Oracle Critical Updates October 2020

Oracle has released 402 new security patches as part of its quarterly Critical Patch Update cycle. 270 of these vulnerabilities are remotely exploitable without user credentials.

Oracle MySQL received 53 security patches. 4 of these vulnerabilities can be exploited over the network without any form of authentication. CVE-2020-8174 is considered the most critical of them; it affects the 'Node.js' component of MySQL Cluster, and successful exploitation can lead to a takeover of MySQL Cluster.

Oracle Java SE received 8 security patches. All of these vulnerabilities allow remote exploitation over multiple protocols without any form of authentication. Although they are remotely exploitable, none has been rated critical, because of their high attack complexity. CVE-2020-14803 has the highest rating in the list; successful exploitation gives an unauthorized attacker complete access to critical Java SE and Java SE Embedded accessible data.

Oracle VM VirtualBox received 7 security patches. None of the vulnerabilities can be exploited remotely without authentication. CVE-2020-14872 has been rated high and affects the 'Core' component of Oracle VM VirtualBox; successful exploitation can lead to a takeover of Oracle VM VirtualBox.

Oracle Critical Patch Update October 2020 Summary

Oracle MySQL

Products: MySQL Cluster, MySQL Server, MySQL Workbench, MySQL Enterprise Monitor

Affected Components: Server: PS, Server: Optimizer, Server: Security: Privileges, MySQL Workbench (libssh), Server: Security: Encryption, Server: Locking, Cluster: JS module (Node.js), Server: Security: LDAP Auth, Server: DDL, Server: Security: Roles, Cluster: NDBCluster Plugin, Server: Charsets, Server: FTS, InnoDB, Server: Stored Procedure, Server: DML, Server: Logging, Monitoring: General (Apache Tomcat), Server: X Plugin, Workbench: Security: Encryption (OpenSSL)
CVEs : CVE-2020-8174, CVE-2020-14878, CVE-2020-13935, CVE-2020-1967, CVE-2020-14828, CVE-2020-14775, CVE-2020-14765, CVE-2020-14769, CVE-2020-14830, CVE-2020-14836, CVE-2020-14846, CVE-2020-14800, CVE-2020-14827, CVE-2020-14760, CVE-2020-1730, CVE-2020-14776, CVE-2020-14821, CVE-2020-14829, CVE-2020-14848, CVE-2020-14852, CVE-2020-14814, CVE-2020-14789, CVE-2020-14804, CVE-2020-14812, CVE-2020-14773, CVE-2020-14777, CVE-2020-14785, CVE-2020-14793, CVE-2020-14794, CVE-2020-14809, CVE-2020-14837, CVE-2020-14839, CVE-2020-14845, CVE-2020-14861, CVE-2020-14866, CVE-2020-14868, CVE-2020-14888, CVE-2020-14891, CVE-2020-14893, CVE-2020-14786, CVE-2020-14790, CVE-2020-14844, CVE-2020-14799, CVE-2020-14869, CVE-2020-14672, CVE-2020-14870, CVE-2020-14853, CVE-2020-14867, CVE-2020-14873, CVE-2020-14838, CVE-2020-14860, CVE-2020-14791, CVE-2020-14771


Oracle Java SE

Products: Java SE, Java SE Embedded

Affected Components: Libraries, JNDI, Hotspot, Serialization
CVEs : CVE-2020-14803, CVE-2020-14792, CVE-2020-14781, CVE-2020-14782, CVE-2020-14797, CVE-2020-14779, CVE-2020-14796, CVE-2020-14798


Oracle Virtualization

Products: Oracle VM VirtualBox

Affected Components: Core
CVEs : CVE-2020-14872, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886, CVE-2020-14889, CVE-2020-14892


