacks, drive-by downloads, watering hole attacks, malvertising (i.e. attacks via advertisement networks), and similar delivery methods.

The vulnerability count corresponds to CVE IDs for known vulnerabilities; it does not mean that each vulnerability has a known exploit.  If I had a good source of exploit information I would include those numbers as well.  You should assume a significant proportion of the vulnerabilities have known exploits.
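To turn the reading rule above into something you can run, here is an added Python example (not part of the original post) that embeds the table rows and sums the CVSS >= 7.0 column over every patch whose highest affected version is at or above an installed JRE, which is the cumulative figure the post describes.  The version parsing (a bare "8" treated as update 0, ordering by major then update number) is an assumption of this example.

```python
import re

# Rows transcribed from the table above, newest first:
# (patch, highest version affected, RIA vuln count, count with CVSS >= 7.0).
PATCHES = [
    ("July 2014",     "8u5",  18, 8),
    ("April 2014",    "8",    35, 21),
    ("January 2014",  "7u45", 31, 13),
    ("October 2013",  "7u40", 47, 23),
    ("June 2013",     "7u21", 37, 18),
    ("April 2013",    "7u17", 40, 28),
    ("February 2013", "7u13", 50, 37),
    ("October 2012",  "7u7",  28, 15),
    ("June 2012",     "7u4",  12, 7),
    ("February 2012", "7u2",  11, 7),
    ("October 2011",  "7u0",  16, 9),
    ("June 2011",     "6u25", 16, 12),
    ("February 2011", "6u23", 15, 9),
    ("October 2010",  "6u21", 27, 19),
    ("March 2010",    "6u18", 26, 15),
]


def parse_version(v):
    """Turn '7u45', '8u5' or a bare '8' into a comparable (major, update) tuple.
    Assumption: a bare major number means update 0."""
    m = re.fullmatch(r"(\d+)(?:u(\d+))?", v.strip())
    if not m:
        raise ValueError("unrecognised JRE version: %r" % v)
    return (int(m.group(1)), int(m.group(2) or 0))


def cumulative_high_risk(installed, patches=PATCHES):
    """Sum the CVSS >= 7.0 column over every patch whose highest affected
    version is at or above the installed one, i.e. every patch the installed
    JRE is missing.  Returns (total, names of the contributing patches)."""
    here = parse_version(installed)
    hits = [(name, high) for name, top, _, high in patches
            if parse_version(top) >= here]
    return sum(h for _, h in hits), [n for n, _ in hits]


if __name__ == "__main__":
    for v in ("7u17", "7u45", "8u5", "6u18"):
        total, names = cumulative_high_risk(v)
        print("%-5s %3d high-risk RIA vulns across %d missing patches"
              % (v, total, len(names)))
```

Summed over the rows from January 2014 downward the function reproduces the 82 quoted for 7u17 above; with the April and July 2014 rows also included it reports 111.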
