Oracle has released its Critical Patch Update (CPU) for January 2020, which includes 334 vulnerability fixes across multiple products. The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have been successful in exploiting vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Oracle Database patches
Oracle has fixed 12 vulnerabilities in Oracle Database Server. Attackers can remotely exploit three of these vulnerabilities without user credentials. One of the High severity vulnerabilities, CVE-2020-2510, impacts Core RDBMS.
Another High severity bug, CVE-2019-10072, impacts Workload Manager (Apache Tomcat).
In addition, Oracle patched 19 new security vulnerabilities in MySQL. Six of these issues can be remotely exploited without user credentials.
Oracle Enterprise Manager patches
The Critical Patch Update also addresses 50 new security vulnerabilities in Oracle Enterprise Manager. Remote attackers could exploit 10 of these without user credentials.
Two of the critical vulnerabilities (CVE-2018-11058 and CVE-2019-5482) impact the Enterprise Manager Ops Center. Both of these have a CVSS base score of 9.8.
Two other vulnerabilities (CVE-2019-2904 and CVE-2016-4000) affect the Oracle Application Testing Suite. Each of these also has a CVSS base score of 9.8.
Oracle Java patches
This Critical Patch Update addresses 12 new security vulnerabilities in Oracle Java SE. Attackers can remotely exploit every one of these vulnerabilities, even without user credentials.
One High severity vulnerability, CVE-2020-2604, impacts the Serialization component of Java SE.
Oracle Fusion Middleware patches
Also, Oracle has patched 38 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 30 of these vulnerabilities without user authentication.
One of the Critical vulnerabilities, CVE-2020-2555, impacts Oracle Coherence.
Two of the other Critical vulnerabilities (CVE-2020-2551 and CVE-2020-2546) affect Oracle WebLogic Server.
The January total is up from the 219 patches Oracle released in the October 2019 CPU.
System administrators and users should patch affected products as soon as possible, as noted in Oracle's January 2020 CPU advisory.