Oracle Database Server

Products: Oracle Application Express Group Calendar, Oracle Application Express, Database Filesystem, ORDS (jQuery), Oracle Application Express Data Reporter, Oracle Application Express (jQuery), Workload Manager (Apache Tomcat), Core RDBMS, Java VM, Oracle Text, Oracle Application Express Quick Poll, Scheduler, Oracle Application Express Packaged Apps, Core RDBMS (bzip2), RDBMS Security, SQL Developer Install, Database Vault

Affected Components: SQL Workshop, Client Computer User Account, Valid User Account, Resource, Create Table, Create View, Create Procedure, Dbfs_role, Create Public Synonym, Local Logon, Analyze Any, DBA Level Account, Create Procedure, SYSDBA level account
CVEs : CVE-2019-12900, CVE-2020-14735, CVE-2020-14734, CVE-2020-13935, CVE-2020-11023, CVE-2020-14762, CVE-2020-9281, CVE-2020-14899, CVE-2020-14900, CVE-2020-14898, CVE-2020-14763, CVE-2020-14741, CVE-2020-14901, CVE-2020-14736, CVE-2020-14743, CVE-2020-14740, CVE-2020-14742


Oracle Construction and Engineering

Products: Primavera Unifier, Primavera Gateway, Instantis EnterpriseTrack

Affected Components: Platform (Apache Derby), Platform (Apache Solr), Admin (Swagger UI), Platform (iText), Core (Apache Kafka), Core (Apache HTTP Server), Core (Apache Log4j), Core (Apache Tomcat), Platform (Apache Tika)
CVEs : CVE-2020-11984, CVE-2019-17495, CVE-2015-1832, CVE-2017-9096, CVE-2020-13935, CVE-2019-17558, CVE-2018-17196, CVE-2020-9489, CVE-2020-9488


Oracle E-Business Suite

Products: Oracle CRM Technical Foundation, Oracle Trade Management, Oracle Applications Framework, Oracle Marketing, Oracle Applications Manager, Oracle Universal Work Queue, Oracle One-to-One Fulfillment, Oracle E-Business Suite Secure Enterprise Search, Oracle Installed Base, Oracle Application Object Library

Affected Components: Internal Operations, Search Integration Engine, AMP EBS Integration, SQL Extensions, Preferences, Flex Fields, Work Provider Administration, Diagnostics, APIs, User Interface, Popup windows, Oracle Diagnostics Interfaces, Marketing Administration, Print Server
CVEs : CVE-2020-14855, CVE-2020-14805, CVE-2020-14875, CVE-2020-14876, CVE-2020-14862, CVE-2020-14850, CVE-2020-14816, CVE-2020-14817, CVE-2020-14831, CVE-2020-14835, CVE-2020-14849, CVE-2020-14819, CVE-2020-14863, CVE-2020-14808, CVE-2020-14833, CVE-2020-14834, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857, CVE-2020-14774, CVE-2020-14761, CVE-2020-14823, CVE-2020-14811, CVE-2020-14826, CVE-2020-14840, CVE-2020-14746, CVE-2020-14822


Oracle Enterprise Manager

Products: Oracle Application Testing Suite, Enterprise Manager Ops Center, Enterprise Manager Base Platform, Application Performance Management (APM), Enterprise Manager for Peoplesoft, Enterprise Manager for Storage Management

Affected Components: Event Management, Connector Framework (Apache CXF), PSEM Plugin (Apache Log4j), Reports in Ops Center (jQuery), Load Testing for Web Apps (Spring Framework), Load Testing for Web Apps (Eclipse Jetty), Agent Provisioning (Quartz Scheduler), Connector Framework (Spring Framework), Load Testing for Web Apps (RSA BSAFE Crypto-C), Privilege Management (OpenSSL), Comp Management and Life Cycle Management (RSA BSAFE Crypto-J)
CVEs : CVE-2019-13990, CVE-2018-11058, CVE-2019-17638, CVE-2020-5398, CVE-2020-1967, CVE-2019-3740, CVE-2019-2897, CVE-2020-11022, CVE-2020-1954, CVE-2020-9488


