Oracle has released its first Critical Patch Update (CPU) for 2020, which includes a total of 334 new security patches across multiple product families.
More than half (192) of the security fixes address vulnerabilities that can be exploited remotely without authentication, Oracle reveals in its advisory. Moreover, the company notes that 40 of the new patches address critical issues.
This month, Enterprise Manager was the most affected, with 50 patches issued for it, including 10 for vulnerabilities that could be remotely exploited without authentication. The most severe of these are two critical flaws in Enterprise Manager Ops Center and two more in Application Testing Suite.
According to Oracle, Enterprise Manager products also include Database and Fusion Middleware components, so they are affected by the vulnerabilities patched in Database and Fusion Middleware as well; customers are advised to apply all of the relevant patches to ensure they are protected.
A total of 38 vulnerabilities were addressed in Fusion Middleware this month, 30 of which are remotely exploitable without authentication. Some of the products are also affected by vulnerabilities associated with Database components, Oracle says.
The most severe of these vulnerabilities include one critical bug in Coherence and two critical flaws in WebLogic Server. All three can be exploited from the network.
Communication Applications received 25 security patches this month, 23 of which are remotely exploitable and do not require authentication. Six of the flaws are considered critical severity, impacting Instant Messaging Server, Interactive Session Recorder, IP Service Activator, Unified Inventory Management, and Diameter Signaling Router (DSR).
Of the 24 vulnerabilities Oracle addressed in Financial Services Applications this month, 6 are remotely exploitable without authentication. The same applies to 21 of the issues patched in E-Business Suite, two of which, impacting Human Resources, are critical with a CVSS score of 9.9.
The January 2020 CPU also fixes 22 flaws in Retail Applications, 14 of which are remotely exploitable without authentication. Eight of these flaws have critical severity, with a CVSS score of 9.8, and impact Assortment Planning, Clearance Optimization Engine, Customer Management and Segmentation Foundation, Markdown Optimization, Order Broker, and Sales Audit.
Of the 22 flaws addressed in Virtualization, 3 could be exploited by remote, unauthenticated attackers. The same applies to 6 of the 19 vulnerabilities patched in MySQL, to 8 of the 17 issues fixed in Systems, and to 12 of the 15 bugs patched in PeopleSoft.
Oracle addressed 12 vulnerabilities in Java SE with the January 2020 CPU, all of them remotely exploitable without authentication; 12 in Construction and Engineering, 8 exploitable by remote, unauthenticated attackers; and 12 in Database Server, 3 remotely exploitable.
Other impacted products include JD Edwards (9 vulnerabilities – 9 exploitable remotely without authentication), Supply Chain (8 flaws – 8 remotely exploitable), Siebel CRM (5 flaws – 5 remotely exploitable), GraalVM (5 – 3), Hospitality Applications (5 – 2), Utilities Applications (4 – 4), Health Sciences Applications (3 – 3), Hyperion (2 – 1), iLearning (1 – 1), and Food and Beverage Applications (1 – 0).
Nearly 50 of the fixes also cover additional security flaws in Oracle products, so the total number of vulnerabilities patched by these updates is well above 334.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle notes.