Oracle has released its Critical Patch Update for October 2019 to include 219 vulnerability fixes across multiple products. The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have been successful in exploiting vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Oracle Database patches
Oracle has fixed ten (10) vulnerabilities in Oracle Database Server. Attackers can remotely exploit two of these vulnerabilities without user credentials. One of those, CVE-2019-2909, impacts the Java VM component and has a CVSS v3.0 base score of 6.8, the highest of all the Oracle Database vulnerabilities.
The Critical Patch Update also contains one (1) new security patch for Oracle NoSQL Database. This critical vulnerability, CVE-2018-14721, impacts the NoSQL (jackson-databind) component and is also remotely exploitable without authentication. It carries a CVSS base score of 10.0.
In addition, Oracle patched 34 new security vulnerabilities in MySQL. Nine of these can be remotely exploited without user credentials. The most critical vulnerability, CVE-2019-8457, impacts MySQL Workbench and has a CVSS base score of 9.8.
Oracle Enterprise Manager patches
This Critical Patch Update addresses seven (7) new security vulnerabilities in Oracle Enterprise Manager; five (5) of these can be remotely exploited without user credentials.
One of the critical vulnerabilities, CVE-2016-4000, impacts the Enterprise Manager Base Platform and has a CVSS base score of 9.8.
Oracle Java patches
This Critical Patch Update addresses 20 new security vulnerabilities in Oracle Java SE. All of these vulnerabilities can be remotely exploited without user credentials.
Two of the highest-rated vulnerabilities (CVE-2019-2949 and CVE-2019-2989) impact Oracle Java SE and each have a CVSS base score of 6.8.
Oracle Fusion Middleware patches
Oracle has also patched 37 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 31 of these vulnerabilities without user authentication.
Two of the critical vulnerabilities, CVE-2019-2904 (Oracle JDeveloper and ADF) and CVE-2016-1000031 (Oracle Virtual Directory), have a CVSS base score of 9.8.
Additional Oracle product patches
Of additional note, Oracle also provided security fixes for the following products (with total and critical vulnerabilities patched for each):
- Oracle Construction and Engineering Suite (13 total, 4 critical)
- Oracle E-Business Suite (10 total)
- Oracle Financial Services Applications (7 total, 3 critical)
- Oracle Food and Beverage Applications (7 total, 1 critical)
- Oracle Health Sciences Applications (2 total)
- Oracle Hospitality Applications (3 total)
- Oracle Hyperion (3 total)
- Oracle GraalVM (3 total)
- Oracle JD Edwards Products (1 total, 1 critical)
- Oracle Knowledge (17 total)
- Oracle PeopleSoft Products (13 total, 2 critical)
- Oracle Policy Automation (4 total)
- Oracle Retail Applications (12 total, 2 critical)
- Oracle Siebel CRM (4 total)
- Oracle Sun Systems Products (12 total)
- Oracle Supply Chain Products (3 total, 1 critical)
- Oracle Support Tools (2 total)
- Oracle Systems (12 total, 1 critical)
- Oracle Virtualization (15 total)
The 219 patches in the October CPU are down from the 319 patches Oracle released in the July CPU.
System administrators and users should patch affected products as soon as possible, as noted in Oracle's October CPU advisory.