Oracle Java SE Multiple Vulnerabilities

Tenable plugin 242293 rolls up the July 15, 2025 Oracle Java CPU and marks any installed Oracle Java matching vulnerable trains as affected. The notable issues include CVE-2025-50059 (Networking), CVE-2025-30749 and CVE-2025-50106 (2D), CVE-2025-30754 (JSSE), and several JavaFX/libxml2 issues that hit 8u451-b50; Oracle lists affected Oracle Java SE versions as 8u451 / 8u451-perf, 11.0.27, 17.0.15, 21.0.7, and 24.0.1, with fixes in 8u461, 11.0.28, 17.0.16, 21.0.8, and 24.0.2. The catch is the important one: Oracle repeatedly states the highest-impact bugs apply to Java deployments that load untrusted code in sandboxed Java Web Start or applet-style client contexts, and *do not apply* to typical server deployments that run only trusted code.

Tenable's CRITICAL label overstates reality for a modern enterprise fleet because it scores the bundle by worst-case technical impact, not by how often the full attack path exists in 2025 production. If you still run Oracle-dependent rich clients, Web Start, kiosk apps, trading/SCADA fat clients, or niche desktop middleware, this is real and worth prioritizing. If your fleet is mostly server-side JVMs or internal apps running trusted code only, the practical exposure collapses hard, so this is a HIGH patch-management item overall rather than a stop-everything critical.

Why this verdict

• Vendor label is inflated by worst-case math: Tenable marks the plugin CRITICAL, but Oracle's lead CNA score for CVE-2025-50059 is 8.6 HIGH, not 9.8+, and several included issues sit lower.
• Primary friction is attacker reachability: the most severe entries require sandboxed untrusted-code Java client contexts, which implies legacy Web Start/applet-style exposure rather than generic server-side JVMs.
• Population narrows hard in real fleets: most enterprise Java today runs trusted server code, and Oracle explicitly says those server deployments are out of scope for the headline client-side conditions.
• No KEV, no solid mass exploitation signal: I found no CISA KEV listing and no strong evidence of broad in-the-wild abuse driving emergency treatment.
• Still not a shrug: affected versions span every major LTS train, and on the subset of legacy thick clients that still ingest attacker-controlled content, the impact can be takeover or full data exposure.

Why not higher?

This is not a classic unauthenticated edge-service RCE that an internet scanner can hit across your estate. The attack chain usually assumes either legacy Java client behavior, untrusted-code execution, or an attacker-controlled API/data path, all of which materially reduce exposed population.

Why not lower?

I am not pushing this to MEDIUM because the vulnerable version coverage is broad and the blast radius on the exposed subset is real. If your environment still has Oracle-dependent rich clients, kiosks, OT consoles, or desktop middleware using these runtimes, compromise is not theoretical.

1. Inventory Oracle Java and GraalVM now — Use asset management, EDR software inventory, and package queries to separate servers running trusted code from legacy rich clients running untrusted or externally fed content. For a HIGH verdict, complete this scoping and tagging within 30 days so patching hits the right population instead of boiling the ocean.
2. Isolate legacy Java client workflows — Where Java Web Start, OpenWebStart, kiosk apps, or vendor fat clients still exist, move them behind tighter egress filtering and dedicated user groups. Apply this control within 30 days because those client patterns are the practical exposure amplifier here.
3. Block untrusted JNLP/JAR delivery paths — Use email gateway controls, web filtering, browser download restrictions, and application allowlisting to cut off obvious delivery channels for malicious Java content. Deploy within 30 days as a compensating layer for endpoints that cannot be patched immediately.
4. Enforce least privilege on Java clients — Make sure affected desktops do not run as local admin and that application service accounts have minimal rights. This reduces the value of runtime takeover and should be enforced within 30 days for the exposed client subset.
5. Hunt for dormant Java installs — Remove unused Oracle Java runtimes from endpoints and golden images, especially where the software was installed years ago for one vendor app and never revisited. For a HIGH item, drive this cleanup campaign within 30 days for high-risk user groups and as part of normal remediation for the rest.

Run this on the target host or through your EDR/live-response tooling. Invoke it with python3 check_java_july_2025_cpu.py or point it at a specific binary with python3 check_java_july_2025_cpu.py --java /path/to/java; no admin rights are required unless your endpoint controls block process execution.

