Oracle Critical Patch Update for October 2020 Now Available
Author: Simon Clarke, IaaS/DBA Practice Lead, Namos Solutions
It’s that time of the year again for the quarterly Critical Patch Update (CPU) to be released by Oracle. The recently released October 2020 CPU addresses multiple vulnerabilities across the Oracle product families.
Starting with this quarters CPU, Oracle are changing the reporting on vulnerabilities in third-party components which are not exploitable in the context of the Oracle products in which they are included. Before this change, the previous CPU advisories listed all updates for third-party components in the risk matrixes as Oracle products frequently include third-party components, typically open source libraries.
Oracle has found that many vulnerabilities in third-party components are not exploitable in the context of the Oracle product distributions that contain them, usually because the Oracle products never use the specific vulnerable functionality or expose it for customer use.
The security vulnerabilities addressed by this CPU relate to 402 new security patches across the Oracle product families. In addition, this CPU provides 19 updates for non-exploitable CVEs in third-party components.
We strongly recommend that customers apply the applicable CPU security patches as soon as possible.
A breakdown into some of the product areas that are pertinent to our customers:
- Oracle Database
- 30 new security updates.
- 7 of these updates apply to client-only deployments of the Oracle Database.
- The most severe CVSS Base Score reported for these Database vulnerabilities is 8.8.
- Oracle E-Business Suite
- 27 new security updates.
- 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
- The most severe CVSS Base Score reported for these E-Business Suite vulnerabilities is8.
- Oracle Enterprise Manager
- 11 new security updates.
- 10 of these Enterprise Manager vulnerabilities are remotely exploitable without authentication.
- The most severe CVSS Base Score reported for these Enterprise Manager vulnerabilities is 9.8.
- Oracle Fusion Middleware
- 46 new security updates.
- 36 of these Fusion Middleware vulnerabilities are remotely exploitable without authentication.
- The most severe CVSS Base Score reported for these Fusion Middleware vulnerabilities is 9.8.
- As these components can often to be Internet facing, it is highly recommended that these security updates are applied.
- Oracle Hyperion
- 9 new security updates.
- 1 of these vulnerabilities may be remotely exploitable without authentication.
- The most severe CVSS Base Score reported for these Hyperion vulnerabilities is 9.8.
- Oracle Java SE
- 8 new security updates.
- All of these vulnerabilities are remotely exploitable without authentication.
- The most severe CVSS Base Score reported for these Java SE vulnerabilities is 5.3.
Finally, here is a quick reminder of the CVSS (Common Vulnerability Scoring System) grading:
- The CVSS v3.1 Standard considers vulnerabilities with a CVSS Base Score between 9.0 and 10.0 to have a qualitative rating of “Critical.”
- Vulnerabilities with a CVSS Base Score between 7.0 and 8.9, have a qualitative rating of “High.”
About Namos Solutions
Namos Solutions are an award-winning Oracle OPN Modernised Partner specialising in the implementation and support of ERP, EPM and HCM business solutions, both in the Cloud and on-premise.
With global experience together with an impeccable track record, our business is built on our passion for delivering successful business transformation. Passion underpins everything we do at Namos – passionate about delivering beyond expectations, earning trust and building long-lasting relationships with our clients.
Although based in central London, we work wherever our clients need us to be. Many leading organisations located all over the world trust and rely on our expertise to deliver industry-leading business solutions. Namos customers can currently be found in the UK, Europe, Middle East, Asia Pacific, North America and Africa.