Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle’s April 2020 Critical Patch Update Brings 397 Security Fixes

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products.

The software giant also revealed that 264 of the addressed vulnerabilities could be exploited remotely without authentication.

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products.

The software giant also revealed that 264 of the addressed vulnerabilities could be exploited remotely without authentication.

Roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8. Around 90 vulnerabilities have a CVSS score of 8.0 or higher.

This month, E-Business Suite received the largest number of security patches, at 74, with 70 of the vulnerabilities being remotely exploitable by unauthenticated attackers. While none has a critical severity rating, most of them are considered high risk bugs (62 have a CVSS score of 8.1 or higher).

Oracle also addressed 51 vulnerabilities in Fusion Middleware, revealing that unauthenticated, remote attackers could abuse 44 of them. Of the total, 12 vulnerabilities are critical (CVSS score of 9.8), the software giant explains in its advisory.

Other highly impacted products include MySQL (with 45 security patches received, 9 for vulnerabilities that are remotely exploitable without authentication), Communications Applications (39 patches, 35 remotely exploitable bugs), Financial Services Applications (35 fixes, 16 remotely exploitable flaws), and Retail Applications (27 patches, 17 remotely exploitable issues).

Additionally, Oracle fixed security flaws in Virtualization (19 patches – 1 bug remotely exploitable without authentication), Knowledge (16 – 15), Java SE (15 – all remotely exploitable), PeopleSoft (14 – 10), Construction and Engineering (12 – 9), Systems (9 – 2), Database Server (8 – 2), and Enterprise Manager (7 – 5).

Less impacted were GraalVM (5 patches – 2 vulnerabilities remotely exploitable without authentication), Supply Chain (4 – 3), JD Edwards (4 – 2), Hyperion (3 – none remotely exploitable), Health Sciences Applications (2 – 2), Support Tools (2 – 2), Utilities Applications (2 – 2), Secure Backup (1 – 1), and Food and Beverage Applications, Global Lifecycle Management, and Siebel CRM (each with 1 patch received, but not for remotely exploitable bugs).

Many of the fixes detailed in Oracle’s April 2020 Critical Patch Update advisory address various other vulnerabilities as well, the company says.

Customers are advised to apply the newly released security patches as soon as possible, to ensure they remain protected from attacks. Until fixes are installed, customers might want to consider blocking network protocols that attackers could use to target the addressed vulnerabilities.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay,” the company notes.

The next collection of security patches for the company’s products will be released on July 14. One other set of fixes is planned for October 20.

Related: Oracle VirtualBox, Adobe Reader, Windows Hacked at Pwn2Own 2020

Related: Oracle’s January 2020 CPU Delivers 334 New Patches

Related: Oracle’s October 2019 Critical Patch Update Includes 219 Fixes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.