SecPod Labs - Oracle Critical Patch Updates April 2020

Oracle has released 397 new security patches as part of its quarterly Critical Patch Update; 262 of the patched vulnerabilities are remotely exploitable without authentication.

Oracle MySQL received 45 security patches, 9 of which address vulnerabilities that can be exploited remotely without authentication. A few of these CVEs, if successfully exploited, can result in unauthorized access to MySQL Workbench data. CVE-2019-15601 and CVE-2019-1547 affect the 'OpenSSL' and 'Compiling' components of MySQL Workbench.

Oracle Java SE received 15 security patches. All 15 vulnerabilities allow remote exploitation over multiple protocols without any form of authentication. Although remotely exploitable, they have not been rated critical because of their high attack complexity. Several of these CVEs are nevertheless among the highest-rated in this update.

Oracle VM VirtualBox received 11 security patches; only 1 of the vulnerabilities can be exploited remotely without authentication. Most of the CVEs are rated High and affect the 'Core' component of Oracle VM VirtualBox. Successful exploitation can lead to a takeover of Oracle VM VirtualBox.

Oracle Critical Patch Update April 2020 Summary

Oracle Database Server

Affected Components: Java VM, Oracle Multimedia, WLM (Apache Tomcat), Core RDBMS, Oracle Text, Oracle Application Express, RDBMS/Optimizer
CVEs: CVE-2016-10251, CVE-2019-17563, CVE-2020-2737, CVE-2019-2853, CVE-2016-7103, CVE-2020-2514, CVE-2020-2734, CVE-2020-2735


Oracle Global Lifecycle Management

Products: Oracle Global Lifecycle Management OPatch
Affected Components: Patch Installer
CVEs: CVE-2019-20330


Oracle Secure Backup

Products: Oracle Secure Backup
Affected Components: PHP
CVEs: CVE-2018-5712


Oracle Communications Applications

Products: Oracle Communications ASAP Cartridges, Oracle Communications Calendar Server, Oracle Communications Converged Application Server – Service Controller, Oracle Communications Diameter Signaling Router (DSR), Oracle Communications Element Manager, Oracle Communications Evolved Communications Application Server, Oracle Communications Messaging Server, Oracle Communications Operations Monitor, Oracle Communications Service Broker, Oracle Communications Services Gatekeeper, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager, Oracle Communications Unified Inventory Management, Oracle Communications WebRTC Session Controller, Oracle SD-WAN Edge
CVEs: CVE-2015-3253, CVE-2016-4000, CVE-2017-12626, CVE-2018-1000180, CVE-2018-15756, CVE-2018-20852, CVE-2018-8039, CVE-2019-0211, CVE-2019-0222, CVE-2019-0227, CVE-2019-10072, CVE-2019-10082, CVE-2019-10088, CVE-2019-1010238, CVE-2019-10247, CVE-2019-11358, CVE-2019-14379, CVE-2019-14821, CVE-2019-15163, CVE-2019-16943, CVE-2019-2729, CVE-2019-2904, CVE-2019-5482


Oracle Construction and Engineering

Products: Instantis EnterpriseTrack, Primavera Gateway, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier
Affected Components: Admin (Apache Commons Beanutils), Admin (Apache Commons Compress), Admin (Connect2id Nimbus JOSE+JWT), Admin (jackson-databind), Generic (Apache HTTP Server), Generic (Apache Tomcat), Infrastructure (Quartz), Infrastructure (jackson-databind), Logging (Log4j), Office Open document processor (Apache POI), Project Manager
CVEs: CVE-2017-5645, CVE-2019-10082, CVE-2019-10086, CVE-2019-12402, CVE-2019-12415, CVE-2019-13990, CVE-2019-16943, CVE-2019-17195, CVE-2019-17563, CVE-2020-2594, CVE-2020-2706