Oracle Financial Services Applications

Products: Oracle Financial Services Institutional Performance Analytics, Oracle Banking Digital Experience, Oracle Financial Services Market Risk Measurement and Management, Oracle Financial Services Analytical Applications Reconciliation Framework, Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, Oracle Insurance Data Foundation, Oracle FLEXCUBE Core Banking, Oracle Banking Payments, Oracle Financial Services Asset Liability Management, Oracle Financial Services Price Creation and Discovery, Oracle Financial Services Balance Sheet Planning, Oracle Financial Services Liquidity Risk Measurement and Management, Oracle Financial Services Analytical Applications Infrastructure, Oracle Insurance Allocation Manager for Enterprise Profitability, Oracle Financial Services Loan Loss Forecasting and Provisioning, Oracle Financial Services Data Foundation, Oracle Financial Services Regulatory Reporting for US Federal Reserve, Oracle FLEXCUBE Direct Banking, Oracle Financial Services Data Governance for US Regulatory Reporting, Oracle FLEXCUBE Private Banking, Oracle Financial Services Hedge Management and IFRS Valuations, Oracle Financial Services Basel Regulatory Capital Basic, Oracle Financial Services Data Integration Hub, Oracle Banking Corporate Lending, Oracle Financial Services Funds Transfer Pricing, Oracle Insurance Accounting Analyzer, Oracle FLEXCUBE Universal Banking, Oracle Financial Services Regulatory Reporting for European Banking Authority, Oracle Financial Services Retail Customer Analytics, Oracle Financial Services Regulatory Reporting with AgileREPORTER, Oracle Financial Services Liquidity Risk Management, Oracle Financial Services Profitability Management, Oracle Banking Platform

Affected Components: User Interface (jQuery), Core (Apache ActiveMQ), User Interface (Apache Log4j), User Interface (jackson-databind), Core (Apache Camel), Collections (xstream), Infrastructure (Apache log4j), Core (Spring Framework), Core, Infrastructure, IFRS17 (jQuery), Pre Login, Core (Eclipse Jetty), Collections (Swagger UI), Framework (jQuery), Infrastructure (dom4j), Framework (jackson-databind), Core (Apache Log4j), Infrastructure (jQuery), Core (Apache Ant), Core (Apache Tika), Infrastructure (jackson-databind), Collections (dom4j), Infrastructure (Apache Log4j)
CVEs : CVE-2019-17495, CVE-2020-10683, CVE-2019-10173, CVE-2020-9546, CVE-2017-5645, CVE-2020-11973, CVE-2020-14824, CVE-2020-14195, CVE-2020-5398, CVE-2020-14894, CVE-2020-14896, CVE-2020-14890, CVE-2020-14897, CVE-2020-14887, CVE-2020-11022, CVE-2020-1941, CVE-2020-1951, CVE-2019-10247, CVE-2020-9488


Oracle Food and Beverage Applications

Products: Oracle Hospitality Simphony, Oracle Hospitality Materials Control, Oracle Hospitality RES 3700, Oracle Hospitality Reporting and Analytics

Affected Components: Mobile Authorization (jQuery), Simphony Apps (jQuery), Installation, CAL
CVEs : CVE-2020-11022, CVE-2020-14753, CVE-2020-14783


Oracle Fusion Middleware

Products: Oracle GoldenGate Application Adapters, Oracle Access Manager, Oracle WebCenter Portal, Oracle Outside In Technology, Oracle Endeca Information Discovery Integrator, Identity Manager Connector, Oracle Business Process Management Suite, Oracle Business Intelligence Enterprise Edition, Oracle Endeca Information Discovery Studio, Oracle Data Integrator, Oracle HTTP Server, Oracle BI Publisher, Management Pack for Oracle GoldenGate, Oracle WebLogic Server, Oracle JDeveloper, Oracle Enterprise Repository, Oracle Managed File Transfer, BI Publisher

