Connect with us

Hi, what are you looking for?



Oracle’s January 2020 CPU Delivers 334 New Patches

Oracle has released its first Critical Patch Update (CPU) for 2020, which includes a total of 334 new security patches across multiple product families.

Oracle has released its first Critical Patch Update (CPU) for 2020, which includes a total of 334 new security patches across multiple product families.

More than half (192) of the security fixes address vulnerabilities that can be exploited remotely without authentication, Oracle reveals in its advisory. Moreover, the company notes that 40 of the new patches address critical issues.

This month, Enterprise Manager was the most affected, with 50 patches issued for it, including 10 for vulnerabilities that could be remotely exploited without authentication. The most severe of these are two critical flaws in Enterprise Manager Ops Center and two more in Application Testing Suite.

According to Oracle, Enterprise Manager products also include Database and Fusion Middleware components that are affected by the vulnerabilities affecing Database and Fusion Middleware, and customers are advised to apply all patches to ensure they are protected.

A total of 38 vulnerabilities were addressed in Fusion Middleware this month, 30 of which are remotely exploitable without authentication. Some of the products are also affected by vulnerabilities associated with Database components, Oracle says.

The most severe of these vulnerabilities include one critical bug in Coherence and two critical flaws in WebLogic Server. All three can be exploited from the network.

Communication Applications received 25 security patches this month, 23 of which are remotely exploitable and do not require authentication. Six of the flaws are considered critical severity, impacting Instant Messaging Server, Interactive Session Recorder, IP Service Activator, Unified Inventory Management, and Diameter Signaling Router (DSR).

Of the 24 vulnerabilities Oracle addressed in Financial Services Applications this month, 6 are remotely exploitable without authentication and the same applies to 21 of the issues patched in E-Business Suite (two bugs impacting Human Resources are critical, with a CVSS score of 9.9).

Advertisement. Scroll to continue reading.

The January 2020 CPU also fixes 22 flaws in Retail Applications, 14 of which are remotely exploitable without authentication. Eight of these flaws have critical severity, with a CVSS score of 9.8, and impact Assortment Planning, Clearance Optimization Engine, Customer Management and Segmentation Foundation, Markdown Optimization, Order Broker, and Sales Audit.

Of the 22 flaws addressed in Virtualization, 3 could be exploited by remote, unauthenticated attackers. The same applies to 6 of the 19 vulnerabilities patched in MySQL, to 8 of the 17 issues fixed in Systems, and to 12 of the 15 bugs patched in PeopleSoft.

Oracle addressed 12 vulnerabilities in Java SE with the January 2020 CPU, all of them remotely exploitable without authentication; 12 in Construction and Engineering, 8 exploitable by remote, unauthenticated attackers; and 12 in Database Server, 3 remotely exploitable.

Other impacted products include JD Edwards (9 vulnerabilities – 9 exploitable remotely without authentication), Supply Chain (8 flaws – 8 remotely exploitable), Siebel CRM (5 flaws – 5 remotely exploitable), GraalVM (5 – 3), Hospitality Applications (5 – 2), Utilities Applications (4 – 4), Health Sciences Applications (3 – 3), Hyperion (2 – 1), iLearning (1 – 1), and Food and Beverage Applications (1 – 0).

The fixes for nearly 50 issues address additional security flaws in Oracle products, so the total number of vulnerabilities patched by these updates is well above 334.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle notes.

Related: Oracle’s October 2019 Critical Patch Update Includes 219 Fixes

Related: Oracle’s July 2019 CPU Includes 319 Fixes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.