#!/usr/bin/env python3
# check_java_july_2025_cpu.py
# Detects likely exposure to Oracle Java SE July 2025 CPU issues by version family.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import argparse
import os
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

AFFECTED = {
    '8': ('8u451', '8u461'),
    '11': ('11.0.27', '11.0.28'),
    '17': ('17.0.15', '17.0.16'),
    '21': ('21.0.7', '21.0.8'),
    '24': ('24.0.1', '24.0.2'),
}


def run_java(java_bin: str) -> Tuple[int, str]:
    try:
        proc = subprocess.run([java_bin, '-version'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
        out = (proc.stdout or '') + (proc.stderr or '')
        return proc.returncode, out.strip()
    except Exception as e:
        return 127, str(e)


def find_java(explicit: Optional[str]) -> Optional[str]:
    candidates = []
    if explicit:
        candidates.append(explicit)
    env_java_home = os.environ.get('JAVA_HOME')
    if env_java_home:
        candidates.append(os.path.join(env_java_home, 'bin', 'java'))
        candidates.append(os.path.join(env_java_home, 'bin', 'java.exe'))
    path_java = shutil.which('java')
    if path_java:
        candidates.append(path_java)
    common = [
        '/usr/bin/java',
        '/usr/local/bin/java',
        r'C:\Program Files\Java\jdk-17\bin\java.exe',
        r'C:\Program Files\Java\jre-8\bin\java.exe',
    ]
    candidates.extend(common)

    seen = set()
    for c in candidates:
        if not c or c in seen:
            continue
        seen.add(c)
        if os.path.exists(c) or shutil.which(c):
            return c
    return None


def parse_version(output: str) -> Optional[str]:
    # Examples:
    # java version "1.8.0_451"
    # openjdk version "17.0.15" 2025-04-15
    # java version "21.0.7" 2025-04-15 LTS
    m = re.search(r'version\s+"([^"]+)"', output)
    if m:
        return m.group(1)
    m = re.search(r'openjdk\s+([0-9][^\s]+)', output, re.IGNORECASE)
    if m:
        return m.group(1)
    return None


def norm(ver: str) -> Optional[Tuple[str, Tuple[int, ...], str]]:
    if ver.startswith('1.8.0_'):
        try:
            upd = int(ver.split('_', 1)[1].split('-')[0])
            return ('8', (upd,), f'8u{upd}')
        except Exception:
            return None
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)', ver)
    if m:
        major = m.group(1)
        nums = tuple(int(x) for x in m.groups())
        return (major, nums, '.'.join(m.groups()))
    if ver.isdigit():
        return (ver, (int(ver),), ver)
    return None


def compare_family(version: str) -> Tuple[str, str]:
    n = norm(version)
    if not n:
        return ('UNKNOWN', f'Could not normalize version string: {version}')
    major, nums, pretty = n
    if major not in AFFECTED:
        return ('PATCHED', f'Installed Java version {version} is outside the affected major families for this July 2025 Oracle CPU check')

    affected_floor, fixed = AFFECTED[major]

    # Java 8 family
    if major == '8':
        upd = nums[0]
        if upd <= 451:
            return ('VULNERABLE', f'Java {pretty} is in the affected 8u451 family or older; fixed version is {fixed}')
        return ('PATCHED', f'Java {pretty} is newer than the affected 8u451 family; fixed version baseline is {fixed}')

    # 11/17/21/24 families
    fixed_parts = tuple(int(x) for x in fixed.split('.'))
    if nums < fixed_parts:
        return ('VULNERABLE', f'Java {pretty} is older than fixed {fixed} in the same major family')
    return ('PATCHED', f'Java {pretty} meets or exceeds fixed {fixed} in the same major family')


def main() -> int:
    ap = argparse.ArgumentParser(description='Check likely exposure to Oracle Java SE July 2025 CPU issues')
    ap.add_argument('--java', help='Path to java binary')
    args = ap.parse_args()

    java_bin = find_java(args.java)
    if not java_bin:
        print('UNKNOWN - java binary not found in PATH, JAVA_HOME, or common locations')
        return 2

    rc, out = run_java(java_bin)
    if rc != 0 and not out:
        print(f'UNKNOWN - failed to execute {java_bin}')
        return 2

    version = parse_version(out)
    if not version:
        print('UNKNOWN - unable to parse java version output')
        print(out)
        return 2

    status, detail = compare_family(version)
    print(f'{status} - {detail}')
    print(f'JAVA_BIN={java_bin}')
    print(f'RAW_VERSION={version}')

    if status == 'VULNERABLE':
        return 1
    if status == 'PATCHED':
        return 0
    return 2


if __name__ == '__main__':
    sys.exit(main())

Sources

1. Tenable Nessus Plugin 242293
2. Oracle Critical Patch Update Advisory - July 2025
3. Oracle Text Form of July 2025 Risk Matrices
4. Oracle Java Management Release Note - July 2025 CPU fixed releases
5. NVD CVE-2025-50059
6. CISA Vulnerability Summary for Week of July 14, 2025
7. Debian LTS Advisory DLA-4248-1 openjdk-11
8. Debian LTS Advisory DLA-4275-1 openjdk-17