"Several major security flaws in Java-based applications surfaced during July."
As we've stressed on this blog in the past, it's generally wise to avoid using Java to any significant degree. Granted, its pervasiveness throughout the IT space means that avoiding it entirely isn't always possible – at least not without implementing a browser-based terminal emulator such as the one from the Inventu Corporation.
But if you're still on the fence about adopting our solutions, the least we can do is keep you informed about some of the most critical Java vulnerabilities disclosed in July 2019, sourced from the National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). Take a look:
Less critical Java vulnerabilities
The month kicked off with the discovery of a flaw in several versions of JetBrains IntelliJ IDEA on July 3. According to NIST's NVD, creating JavaEE application servers in remote-run configurations caused IntelliJ IDEA to save the server credentials where they should not have been stored. The bug scores 9.8 ("critical") under the current Common Vulnerability Scoring System, CVSS v3, but only a "medium" 5.0 under CVSS v2.0, which some tools and policies still use. The gap is less odd than it looks: the two scales weight impact differently. A v2 score of 5.0 is what a network-reachable, unauthenticated flaw with a partial impact on just one of confidentiality, integrity or availability typically receives, while a 9.8 on v3 reflects a rating of High on all three. Fixed builds were released in three 2018 versions, so the practical question is whether your installation has been updated.
Almost two weeks later, NVD published a Microsoft Office vulnerability in which Office did not verify the web page making a request regarding an Office document before letting the request through. As NVD describes it, the flaw lies in Office's JavaScript add-in support, which is unrelated to Java despite the name, so it is a loose fit for this list. In theory an attacker could use it to read or write the contents of Office documents without authorization; Microsoft has since released a fix.
Major ONOS flaws
Some of the most alarming flaws found during July were in the Linux Foundation's ONOS (Open Network Operating System), a Java-based SDN controller that has excited many in the communications sector since its inception in 2014. On July 16, NVD published an entry for a flaw in ONOS 1.15.0 and all earlier versions: backquote characters in shell-command strings are not handled safely. In a POSIX shell, a backquote-delimited string is executed as a subcommand and its output is substituted into the command line, so unfiltered backquotes in attacker-influenced input are a classic command-injection vector. The NVD entry states that the flaw "allows unauthorized disclosure of information, unauthorized modification and disruption of service," and it scores 9.8 on CVSS v3.0. At the time of the entry, no fix from the ONOS project was listed.
Just three days later, it emerged that ONOS was also affected by improper input validation that could disrupt network connectivity, which for an SDN controller means the data plane it programs. Patches have been released, but a patch only helps once operators apply it, and there is no way of knowing how many deployments have done so.
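To make the backquote point concrete, the following Python script is an added demonstration for this post; it is not ONOS code and does not reproduce the specific code path NVD recorded. It builds a shell-command string the unsafe way (interpolating untrusted text) and the quoted way, runs both through "sh -c", and shows that the backquote subcommand executes only in the unquoted version. The payload string is constructed for the example, and the script assumes a POSIX sh on PATH.

```python
"""Why an unneutralized backquote in a shell-command string is a command
injection.  Added demonstration for this post: not ONOS code, and not the
mechanism NVD recorded for that flaw.  Assumes a POSIX sh on PATH."""
import shlex
import subprocess

# Characters that let input break out of a single shell word.
SHELL_METACHARS = ("`", "$(", ";", "|", "&", "\n")


def build_command_vulnerable(name: str) -> str:
    """Interpolates caller-controlled text straight into a command string.
    Everything the shell treats specially (backquotes, $( ), ;, |) is honoured."""
    return f"echo Hello {name}"


def build_command_hardened(name: str) -> str:
    """Same command, but the untrusted part is quoted so the shell sees one
    literal word.  shlex.quote wraps it in single quotes, inside which a
    backquote has no meaning."""
    return f"echo Hello {shlex.quote(name)}"


def run_via_shell(command: str) -> str:
    """Runs the string through sh -c, as an application that assembles shell
    command strings would, and returns stdout without the trailing newline."""
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


def contains_shell_metachar(name: str) -> bool:
    """Detection-side check: flag input carrying shell metacharacters so it can
    be rejected or logged before it reaches any command builder."""
    return any(tok in name for tok in SHELL_METACHARS)


# Constructed attacker input: a backquote-delimited subcommand.  A real
# attacker would substitute id, cat /etc/passwd, or a reverse shell.
PAYLOAD = "world`echo INJECTED`"

if __name__ == "__main__":
    print(run_via_shell(build_command_vulnerable(PAYLOAD)))  # Hello worldINJECTED
    print(run_via_shell(build_command_hardened(PAYLOAD)))    # Hello world`echo INJECTED`
    print(contains_shell_metachar(PAYLOAD))                  # True
```

Passing an argument vector to the process without any shell is the stronger fix; shlex.quote is shown because it maps onto the case the NVD entry describes, an application that assembles a command string and hands it to a shell.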
Middleware in grave danger
Oracle released several updates to its Fusion Middleware suite earlier in the year to address various bugs, according to Security Boulevard. But the platform had other issues. On July 23, NVD published a particularly critical one (9.8 on the CVSS v3.0 scale) affecting WebLogic Server, the Java application server in Fusion Middleware. The bug is reachable over a T3 connection (T3 is WebLogic's proprietary RMI protocol, served by default on the same listen port as HTTP), and the 9.8 score implies that the attacker needs no credentials, only network access to that listener; a successful exploit takes over the WebLogic Server. Beyond applying the patch, instances that do not need T3 from untrusted networks should restrict it with a WebLogic connection filter (Oracle's filter syntax takes rules of the form "0.0.0.0/0 * * deny t3 t3s", followed by allow rules for trusted addresses), since with a network vector and no privileges required the listener itself is the attack surface.