Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products.
The software giant also revealed that 264 of the addressed vulnerabilities could be exploited remotely without authentication.
Roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8. Around 90 vulnerabilities have a CVSS score of 8.0 or higher.
This month, E-Business Suite received the largest number of security patches, at 74, with 70 of the vulnerabilities being remotely exploitable by unauthenticated attackers. While none has a critical severity rating, most of them are considered high risk bugs (62 have a CVSS score of 8.1 or higher).
Oracle also addressed 51 vulnerabilities in Fusion Middleware, revealing that unauthenticated, remote attackers could abuse 44 of them. Of the total, 12 vulnerabilities are critical (CVSS score of 9.8), the software giant explains in its advisory.
Other highly impacted products include MySQL (with 45 security patches received, 9 for vulnerabilities that are remotely exploitable without authentication), Communications Applications (39 patches, 35 remotely exploitable bugs), Financial Services Applications (35 fixes, 16 remotely exploitable flaws), and Retail Applications (27 patches, 17 remotely exploitable issues).
Additionally, Oracle fixed security flaws in Virtualization (19 patches – 1 bug remotely exploitable without authentication), Knowledge (16 – 15), Java SE (15 – all remotely exploitable), PeopleSoft (14 – 10), Construction and Engineering (12 – 9), Systems (9 – 2), Database Server (8 – 2), and Enterprise Manager (7 – 5).
Less impacted were GraalVM (5 patches – 2 vulnerabilities remotely exploitable without authentication), Supply Chain (4 – 3), JD Edwards (4 – 2), Hyperion (3 – none remotely exploitable), Health Sciences Applications (2 – 2), Support Tools (2 – 2), Utilities Applications (2 – 2), Secure Backup (1 – 1), and Food and Beverage Applications, Global Lifecycle Management, and Siebel CRM (each with 1 patch received, but not for remotely exploitable bugs).
Many of the fixes detailed in Oracle’s April 2020 Critical Patch Update advisory address various other vulnerabilities as well, the company says.
Customers are advised to apply the newly released security patches as soon as possible, to ensure they remain protected from attacks. Until fixes are installed, customers might want to consider blocking network protocols that attackers could use to target the addressed vulnerabilities.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay,” the company notes.
The next collection of security patches for the company’s products will be released on July 14. One other set of fixes is planned for October 20.
Related: Oracle VirtualBox, Adobe Reader, Windows Hacked at Pwn2Own 2020
Related: Oracle’s January 2020 CPU Delivers 334 New Patches
Related: Oracle’s October 2019 Critical Patch Update Includes 219 Fixes

More from Ionut Arghire
- Vulnerability Provided Access to Toyota Supplier Management Network
- Linux Variant of Cl0p Ransomware Emerges
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
Latest News
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
