Oracle’s October 2020 CPU Contains 402 New Security Patches

Oracle on Tuesday released its Critical Patch Update (CPU) for October 2020, which includes 402 new security patches released across the company’s product portfolio.

The advisory for the latest CPU includes information on the patches released after the previous CPU, but the patches are typically cumulative, Oracle notes. Thus, customers are advised to review information on previously released patches, to ensure their systems are protected.

This month, Oracle released two versions of the advisory: a new one where details on patches for security flaws in third-party components that are not exploitable as implemented in Oracle products are listed beneath the product’s risk matrix, and the traditional advisory (which mentions a total of 421 patches).

More than half of the 402 new security patches included in this month’s CPU can be exploited remotely without authentication.

More than 80 of the patches address critical-severity bugs, most of them with CVSS scores of 9.8. Two of them, namely CVE-2020-1953, impacting Healthcare Foundation, and CVE-2020-14871, affecting Solaris, have CVSS scores of 10.

Oracle products that saw the highest number of new security patches are Financial Services Applications: 53 patches – 49 of the vulnerabilities can be exploited by remote, unauthenticated attackers; MySQL: 53 fixes – 4 bugs remotely exploitable without the need of credentials; Communications: 52 patches – 41 remotely exploitable flaws; and Fusion Middleware: 46 patches – 36 vulnerabilities exploitable remotely without authentication.

Next in line are Retail Applications (28 patches – 25 flaws exploitable remotely without credentials), E-Business Suite (27 fixes – 25 remotely exploitable bugs), Database Server (18 – 4), PeopleSoft (15 – 12), Enterprise Manager (11 – 10), Communications Applications (9 – 8), Construction and Engineering (9 – 7), Hyperion (9 – 1), Java SE (8 – 8), Systems (8 – 3), Virtualization (7 – 0), Insurance Applications (6 – 6), Policy Automation (6 – 6), and Hospitality Applications (6 – 3).

Products that saw less than five new patches this month include Utilities Applications (5 – 3 vulnerabilities exploitable by remote, unauthenticated attackers), REST Data Services (5 – 2), Health Sciences Applications (4 – 4), TimesTen In-Memory Database (4 – 4), Food and Beverage Applications (4 – 3), Supply Chain (4 – 3), Siebel CRM (3 – 3), Big Data Graph (1 – 1), and GraalVM (1 – 1).

Many of the fixes Oracle lists in each of the products’ risk matrix address various other vulnerabilities, some even tens of issues. For instance, the patch for CVE-2020-14734, a high-severity flaw in the Text component of Database Server, also includes fixes for 38 additional CVEs.

Oracle encourages customers to apply the available patches to ensure their systems remain protected. The company also notes that it continues to receive reports of active targeting of previously addressed issues, underscoring the need for timely patching.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle notes.

Related: Oracle’s July 2020 CPU Includes 443 New Patches

Related: Oracle’s April 2020 Critical Patch Update Brings 397 Security Fixes

Related: Oracle’s January 2020 CPU Delivers 334 New Patches