Oracle E-Business Suite

Products: Oracle Advanced Outbound Telephony, Oracle Applications Framework, Oracle CRM Gateway for Mobile Devices, Oracle CRM Technical Foundation, Oracle Common Applications Calendar, Oracle Customer Interaction History, Oracle Depot Repair, Oracle Document Management and Collaboration, Oracle E-Business Intelligence, Oracle Email Center, Oracle General Ledger, Oracle Human Resources, Oracle Knowledge Management, Oracle Learning Management, Oracle Marketing, Oracle Marketing Encyclopedia System, Oracle One-to-One Fulfillment, Oracle Partner Management, Oracle Quoting, Oracle Scripting, Oracle Service Intelligence, Oracle Trade Management, Oracle Universal Work Queue, Oracle Workflow, Oracle iStore, Oracle iSupplier Portal, Oracle iSupport
CVEs: CVE-2020-2750, CVE-2020-2753, CVE-2020-2772, CVE-2020-2789, CVE-2020-2794, CVE-2020-2796, CVE-2020-2807 to CVE-2020-2810, CVE-2020-2813, CVE-2020-2815, CVE-2020-2817 to CVE-2020-2827, CVE-2020-2831 to CVE-2020-2850, CVE-2020-2852, CVE-2020-2854 to CVE-2020-2858, CVE-2020-2860 to CVE-2020-2864, CVE-2020-2866, CVE-2020-2870 to CVE-2020-2874, CVE-2020-2876 to CVE-2020-2882, CVE-2020-2885 to CVE-2020-2890, CVE-2020-2956


Oracle Enterprise Manager

Products: Enterprise Manager Base Platform, Oracle Real User Experience Insight, Oracle Application Testing Suite, Application Service Level Management
Affected Components: Discovery Framework (OpenSSL), Discovery Framework (Oracle OHS), EM Request Monitoring, Install (Perl), Oracle Flow Builder (Apache Axis), Processing (Oracle Instant Client), Service Level Agreements (jQuery)
CVEs: CVE-2018-11058, CVE-2018-18311, CVE-2019-0227, CVE-2019-11358, CVE-2019-1543, CVE-2020-2946, CVE-2020-2961


Oracle Financial Services Applications

Products: Oracle Banking Enterprise Collections, Oracle Banking Enterprise Originations, Oracle Banking Enterprise Product Manufacturing, Oracle Banking Platform, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Asset Liability Management, Oracle Financial Services Balance Sheet Planning, Oracle Financial Services Data Foundation, Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, Oracle Financial Services Funds Transfer Pricing, Oracle Financial Services Hedge Management and IFRS Valuations, Oracle Financial Services Liquidity Risk Management, Oracle Financial Services Liquidity Risk Measurement and Management, Oracle Financial Services Loan Loss Forecasting and Provisioning, Oracle Financial Services Market Risk Measurement and Management, Oracle Financial Services Price Creation and Discovery, Oracle Financial Services Profitability Management, Oracle Financial Services Revenue Management and Billing Analytics, Oracle FLEXCUBE Core Banking, Oracle FLEXCUBE Private Banking, Oracle Insurance Accounting Analyzer
CVEs: CVE-2017-12626, CVE-2019-0227, CVE-2019-10088, CVE-2019-10247, CVE-2019-12415, CVE-2019-12419, CVE-2019-13990, CVE-2019-16943, CVE-2019-17091, CVE-2019-17359, CVE-2019-2904, CVE-2020-2793, CVE-2020-2891, CVE-2020-2935 to CVE-2020-2943, CVE-2020-2945, CVE-2020-2955, CVE-2020-2964


Oracle Food and Beverage Applications

Affected Components: Oracle Hospitality Reporting and Analytics
CVEs: CVE-2020-2746


