Oracle’s October 2020 CPU Contains 402 New Security Patches


Oracle on Tuesday released its Critical Patch Update (CPU) for October 2020, which includes 402 new security patches released across the company’s product portfolio.

The advisory for the latest CPU includes information on the patches released after the previous CPU, but the patches are usually cumulative, Oracle notes. Thus, customers are advised to review information on previously released patches, to ensure their systems are protected.

This month, Oracle released two versions of the advisory: a new one where details on patches for security flaws in third-party components that are not exploitable as implemented in Oracle products are listed beneath the product’s risk matrix, and the traditional advisory (which mentions a total of 421 patches).

More than half of the 402 new security patches included in this month’s CPU address vulnerabilities that can be exploited remotely without authentication.

More than 80 of the patches address critical-severity bugs, most of them with CVSS scores of 9.8. Two of them, namely CVE-2020-1953, impacting Healthcare Foundation, and CVE-2020-14871, affecting Solaris, have CVSS scores of 10.

Oracle products that saw the highest number of new security patches are Financial Services Applications: 53 patches – 49 of the vulnerabilities can be exploited by remote, unauthenticated attackers; MySQL: 53 fixes – 4 bugs remotely exploitable without the need for credentials; Communications: 52 patches – 41 remotely exploitable flaws; and Fusion Middleware: 46 patches – 36 vulnerabilities exploitable remotely without authentication.

Next in line are Retail Applications (28 patches – 25 flaws exploitable remotely without credentials), E-Business Suite (27 fixes – 25 remotely exploitable bugs), Database Server (18 – 4), PeopleSoft (15 – 12), Enterprise Manager (11 – 10), Communications Applications (9 – 8), Construction and Engineering (9 – 7), Hyperion (9 – 1), Java SE (8 – 8), Systems (8 – 3), Virtualization (7 – 0), Insurance Applications (6 – 6), Policy Automation (6 – 6), and Hospitality Applications (6 – 3).

Products that saw fewer than 5 new patches this month include Utilities Applications (5 – 3 vulnerabilities exploitable by remote, unauthenticated attackers), REST Data Services (5 – 2), Health Sciences Applications (4 – 4), TimesTen In-Memory Database (4 – 4), Food and Beverage Applications (4 – 3), Supply Chain (4 – 3), Siebel CRM (3 – 3), Big Data Graph (1 – 1), and GraalVM (1 – 1).

Many of the fixes Oracle lists in each product’s risk matrix address various other vulnerabilities, some even tens of issues. For instance, the patch for CVE-2020-14734, a high-severity flaw in the Text component of Database Server, also includes fixes for 38 additional CVEs.

Oracle encourages customers to apply the available patches to ensure their systems remain protected. The company also notes that it continues to receive reports of active targeting of previously addressed issues, underscoring the need for timely patching.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle notes.


Ionut Arghire is an international correspondent for SecurityWeek.
