Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle’s October 2020 CPU Contains 402 New Security Patches

Oracle on Tuesday released its Critical Patch Update (CPU) for October 2020, which includes 402 new security patches released across the company’s product portfolio.

Oracle on Tuesday released its Critical Patch Update (CPU) for October 2020, which includes 402 new security patches released across the company’s product portfolio.

The advisory for the latest CPU includes information on the patches released after the previous CPU, but the patches are typically cumulative, Oracle notes. Thus, customers are advised to review information on previously released patches, to ensure their systems are protected.

This month, Oracle released two versions of the advisory: a new one where details on patches for security flaws in third-party components that are not exploitable as implemented in Oracle products are listed beneath the product’s risk matrix, and the traditional advisory (which mentions a total of 421 patches).

More than half of the 402 new security patches included in this month’s CPU can be exploited remotely without authentication.

More than 80 of the patches address critical-severity bugs, most of them with CVSS scores of 9.8. Two of them, namely CVE-2020-1953, impacting Healthcare Foundation, and CVE-2020-14871, affecting Solaris, have CVSS scores of 10.

Oracle products that saw the highest number of new security patches are Financial Services Applications: 53 patches – 49 of the vulnerabilities can be exploited by remote, unauthenticated attackers; MySQL: 53 fixes – 4 bugs remotely exploitable without the need of credentials; Communications: 52 patches – 41 remotely exploitable flaws; and Fusion Middleware: 46 patches – 36 vulnerabilities exploitable remotely without authentication.

Next in line are Retail Applications (28 patches – 25 flaws exploitable remotely without credentials), E-Business Suite (27 fixes – 25 remotely exploitable bugs), Database Server (18 – 4), PeopleSoft (15 – 12), Enterprise Manager (11 – 10), Communications Applications (9 – 8), Construction and Engineering (9 – 7), Hyperion (9 – 1), Java SE (8 – 8), Systems (8 – 3), Virtualization (7 – 0), Insurance Applications (6 – 6), Policy Automation (6 – 6), and Hospitality Applications (6 – 3).

Products that saw less than five new patches this month include Utilities Applications (5 – 3 vulnerabilities exploitable by remote, unauthenticated attackers), REST Data Services (5 – 2), Health Sciences Applications (4 – 4), TimesTen In-Memory Database (4 – 4), Food and Beverage Applications (4 – 3), Supply Chain (4 – 3), Siebel CRM (3 – 3), Big Data Graph (1 – 1), and GraalVM (1 – 1).

Advertisement. Scroll to continue reading.

Many of the fixes Oracle lists in each of the products’ risk matrix address various other vulnerabilities, some even tens of issues. For instance, the patch for CVE-2020-14734, a high-severity flaw in the Text component of Database Server, also includes fixes for 38 additional CVEs.

Oracle encourages customers to apply the available patches to ensure their systems remain protected. The company also notes that it continues to receive reports of active targeting of previously addressed issues, underscoring the need for timely patching.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle notes.

Related: Oracle’s July 2020 CPU Includes 443 New Patches

Related: Oracle’s April 2020 Critical Patch Update Brings 397 Security Fixes

Related: Oracle’s January 2020 CPU Delivers 334 New Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.