Oracle Fusion Middleware

Products: Identity Manager Connector, Oracle Access Manager, Oracle API Gateway, Oracle Big Data Discovery, Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle Endeca Information Discovery Integrator, Oracle Endeca Server, Oracle Fusion Middleware MapViewer, Oracle Global Lifecycle Management NextGen OUI Framework, Oracle HTTP Server, Oracle Managed File Transfer, Oracle Outside In Technology, Oracle SOA Suite, Oracle Unified Directory, Oracle WebCenter Portal, Oracle WebCenter Sites, Oracle WebLogic Server
CVEs: CVE-2015-7940, CVE-2016-1000031, CVE-2016-10328, CVE-2017-12626, CVE-2017-5130, CVE-2018-15756, CVE-2018-20622, CVE-2018-20843, CVE-2019-0222, CVE-2019-10088, CVE-2019-10247, CVE-2019-11358, CVE-2019-12415, CVE-2019-13990, CVE-2019-1547, CVE-2019-15903, CVE-2019-16168, CVE-2019-16943, CVE-2019-17359, CVE-2019-17571, CVE-2020-2739, CVE-2020-2740, CVE-2020-2745, CVE-2020-2747, CVE-2020-2766, CVE-2020-2783, CVE-2020-2784, CVE-2020-2785, CVE-2020-2786, CVE-2020-2787, CVE-2020-2798, CVE-2020-2801, CVE-2020-2811, CVE-2020-2828, CVE-2020-2829, CVE-2020-2867, CVE-2020-2869, CVE-2020-2883, CVE-2020-2884, CVE-2020-2915, CVE-2020-2949, CVE-2020-2950, CVE-2020-2952


Oracle GraalVM

Products: Oracle GraalVM Enterprise Edition
Affected Components: Java, GraalVM Compiler, Tools, JavaScript (Node.js)
CVEs: CVE-2019-15606, CVE-2020-2799, CVE-2020-2802, CVE-2020-2803, CVE-2020-2900


Oracle Health Sciences Applications

Products: Oracle GraalVM Enterprise Edition
Affected Components: Installation (Eclipse Mojarra), Policy Engine (Eclipse Mojarra)
CVEs: CVE-2019-17091


Oracle Hyperion Risk

Products: Hyperion Financial Management, Hyperion Financial Reporting
Affected Components: Security, Security (Application Development Framework), Web Based Report Designer
CVEs: CVE-2020-2769, CVE-2020-2770, CVE-2020-2899


Oracle Java SE

Products: Java SE, Java SE Embedded
Affected Components: Advanced Management Console, Concurrency, JavaFX (libxslt), JSSE, Libraries, Lightweight HTTP Server, Scripting, Security, Serialization
CVEs: CVE-2019-18197, CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2764, CVE-2020-2767, CVE-2020-2773, CVE-2020-2778, CVE-2020-2781, CVE-2020-2800, CVE-2020-2803, CVE-2020-2805, CVE-2020-2816, CVE-2020-2830


Oracle JD Edwards

Products: JD Edwards EnterpriseOne Tools, JD Edwards World Security
Affected Components: Monitoring and Diagnostics, Enterprise Infrastructure Security (Oracle Security Service), Enterprise Infrastructure Security (OpenSSL), World Software Security (OpenSSL)
CVEs: CVE-2019-1547, CVE-2020-2733, CVE-2018-11058


Oracle Knowledge

Products: Oracle Knowledge
Affected Components: Answer Flow (jQuery), Information Manager Console, Information Manager Console (Apache Axis), Information Manager Console (Apache Standard Taglibs), Information Manager Console (Apache Tika), Information Manager Console, Web Applications – InfoCenter (Apache Commons FileUpload), Information Manager Console, Web Applications – InfoCenter (jQuery), InQuira Search, Web Applications – InfoCenter, Web Applications – InfoCenter (AntiSamy), Web Applications – InfoCenter (Apache Commons Fileupload), Web Applications – InfoCenter (Apache Derby)
CVEs: CVE-2015-0254, CVE-2015-1832, CVE-2015-9251, CVE-2016-1000031, CVE-2016-3092, CVE-2017-14735, CVE-2018-17197, CVE-2019-0227, CVE-2019-11358, CVE-2020-2522, CVE-2020-2524, CVE-2020-2553, CVE-2020-2791, CVE-2020-2795, CVE-2020-2931, CVE-2020-2932


Oracle MySQL

Products: MySQL Client, MySQL Cluster, MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench
CVEs: CVE-2019-14889, CVE-2019-1547, CVE-2019-15601, CVE-2019-17563, CVE-2019-19646, CVE-2019-5482, CVE-2020-2752, CVE-2020-2759 to CVE-2020-2763, CVE-2020-2765, CVE-2020-2768, CVE-2020-2770, CVE-2020-2774, CVE-2020-2779, CVE-2020-2780, CVE-2020-2790, CVE-2020-2804, CVE-2020-2806, CVE-2020-2812, CVE-2020-2814, CVE-2020-2853, CVE-2020-2875, CVE-2020-2892, CVE-2020-2893, CVE-2020-2895, CVE-2020-2896, CVE-2020-2897, CVE-2020-2898, CVE-2020-2901, CVE-2020-2903, CVE-2020-2904, CVE-2020-2921 to CVE-2020-2926, CVE-2020-2928, CVE-2020-2930, CVE-2020-2933, CVE-2020-2934