Affected Components: Analytics Actions, Analytics Web Administration, General and Misc (Apache Log4j), Console, Core (Apache HTTP Server), Build Request (jackson-databind), Installation (SQLite), MFT Runtime Server (Apache Tomcat), Centralized Thirdparty Jars (jackson-databind), Security Framework (Oracle Coherence), BI Publisher Security (jQuery), Security Subsystem – 12c (Application Development Framework), Core, SSL Module (OpenSSL), Install, config, upgrade (Apache HTTP Server), Endeca Server (xstream), Monitor (SNMP), Application Adapters (SLF4J), Security Framework (xstream), ADF Faces (jQuery), Installation, Web Services, Security Service (RSA BSAFE), Jave APIs (BeanShell), Web Listener (cURL), Runtime Engine (jQuery), Mobile Service, Console (jQuery), Runtime Engine (Application Development Framework), Core (Apache Log4j), E-Business Suite – XDO, Web Server Plugin (RSA BSafe), Portlet Services (dom4j), Runtime Engine (Apache Ant), Installation (OpenJPEG), Document Service (Apache Tika), Blogs and Wikis (CKEditor), BI Publisher Security, Integrator ETL (dom4j)
CVEs : CVE-2017-5645, CVE-2018-11058, CVE-2017-9800, CVE-2020-10683, CVE-2019-10173, CVE-2019-2904, CVE-2018-8088, CVE-2019-17531, CVE-2019-5482, CVE-2020-2555, CVE-2019-17267, CVE-2020-14882, CVE-2020-14841, CVE-2020-14825, CVE-2020-14859, CVE-2020-14879, CVE-2020-14880, CVE-2020-14842, CVE-2020-14784, CVE-2020-14815, CVE-2016-2510, CVE-2020-3235, CVE-2020-14864, CVE-2020-1967, CVE-2020-14820, CVE-2019-10097, CVE-2020-14883, CVE-2020-14780, CVE-2020-14843, CVE-2020-14766, CVE-2020-9484, CVE-2020-14757, CVE-2020-15389, CVE-2020-1945, CVE-2019-11358, CVE-2020-11022, CVE-2020-9281, CVE-2020-1951, CVE-2020-13631, CVE-2020-9488


Oracle GraalVM

Products: Oracle GraalVM Enterprise Edition

Affected Components: Java
CVEs : CVE-2020-14803


Oracle Health Sciences Applications

Products: Oracle Healthcare Foundation, Oracle Health Sciences Empirica Signal, Oracle Healthcare Data Repository

Affected Components: Database Module (Oracle Coherence), Admin Console (jQuery), User Interface (dom4j), Self Service Analytics (Apache Commons Configuration)
CVEs : CVE-2020-1953, CVE-2020-10683, CVE-2020-2555, CVE-2020-11022


Oracle Hospitality Applications

Products: Oracle Hospitality Guest Access, Oracle Hospitality Suite8, Oracle Hospitality OPERA 5 Property Services

Affected Components: Logging, Base (Apache Tomcat), WebConnect, Base (Eclipse Jetty)
CVEs : CVE-2019-17638, CVE-2020-14807, CVE-2020-9484, CVE-2020-14858, CVE-2020-14877, CVE-2020-14810


Oracle Hyperion

Products: Hyperion BI+, Hyperion Lifecycle Management, Hyperion Analytic Provider Services, Hyperion Infrastructure Technology, Hyperion Essbase, Hyperion Planning

Affected Components: Security and Provisioning (OpenSSL), Smart View Provider, Shared Services, Security and Provisioning (cURL), IQR-Foundation service, UI and Visualization, Application Development Framework
CVEs : CVE-2019-5482, CVE-2020-14854, CVE-2019-1547, CVE-2020-14768, CVE-2020-14767, CVE-2020-14752, CVE-2020-14772, CVE-2020-14764, CVE-2020-14770


Oracle PeopleSoft

Products: PeopleSoft Enterprise SCM eSupplier Connection, PeopleSoft Enterprise HCM Global Payroll Core, PeopleSoft Enterprise PeopleTools

