Oracle has released its Critical Patch Update for July 2020, which includes 443 vulnerability fixes across multiple products.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Oracle Database product patches
This Critical Patch Update has addressed 27 vulnerabilities in Oracle Database products, 19 of them for Oracle Database Server. None of the higher risk Database vulnerabilities can be remotely exploited without authentication.
However, three of the vulnerabilities are rated High severity (affected components in parentheses):
- CVE-2016-1000031: MapViewer (Apache Commons FileUpload)
- CVE-2020-2968: Java VM
- CVE-2016-9843: Core RDBMS (zlib).
In addition, Oracle patched 40 new security vulnerabilities in MySQL. Six of these issues can be remotely exploited without user credentials.
Most notable is a Critical patch for the “Ghostcat” vulnerability CVE-2020-1938 in the Apache Tomcat module of MySQL Enterprise Monitor.
Readers may recall earlier this year when researchers discovered Ghostcat, a serious flaw in the Tomcat AJP protocol that could allow an attacker to read or include any files in the webapp directories of Tomcat.
This bug sports a CVSS score of 9.8.
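Because Ghostcat is reachable only through an exposed AJP connector, the practical check on a Tomcat host is whether any AJP connector in server.xml is bound beyond loopback and whether it requires a shared secret. The script below is an added example, not code from the article or from Oracle or the Tomcat project; the server.xml it parses is a constructed sample, and the secret value is a placeholder. The attribute names (protocol, address, secretRequired, secret) are Tomcat's own connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the article): one HTTP connector, one AJP
# connector in the older default form, and one AJP connector bound to loopback with
# a shared secret. The secret value is a placeholder, not a real credential.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SECRET-PLACEHOLDER"/>
  </Service>
</Server>
"""

# Addresses that keep the connector reachable only from the local host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str):
    """Return one dict per AJP connector in server_xml.

    Each dict carries the connector's port, its bind address (None when the
    attribute is absent) and a list of findings. An empty findings list means
    the connector is loopback-bound and protected by a shared secret.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are not in scope for this check
        findings = []

        # Older Tomcat releases bound AJP to all interfaces when no address was set;
        # treat anything that is not explicitly loopback as reachable from other hosts.
        address = conn.get("address")
        if address is None or address.strip() not in LOOPBACK_ADDRESSES:
            findings.append("bound to a non-loopback address (reachable from other hosts)")

        # Patched Tomcat defaults secretRequired to true; an explicit "false" or a
        # missing secret leaves the port open to any client that can reach it.
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret", "").strip()
        if not secret_required:
            findings.append("secretRequired is disabled")
        elif not secret:
            findings.append("no shared secret configured")

        results.append({"port": conn.get("port"), "address": address, "findings": findings})
    return results


def exposed_ajp_ports(server_xml: str):
    """Convenience wrapper: ports of AJP connectors that have at least one finding."""
    return [r["port"] for r in audit_ajp_connectors(server_xml) if r["findings"]]


if __name__ == "__main__":
    for entry in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not entry["findings"] else "; ".join(entry["findings"])
        print(f"AJP port {entry['port']} (address={entry['address']}): {status}")
```

Run it against a real server.xml by replacing the constructed sample with the file contents; a connector that reports findings should either be removed (if nothing uses AJP) or bound to loopback with a secret, in addition to applying the Tomcat update that Oracle ships in this CPU.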
Oracle also fixed a High risk vulnerability CVE-2020-1967 that impacts two different MySQL Connectors – Connector/C++ and Connector/ODBC (OpenSSL).
Oracle Java patches
Oracle also patched 11 new security vulnerabilities in Oracle Java SE. Attackers can remotely exploit all of these vulnerabilities, even without user credentials.
Three High severity Java SE vulnerabilities were fixed (along with affected components):
- CVE-2020-14664 (Java SE JavaFX)
- CVE-2020-14583 (Java SE, Java SE Embedded Libraries)
- CVE-2020-14593 (Java SE, Java SE Embedded 2D).
The CVSS scores range from 7.4 to 8.3.
Oracle Enterprise Manager patches
The Critical Patch Update also addresses 14 new security vulnerabilities in Oracle Enterprise Manager. Remote attackers could exploit 10 of these without user credentials.
One of the patches addresses a Critical vulnerability CVE-2020-9546 in the Enterprise Manager Install (jackson-databind) component of Enterprise Manager.
Another Critical patch addresses an older vulnerability CVE-2017-5645 that affects the Oracle Application Testing Suite.
A third Critical update fixes a vulnerability CVE-2020-1945 in the Networking (Apache Ant) component of Enterprise Manager Ops Center.
In addition, seven other High severity bugs were also addressed in the Enterprise Manager security updates.
Oracle Fusion Middleware patches
Also, Oracle has patched 52 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit a whopping 48 of these vulnerabilities without user authentication.
In all, nearly a dozen Critical vulnerabilities in multiple Fusion Middleware components were addressed, including: CVE-2017-5645, CVE-2019-17531, CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, CVE-2020-14687, CVE-2017-5645, CVE-2017-5645, CVE-2020-1945, and CVE-2020-1945.
All of the Critical vulnerabilities can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products (with counts of Critical severity vulnerabilities):
- Oracle Communications Applications (60 total, 17 critical)
- Oracle Construction and Engineering Suite (20 total, 4 critical)
- Oracle E-Business Suite (30 total, 4 critical)
- Oracle Financial Services Applications (38 total, 11 critical)
- Oracle GraalVM (4 total, 1 critical)
- Oracle Health Sciences Applications (4 total, 2 critical)
- Oracle Hospitality Applications (1 total, 1 critical)
- Oracle JD Edwards Products (6 total, 4 critical)
- Oracle Retail Applications (47 total, 25 critical)
- Oracle Siebel CRM (5 total, 3 critical)
- Oracle Supply Chain Products (22 total, 11 critical)
- Oracle Systems (7 total, 1 critical)
- Oracle Utilities Applications (1 total, 0 critical)
- Oracle Virtualization (25 total, 0 critical).
Overall, the 443 patches in July are up from the 297 patches Oracle released in the April 2019 CPU.
System administrators and users should patch affected products as soon as possible, as noted in the Oracle CPU for July 2020 advisory.