Business software giant Oracle is urging customers to update their systems in the October release of its quarterly Critical Patch Update (CPU), which fixes 402 vulnerabilities across various product families.
Well over half (272) of these vulnerabilities open products up to remote exploitation without authentication. That means the flaws may be exploited over a network without requiring user credentials.
The majority of the flaws are in Oracle Financial Services Applications (53), Oracle MySQL (53), Oracle Communications (52), Oracle Fusion Middleware (46), Oracle Retail Applications (28) and Oracle E-Business Suite (27). But overall, 27 Oracle product families are affected by the flaws. Users can find a patch availability document for each product.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” according to the company’s release on Tuesday. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”
While details of the flaws themselves are scant, two of the critical vulnerabilities disclosed by Oracle carry the highest severity score – 10 out of 10 – on the CVSS scale.
These include a flaw in the self-service analytics component of Oracle Healthcare Foundation, which is a unified healthcare-analytics platform that is part of the Oracle Health Science Applications suite. The flaw (CVE-2020-1953), which can be remotely exploited without requiring any user credentials, requires no user interaction and is easy to exploit, according to Oracle. Affected supported versions include 7.1.1, 7.2.0, 7.2.1 and 7.3.0.
The second severe flaw (CVE-2020-14871) exists in the pluggable authentication module of Oracle Solaris, its enterprise operating system for Oracle Database and Java applications (part of the Oracle Systems risk matrix). The flaw is also remotely exploitable without user credentials, requires no user interaction and is a “low-complexity” attack. Versions 10 and 11 are affected.
Sixty-five of the vulnerabilities also had a CVSS base score of 9.8 (and six had a score of 9.4) out of 10, making them critical in severity.
Oracle did offer some workarounds. For attacks that require certain privileges or access to certain packages, removing those privileges or that package access from users who do not need them may help reduce the risk of a successful attack. Users can also reduce the risk by blocking the network protocols an attack requires.
However, both these approaches may break application functionality, and Oracle does not recommend that either approach be considered a long-term solution as neither corrects the underlying problem.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,” according to the company.
Oracle releases its CPUs on the Tuesday closest to the 17th day of January, April, July and October.
Previous quarterly updates have stomped out hundreds of bugs across the company’s product lines, including one in April that patched 405. There are also out-of-band updates; in June for instance, Oracle warned of a critical remote code-execution flaw in its WebLogic Server being actively exploited in the wild.