Oracle has released its Critical Patch Update for April 2021 to include 390 vulnerability fixes across multiple products.
The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have successfully exploited vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle Database product patches
As part of the Critical Patch Update, Oracle has addressed ten vulnerabilities in Oracle Database products.
Four of the Oracle Database vulnerabilities are rated High severity to include two that can be remotely exploited without authentication (listed below along with affected components):
- CVE-2020-5360: Oracle Database – Enterprise Edition Security (Dell BSAFE Micro Edition Suite)
- CVE-2020-17527: Workload Manager (Apache Tomcat).
In addition, Oracle patched 49 new vulnerabilities in Oracle MySQL, ten of these vulnerabilities may be remotely exploitable without authentication.
One of the patches addressed a Critical vulnerability CVE-2020-17530 in MySQL Enterprise Monitor, with CVSS score of 9.8. An additional nine were rated High severity and impacted MySQL Cluster, MySQL Enterprise Monitor, MySQL Server and MySQL Workbench products.
Oracle Java patches
Oracle patched four vulnerabilities in Oracle Java SE, two of those are rated High severity as noted below:
- CVE-2021-23841: Oracle GraalVM Enterprise Edition
- CVE-2021-3450: Oracle GraalVM Enterprise Edition.
Each of these issues can be exploited remotely without user credentials.
Oracle Enterprise Manager patches
The Critical Patch Update also addressed nine new security vulnerabilities in Oracle Enterprise Manager, eight of these can be exploited remotely without user credentials.
One of the patches addressed a Critical vulnerability CVE-2019-17195 in Enterprise Manager Base Platform, with CVSS score of 9.8.
An additional six flaws were rated High severity and affected Oracle Application Testing Suite, Enterprise Manager Base Platform, Enterprise Manager Ops Center, Enterprise Manager for Fusion Middleware and Enterprise Manager for Virtualization products.
Oracle Fusion Middleware patches
Also, Oracle has patched 45 new vulnerabilities in Oracle Fusion Middleware. Attackers could remotely exploit 36 of these vulnerabilities without user authentication.
In all, 7 Critical vulnerabilities in multiple Fusion components were addressed as summarized below:
- CVE-2020-9480: Oracle Business Intelligence Enterprise Edition
- CVE-2020-10683: Oracle Fusion Middleware
- CVE-2021-2302: Oracle Platform Security for Java
- CVE-2020-11612: Oracle WebCenter Portal
- CVE-2021-2136: Oracle WebLogic Server
- CVE-2021-2135: Oracle WebLogic Server
- CVE-2019-17638: FMW Platform.
All of these issues can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products (to include total counts and Critical severity vulnerabilities) in the CPU for April 2021:
- Oracle Communications Applications (13 total, 4 critical)
- Oracle Communications (22 total, 1 critical)
- Oracle Construction and Engineering Suite (8 total, 1 critical)
- Oracle E-Business Suite (70 total, 2 critical)
- Oracle Financial Services Applications (15 total, 4 critical)
- Oracle Food and Beverage Applications (2 total, 0 critical)
- Oracle GraalVM (2 total, 0 critical)
- Oracle Health Sciences Applications (3 total, 1 critical)
- Oracle Hospitality Applications (6 total, 2 critical)
- Oracle Hyperion (2 total, 1 critical)
- Oracle iLearning (1 total, 0 critical)
- Oracle Insurance Applications (1 total, 0 critical)
- Oracle JD Edwards (10 total, 1 critical)
- Oracle PeopleSoft (18 total, 0 critical)
- Oracle Policy Automation (0 total, 0 critical)
- Oracle Retail Applications (35 total, 2 critical)
- Oracle Siebel CRM (8 total, 0 critical)
- Oracle Storage Gateway (6 total, 5 critical)
- Oracle Supply Chain Products (5 total, 2 critical)
- Oracle Support Tools (1 total, 0 critical)
- Oracle Systems (5 total, 1 critical)
- Oracle Utilities Applications (5 total, 2 critical)
- Oracle Virtualization (24 total, 3 critical).
Overall, the 390 April patches are up from the 329 patches released in the January 2021 CPU.