AnsweredAssumed Answered

Oracle Java SE Critical Patch Updates - False Positive?

Question asked by framey on Aug 11, 2014
Latest reply on Dec 4, 2015 by mylestones

Oracle says that its Java critical patch updates (CPU) are cumulative in nature, therefore in theory if a server had not applied its Java CPUs for (for example) a year, it would only need to apply the latest CPU rather than all the previous ones in order.  However, in my organisation, the latest patches have been applied yet Qualys still shows all the *previous* vulnerabilities still exist and have not been remediated.

 

So I am trying to work out whether applying e.g. the July 2014 Oracle Java SE Critical Patch Update does actually roll up and fix all of the previous vulnerabilities as claimed.  If it does, this would suggest that Qualys is showing false positives.  Has anyone got any experience on this or can anyone advise on detection signature etc?  Thanks.

Outcomes