Oracle’s April 2020 Critical Patch Update Brings 397 Security Fixes

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products.

The software giant also revealed that 264 of the addressed vulnerabilities could be exploited remotely without authentication.

Roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8. Around 90 vulnerabilities have a CVSS score of 8.0 or higher.

This month, E-Business Suite received the largest number of security patches, at 74, with 70 of the vulnerabilities being remotely exploitable by unauthenticated attackers. While none has a critical severity rating, most of them are considered high risk bugs (62 have a CVSS score of 8.1 or higher).

Oracle also addressed 51 vulnerabilities in Fusion Middleware, revealing that unauthenticated, remote attackers could abuse 44 of them. Of the total, 12 vulnerabilities are critical (CVSS score of 9.8), the software giant explains in its advisory.

Other highly impacted products include MySQL (with 45 security patches received, 9 for vulnerabilities that are remotely exploitable without authentication), Communications Applications (39 patches, 35 remotely exploitable bugs), Financial Services Applications (35 fixes, 16 remotely exploitable flaws), and Retail Applications (27 patches, 17 remotely exploitable issues).

Additionally, Oracle fixed security flaws in Virtualization (19 patches – 1 bug remotely exploitable without authentication), Knowledge (16 – 15), Java SE (15 – all remotely exploitable), PeopleSoft (14 – 10), Construction and Engineering (12 – 9), Systems (9 – 2), Database Server (8 – 2), and Enterprise Manager (7 – 5).

Less impacted were GraalVM (5 patches – 2 vulnerabilities remotely exploitable without authentication), Supply Chain (4 – 3), JD Edwards (4 – 2), Hyperion (3 – none remotely exploitable), Health Sciences Applications (2 – 2), Support Tools (2 – 2), Utilities Applications (2 – 2), Secure Backup (1 – 1), and Food and Beverage Applications, Global Lifecycle Management, and Siebel CRM (each with 1 patch received, but not for remotely exploitable bugs).

Many of the fixes detailed in Oracle’s April 2020 Critical Patch Update advisory address various other vulnerabilities as well, the company says.

Customers are advised to apply the newly released security patches as soon as possible, to ensure they remain protected from attacks. Until fixes are installed, customers might want to consider blocking network protocols that attackers could use to target the addressed vulnerabilities.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay,” the company notes.

The next collection of security patches for the company’s products will be released on July 14. One other set of fixes is planned for October 20.

Related: Oracle VirtualBox, Adobe Reader, Windows Hacked at Pwn2Own 2020

Related: Oracle’s January 2020 CPU Delivers 334 New Patches

Related: Oracle’s October 2019 Critical Patch Update Includes 219 Fixes