Affected Components: Tools Admin API (Apache Log4j), eSupplier Connection, Portal, Charting (jQuery), Weblogic (RSA BSafe), Updates Environment Mgmt (Apache Log4j), Elastic Search (Apache CXF), PIA Core Technology, PIA Grids, Query, Security, Integration Broker, PIA Core Technology (jQuery)
CVEs : CVE-2018-11058, CVE-2020-14865, CVE-2020-14795, CVE-2020-14778, CVE-2020-14832, CVE-2020-14801, CVE-2020-14802, CVE-2020-11022, CVE-2020-14813, CVE-2020-1954, CVE-2020-14806, CVE-2020-9488, CVE-2020-14847


Oracle Policy Automation

Products: Oracle Policy Automation for Mobile Devices, Oracle Policy Automation Connector for Siebel, Oracle Policy Automation

Affected Components: Core (jQuery), Core (Apache Log4j)
CVEs : CVE-2020-11022, CVE-2020-9488


Oracle Retail Applications

Products: Oracle Retail Price Management, Oracle Retail Central Office, Oracle Retail Service Backbone, Oracle Retail Advanced Inventory Planning, Oracle Retail Order Broker, Oracle Retail Back Office, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Assortment Planning, Oracle Retail Bulk Data Integration, Oracle Retail Predictive Application Server, Oracle Retail Integration Bus, Oracle Retail Returns Management, Oracle Retail Point-of-Service, Oracle Retail Xstore Point of Service

Affected Components: Promotions, Application Core (Apache Log4j), AIP Dashboard (Apache Log4j), RIB Kernal (RSA BSAFE Crypto-J), Security (jQuery), RSB kernel (RSA BSAFE Crypto-J), BDI Job Scheduler (Apache Log4j), Store Connect (Apache POI), Xenvironment (RSA BSAFE Crypto-J), Security (Apache Ant), Segment, RIB Kernal (Apache Ant), Segments (jQuery), Order Broker Foundation (jasperreports_server), Mobile POS (jQuery), RPAS Server (RSA BSAFE Crypto-J), RPAS Fusion Client (Apache Log4j), RSB kernel (jackson-databind), RIB Kernal (Apache Log4j), Application Core (RSA BSAFE Crypto-J), System Administration (dom4j), Store Connect (Apache Log4j), Security (dom4j)
CVEs : CVE-2020-10683, CVE-2020-9546, CVE-2020-1945, CVE-2020-9410, CVE-2019-3740, CVE-2020-11022, CVE-2019-11358, CVE-2019-12415, CVE-2020-9488, CVE-2020-14732, CVE-2020-14731


Oracle Siebel CRM

Products: Siebel Apps – Marketing, Siebel UI Framework

Affected Components: Mktg/Campaign Mgmt (Apache Tomcat), UIF Open UI (jQuery)
CVEs : CVE-2019-10072, CVE-2020-11022


Oracle Systems

Products: Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, Oracle ZFS Storage Appliance Kit, Fujitsu M12-1, M12-2, M12-2S Servers, Oracle Solaris

Affected Components: Pluggable authentication module, Kernel, XCP Firmware (Kernel), Operating System Image, XCP Firmware (Linux Kernel), Filesystem, Utility
CVEs : CVE-2020-14871, CVE-2020-3909, CVE-2019-11477, CVE-2018-3693, CVE-2020-14758, CVE-2020-14754, CVE-2020-14818, CVE-2020-14759


Oracle Supply Chain

Products: Oracle Transportation Management, Oracle Agile Product Lifecycle Management for Process, Oracle Agile PLM

Affected Components: Security (dom4j), Folders, Files & Attachments (Apache Tomcat), Supplier Portal (jQuery), Install (Apache Tomcat)
CVEs : CVE-2020-1938, CVE-2020-10683, CVE-2020-9484, CVE-2020-11022


Article Name: Oracle Critical Updates October 2020
Publisher Name: SecPod Technologies
