Oracle has released its Critical Patch Update for October 2020 to include 402 vulnerability fixes across multiple products.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Oracle Database product patches
This Critical Patch Update has addressed 28 vulnerabilities in Oracle Database products, 18 of them for Oracle Database Server.
In addition, 4 of the Oracle Database vulnerabilities are rated High severity and can be remotely exploited without authentication (listed below along with the affected components):
- CVE-2019-12900: Core RDBMS (bzip2)
- CVE-2020-14735: Scheduler
- CVE-2020-14734: Oracle Text
- CVE-2020-13935: Workload Manager (Apache Tomcat).
In addition, Oracle patched 53 new security vulnerabilities in MySQL. Four of these issues can be remotely exploited without user credentials.
One notable patch includes a fix for Critical vulnerability CVE-2020-8174 in MySQL Cluster (rated CVSS score of 9.8).
The 3 High severity MySQL vulnerabilities that can be exploited without credentials are (along with the affected products):
- CVE-2020-14878: MySQL Server
- CVE-2020-13935: MySQL Enterprise Monitor
- CVE-2020-1967: MySQL Workbench.
Readers may also remember that, as part of the July CPU, Oracle patched the Critical “Ghostcat” vulnerability CVE-2020-1938 in the Apache Tomcat module of MySQL Enterprise Monitor.
Oracle Java patches
Oracle also patched 8 new security vulnerabilities in Oracle Java SE. Attackers can remotely exploit all of these vulnerabilities, even without user credentials.
All of the Java issues are rated Medium to Low severity and carry CVSS scores ranging from 3.1 to 5.3.
Oracle Enterprise Manager patches
The Critical Patch Update also addresses 11 new security vulnerabilities in Oracle Enterprise Manager. Remote attackers could exploit 10 of these without user credentials.
Two of the patches address Critical vulnerabilities (CVE-2018-11058 and CVE-2019-17638) in the Oracle Application Testing Suite product.
Another patch fixes a Critical vulnerability CVE-2019-13990 in Enterprise Manager Ops Center.
In addition, 3 other High severity bugs were also addressed in the Enterprise Manager security updates.
Oracle Fusion Middleware patches
Oracle also patched 46 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 36 of these vulnerabilities without user authentication.
In all, 18 Critical vulnerabilities in multiple Fusion components were addressed, including: CVE-2017-5645, CVE-2017-9800, CVE-2018-11058, CVE-2018-11058, CVE-2018-8088, CVE-2019-10173, CVE-2019-10173, CVE-2019-17267, CVE-2019-17531, CVE-2019-2904, CVE-2019-5482, CVE-2020-10683, CVE-2020-10683, CVE-2020-14825, CVE-2020-14841, CVE-2020-14859, CVE-2020-14882, and CVE-2020-2555.
All of the Critical vulnerabilities can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products (with counts of Critical severity vulnerabilities):
- Oracle Communications Applications (9 total, 3 critical)
- Oracle Construction and Engineering Suite (9 total, 3 critical)
- Oracle E-Business Suite (27 total, 4 critical)
- Oracle Financial Services Applications (53 total, 10 critical)
- Oracle Food and Beverage Applications (4 total, 0 critical)
- Oracle GraalVM (1 total, 0 critical)
- Oracle Health Sciences Applications (4 total, 3 critical)
- Oracle Hospitality Applications (6 total, 1 critical)
- Oracle Hyperion (9 total, 1 critical)
- Oracle Insurance Applications (6 total, 1 critical)
- Oracle PeopleSoft (15 total, 1 critical)
- Oracle Policy Automation (6 total, 0 critical)
- Oracle Retail Applications (28 total, 8 critical)
- Oracle Siebel CRM (3 total, 1 critical)
- Oracle Supply Chain Products (4 total, 2 critical)
- Oracle Systems (8 total, 2 critical)
- Oracle Utilities Applications (5 total, 2 critical)
- Oracle Virtualization (7 total, 0 critical).
Overall, the 402 October patches are down from the 443 patches Oracle released in the July 2020 CPU.
System administrators and users should patch affected products as soon as possible, as noted in Oracle's October 2020 CPU advisory.