Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties Oracle's previous all-time high for the number of patches issued in a single update, set in July 2019, which had itself overtaken the earlier record of 308 in July 2017.
The company said in a pre-release announcement that some of the vulnerabilities affect multiple products. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible,” it added.
“Some of these vulnerabilities were remotely exploitable, not requiring any login data; therefore posing an extremely high risk of exposure,” said Boris Cipot, senior security engineer at Synopsys, speaking to Threatpost. “Additionally, there were database, system-level, Java and virtualization patches within the scope of this update. These are all critical elements within a company’s infrastructure, and for this reason the update should be considered mandatory. At the same time, organizations need to take into account the impact that this update could have on their systems, scheduling downtime accordingly.”
The updates include fixes for Oracle's most widely deployed products, including the Oracle Database Server (12 patches total, three remotely exploitable without authentication); Oracle Communications Applications (25 patches, 23 remotely exploitable without authentication, six critical); Oracle Enterprise Manager (50 patches, 10 remotely exploitable without authentication, four critical); Oracle Fusion Middleware (38 patches, 30 remotely exploitable without authentication, three critical); Oracle MySQL (19 patches, six remotely exploitable without authentication); and the Oracle E-Business Suite (23 patches, 21 remotely exploitable without authentication, two critical).
In its customer relationship management (CRM) platforms, there are 15 patches for Oracle PeopleSoft (12 remotely exploitable without authentication, two critical); and five patches for Oracle Siebel CRM (all remotely exploitable without authentication, two critical).
On the vertical-specific software front, Oracle patched 12 bugs in Oracle Construction and Engineering (eight remotely exploitable without authentication, two critical); 24 flaws in Oracle Financial Services Applications (six remotely exploitable without authentication); one bug in Oracle Food and Beverage Applications; three in Oracle Health Sciences Applications (all remotely exploitable without authentication, three critical); five patches for Oracle Hospitality Applications (two remotely exploitable without authentication); one patch for Oracle iLearning; nine patches for Oracle JD Edwards (all remotely exploitable without authentication, four critical); four patches for Oracle Utilities Applications (all remotely exploitable without authentication, one critical); and 22 patches for Oracle Retail Applications (14 remotely exploitable without authentication, eight critical).
January's massive CPU also features 17 patches for Oracle Systems (eight remotely exploitable without authentication, three critical); two patches for Oracle Hyperion (one remotely exploitable without authentication, and critical); eight patches for Oracle Supply Chain (all remotely exploitable without authentication, one critical); five patches for Oracle GraalVM (three remotely exploitable without authentication, one critical); and 22 patches for Oracle Virtualization (three remotely exploitable without authentication).
And finally, the vendor issued 12 security patches for Oracle Java SE. All of the vulnerabilities are remotely exploitable without authentication. As in every CPU, Oracle's CVSS scores for the client-side Java bugs assume that the user running a Java applet or Java Web Start application has administrator privileges (typical on Windows); where the user runs without administrator privileges (typical on Linux and Solaris), the impact and resulting severity are lower.
“Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases,” according to Oracle.
“There’s so much to go through with 300+ patches,” said Dustin Childs, manager at Trend Micro’s Zero-Day Initiative, in an email to Threatpost. “If you’re an Oracle sysadmin, I’d recommend focusing first on the patches that can be exploited with no user interaction and do not require authentication. Specifically, bugs like CVE-2020-11058 and CVE-2019-2904 should make Oracle database admins nervous. There are also multiple patches to address bugs from 2016, 2017 and 2018, which shows how bad the patch can be for complex systems.”
Other researchers flagged additional flaws that the update addresses.
“Organizations should not overlook the recent critical security patches released by Oracle today,” Chris Hass, director of information security and research at Automox, told Threatpost. “CVE-2019-10072 [in Oracle Database Server], for example, has been around for some time now, is easily exploitable, and allows an unauthenticated attacker with network access via HTTP to compromise Workload Manager (Apache Tomcat).”
He added, "What is concerning now is that some vulnerability has been public for over two years, but it's just now being addressed. Based off my experience, I would recommend any organization that is using this product to do a full security audit of their infrastructure to ensure that this vulnerability has not already been used to compromise their environment. The fundamentals of cyber-hygiene are not just a weight that users have to bear but one that must rest on the manufacturers as well. If any manufacturers are not providing the proper and timely security updates and patches for the programs and infrastructure they are selling, they are leaving their users at risk."
Also adding to Tuesday's patch bonanza were Adobe's security updates for Illustrator CC for Windows and Experience Manager, while Microsoft took the wraps off its January 2020 Patch Tuesday, tackling 50 bugs, eight of them rated critical, as it pushed out its last regular Windows 7 patches. These included a major crypto-spoofing bug (CVE-2020-0601) affecting Windows 10 users that was reported by the NSA. Intel also issued an update covering a high-severity privilege-escalation flaw.
“[Oracle’s CVE-2019-10072] also received a similar CVSS score (8.1) as CVE-2020-0601,” noted Hass.