Connect with us

Hi, what are you looking for?



Oracle’s April 2020 Critical Patch Update Brings 397 Security Fixes

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products.

The software giant also revealed that 264 of the addressed vulnerabilities could be exploited remotely without authentication.

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products.

The software giant also revealed that 264 of the addressed vulnerabilities could be exploited remotely without authentication.

Roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8. Around 90 vulnerabilities have a CVSS score of 8.0 or higher.

This month, E-Business Suite received the largest number of security patches, at 74, with 70 of the vulnerabilities being remotely exploitable by unauthenticated attackers. While none has a critical severity rating, most of them are considered high risk bugs (62 have a CVSS score of 8.1 or higher).

Oracle also addressed 51 vulnerabilities in Fusion Middleware, revealing that unauthenticated, remote attackers could abuse 44 of them. Of the total, 12 vulnerabilities are critical (CVSS score of 9.8), the software giant explains in its advisory.

Other highly impacted products include MySQL (with 45 security patches received, 9 for vulnerabilities that are remotely exploitable without authentication), Communications Applications (39 patches, 35 remotely exploitable bugs), Financial Services Applications (35 fixes, 16 remotely exploitable flaws), and Retail Applications (27 patches, 17 remotely exploitable issues).

Additionally, Oracle fixed security flaws in Virtualization (19 patches – 1 bug remotely exploitable without authentication), Knowledge (16 – 15), Java SE (15 – all remotely exploitable), PeopleSoft (14 – 10), Construction and Engineering (12 – 9), Systems (9 – 2), Database Server (8 – 2), and Enterprise Manager (7 – 5).

Advertisement. Scroll to continue reading.

Less impacted were GraalVM (5 patches – 2 vulnerabilities remotely exploitable without authentication), Supply Chain (4 – 3), JD Edwards (4 – 2), Hyperion (3 – none remotely exploitable), Health Sciences Applications (2 – 2), Support Tools (2 – 2), Utilities Applications (2 – 2), Secure Backup (1 – 1), and Food and Beverage Applications, Global Lifecycle Management, and Siebel CRM (each with 1 patch received, but not for remotely exploitable bugs).

Many of the fixes detailed in Oracle’s April 2020 Critical Patch Update advisory address various other vulnerabilities as well, the company says.

Customers are advised to apply the newly released security patches as soon as possible, to ensure they remain protected from attacks. Until fixes are installed, customers might want to consider blocking network protocols that attackers could use to target the addressed vulnerabilities.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay,” the company notes.

The next collection of security patches for the company’s products will be released on July 14. One other set of fixes is planned for October 20.

Related: Oracle VirtualBox, Adobe Reader, Windows Hacked at Pwn2Own 2020

Related: Oracle’s January 2020 CPU Delivers 334 New Patches

Related: Oracle’s October 2019 Critical Patch Update Includes 219 Fixes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.