Oracle has released its Critical Patch Update for April 2020, which includes 297 vulnerability fixes across multiple products. The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Oracle Database patches
This Critical Patch Update addresses 6 vulnerabilities in Oracle Database Server. Although none of the Database vulnerabilities can be remotely exploited, one vulnerability, CVE-2019-2517, affects the Core RDBMS component and is rated Critical.
Two high severity vulnerabilities (CVE-2019-2516 and CVE-2019-2619) affect the Oracle Database Portable Clusterware component.
In addition, Oracle patched 45 new security vulnerabilities in MySQL. Four of these issues can be remotely exploited without user credentials.
The only high severity MySQL issue, CVE-2019-2632, affects the MySQL Server Pluggable Auth component.
Oracle Java patches
Oracle also patched 5 new security vulnerabilities in Oracle Java SE. Attackers can remotely exploit all of these vulnerabilities, even without user credentials.
One Critical severity vulnerability, CVE-2019-2699, affects the Windows DLL component of Java SE.
In addition, two high severity Java SE 2D vulnerabilities (CVE-2019-2697 and CVE-2019-2698) were also patched.
Oracle Enterprise Manager patches
The Critical Patch Update also addresses 11 new security vulnerabilities in Oracle Enterprise Manager. Remote attackers could exploit 7 of these without user credentials.
One of the patches addresses a critical vulnerability, CVE-2016-1000031, in the Networking (Apache Commons FileUpload) component of Ops Center. Another patch fixes a critical vulnerability, CVE-2016-4000, in the Configuration Manager — Collector of Config and Diag (Jython) component.
Two high severity vulnerabilities affect the Enterprise Manager Install (CVE-2018-1258) and Networking (CVE-2018-1258) components, both part of the Spring Framework.
Oracle Fusion Middleware patches
Also, Oracle has patched 53 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 42 of these vulnerabilities without user authentication.
In all, 13 Critical vulnerabilities in multiple Fusion Middleware components were addressed, including: CVE-2020-2950, CVE-2016-1000031, CVE-2020-2915, CVE-2019-13990, CVE-2019-16943, CVE-2016-10328, CVE-2019-16943, CVE-2019-16943, CVE-2019-17571, CVE-2019-16943, CVE-2020-2801, CVE-2020-2883 and CVE-2020-2884.
Update as of April 30, 2020: Oracle issued a new warning that there are reports of public exploits for the WebLogic vulnerability CVE-2020-2883.
All of the Critical vulnerabilities can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products, each of which has one or more Critical vulnerabilities:
- Oracle Communications Applications (26 total, 9 critical)
- Oracle Construction and Engineering Suite (8 total, 4 critical)
- Oracle E-Business Suite (35 total, 2 critical)
- Oracle Financial Services Applications (14 total, 2 critical)
- Oracle Health Sciences Applications (2 total, 1 critical)
- Oracle Hospitality Applications (5 total, 2 critical)
- Oracle JD Edwards Products (8 total, 1 critical)
- Oracle Retail Applications (24 total, 6 critical)
- Oracle Siebel CRM (8 total, 4 critical)
- Oracle Supply Chain Products (5 total, 2 critical)
- Oracle Utilities Applications (6 total, 3 critical)
- Oracle Virtualization (15 total, 1 critical).
Overall, the 297 April patches are down from the 334 patches Oracle released in the January 2019 CPU.
System administrators and users should patch affected products as soon as possible, as noted in the Oracle CPU for April 2020 advisory.