Oracle PeopleSoft

Products: PeopleSoft Enterprise CS Campus Community, PeopleSoft Enterprise HCM Absence Management, PeopleSoft Enterprise HRMS, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise SCM Purchasing
Affected Components: Absence Management, Candidate Gateway, Diagnostic Framework, nVision, Portal, Process Scheduler, Purchasing, Query, Security, Security (Bouncy Castle Java Library), Self-Service, Supplier Change, Tools Admin API (Apache Axis)
CVEs: CVE-2019-0227, CVE-2019-17359, CVE-2020-2751, CVE-2020-2775, CVE-2020-2776, CVE-2020-2782, CVE-2020-2797, CVE-2020-2859, CVE-2020-2868, CVE-2020-2899, CVE-2020-2906, CVE-2020-2912, CVE-2020-2947, CVE-2020-2954


Oracle Retail Applications

Products: MICROS Relate CRM Software, Oracle Retail Advanced Inventory Planning, Oracle Retail Back Office, Oracle Retail Central Office, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Merchandising System, Oracle Retail Order Broker, Oracle Retail Point-of-Service, Oracle Retail Predictive Application Server, Oracle Retail Returns Management, Oracle Retail Store Inventory Management, Oracle Retail Xstore Point of Service
CVEs: CVE-2017-12626, CVE-2017-3160, CVE-2017-5533, CVE-2017-5645, CVE-2018-10237, CVE-2018-11058, CVE-2018-11797, CVE-2018-1258, CVE-2019-0227, CVE-2019-10072, CVE-2019-10082, CVE-2019-10086, CVE-2019-10173, CVE-2019-13990, CVE-2019-17091, CVE-2019-17359, CVE-2019-17563, CVE-2019-2880, CVE-2020-2953, CVE-2020-5398


Oracle Siebel CRM

Products: Siebel UI Framework
Affected Components: EAI, SWSE
CVEs: CVE-2020-2738


Oracle Supply Chain

Products: Oracle Agile PLM, Oracle Configurator, Oracle In-Memory Performance-Driven Planning, Oracle Transportation Management
Affected Components: User Interface (Log4j), Security, Installation
CVEs: CVE-2017-5645, CVE-2020-2744, CVE-2020-2865, CVE-2020-2920


Oracle Systems

Products: Oracle Solaris, StorageTek Tape Analytics SW Tool, Sun ZFS Storage Appliance Kit
Affected Components: Application Server (Oracle WebLogic Server), Common Desktop Environment, Operating System Image, SMB Server Kernel Module, SMF command svcbundle, Software (jQuery), Whodo
CVEs: CVE-2018-1165, CVE-2019-11358, CVE-2019-2729, CVE-2020-2749, CVE-2020-2771, CVE-2020-2851, CVE-2020-2927, CVE-2020-2944


Oracle Support Tools

Products: OSS Support Tools
Affected Components: Services Tools Bundle (cURL)
CVEs: CVE-2019-5482, CVE-2019-15601


Oracle Utilities Applications

Products: Oracle Utilities Framework, Oracle Utilities Network Management System
Affected Components: Common (Dom4J), Upload (Apache POI)
CVEs: CVE-2018-1000632, CVE-2017-12626


Oracle Virtualization

Products: Oracle VM VirtualBox
Affected Components: Core
CVEs: CVE-2020-2741, CVE-2020-2742, CVE-2020-2743, CVE-2020-2748, CVE-2020-2758, CVE-2020-2894, CVE-2020-2902, CVE-2020-2905, CVE-2020-2907 to CVE-2020-2911, CVE-2020-2913, CVE-2020-2914, CVE-2020-2929, CVE-2020-2951, CVE-2020-2958, CVE-2020-2959


Article Name: Oracle Critical Updates April 2020
Publisher: SecPod Technologies
