Oracle has released 397 new security patches as part of its quarterly Critical Patch Update for April 2020, of which 262 address vulnerabilities that are remotely exploitable without authentication.
Oracle MySQL received 45 security patches, 9 of which address vulnerabilities that can be exploited remotely without authentication. A few of the CVEs, if successfully exploited, can result in unauthorized access to MySQL Workbench data. CVE-2019-15601 (a cURL flaw) and CVE-2019-1547 (an OpenSSL flaw) affect the 'Compiling' and 'OpenSSL' components of MySQL Workbench, i.e. third-party libraries bundled with the product rather than Workbench code itself.
Oracle Java SE received 15 security patches. All 15 vulnerabilities can be exploited remotely, over multiple protocols, without any form of authentication. Although remotely exploitable, they have not been rated critical because of their high attack complexity; several of them nonetheless carry the highest CVSS scores in the Java SE list.
Oracle VM VirtualBox received 11 security patches; only 1 of the vulnerabilities can be exploited remotely without authentication. Most of the CVEs are rated High and affect the 'Core' component of Oracle VM VirtualBox. Successful exploitation can lead to a takeover of Oracle VM VirtualBox.
Oracle Critical Patch Update April 2020 Summary
Oracle Database Server
Affected Components: Java VM, Oracle Multimedia, WLM (Apache Tomcat), Core RDBMS, Oracle Text, Oracle Application Express, RDBMS/Optimizer
CVEs : CVE-2016-10251, CVE-2019-17563, CVE-2020-2737, CVE-2019-2853, CVE-2016-7103, CVE-2020-2514, CVE-2020-2734, CVE-2020-2735
Oracle Global Lifecycle Management
Products: Oracle Global Lifecycle Management OPatch
Affected Components: Patch Installer
CVEs: CVE-2019-20330
Oracle Secure Backup
Products: Oracle Secure Backup
Affected Components: PHP
CVEs: CVE-2018-5712
Oracle Communications Applications
Products: Oracle Communications ASAP Cartridges, Oracle Communications Calendar Server, Oracle Communications Converged Application Server – Service Controller, Oracle Communications Diameter Signaling Router (DSR), Oracle Communications Element Manager, Oracle Communications Evolved Communications Application Server, Oracle Communications Messaging Server, Oracle Communications Operations Monitor, Oracle Communications Service Broker, Oracle Communications Services Gatekeeper, Oracle Communications Session Report Manager, Oracle Communications Session Route Manager, Oracle Communications Unified Inventory Management, Oracle Communications WebRTC Session Controller, Oracle SD-WAN Edge
CVEs : CVE-2015-3253, CVE-2016-4000, CVE-2017-12626, CVE-2018-1000180, CVE-2018-15756, CVE-2018-20852, CVE-2018-8039, CVE-2019-0211, CVE-2019-0222, CVE-2019-0227, CVE-2019-10072, CVE-2019-10082, CVE-2019-10088, CVE-2019-1010238, CVE-2019-10247, CVE-2019-11358, CVE-2019-14379, CVE-2019-14821, CVE-2019-15163, CVE-2019-16943, CVE-2019-2729, CVE-2019-2904, CVE-2019-5482
Oracle Construction and Engineering
Products: Instantis EnterpriseTrack, Primavera Gateway, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier
Affected Components: Admin (Apache Commons Beanutils), Admin (Apache Commons Compress), Admin (Connect2id Nimbus JOSE+JWT), Admin (jackson-databind), Generic (Apache HTTP Server), Generic (Apache Tomcat), Infrastructure (Quartz), Infrastructure (jackson-databind), Logging (Log4j), Office Open document processor (Apache POI), Project Manager
CVEs : CVE-2017-5645, CVE-2019-10082, CVE-2019-10086, CVE-2019-12402, CVE-2019-12415, CVE-2019-13990, CVE-2019-16943, CVE-2019-17195, CVE-2019-17563, CVE-2020-2594, CVE-2020-2706
Oracle E-Business Suite
Products: Oracle Advanced Outbound Telephony, Oracle Applications Framework, Oracle CRM Gateway for Mobile Devices, Oracle CRM Technical Foundation, Oracle Common Applications Calendar, Oracle Customer Interaction History, Oracle Depot Repair, Oracle Document Management and Collaboration, Oracle E-Business Intelligence, Oracle Email Center, Oracle General Ledger, Oracle Human Resources, Oracle Knowledge Management, Oracle Learning Management, Oracle Marketing, Oracle Marketing Encyclopedia System, Oracle One-to-One Fulfillment, Oracle Partner Management, Oracle Quoting, Oracle Scripting, Oracle Service Intelligence, Oracle Trade Management, Oracle Universal Work Queue, Oracle Workflow, Oracle iStore, Oracle iSupplier Portal, Oracle iSupport
CVEs : CVE-2020-2750, CVE-2020-2753, CVE-2020-2772, CVE-2020-2789, CVE-2020-2794, CVE-2020-2796, CVE-2020-2807 to CVE-2020-2810, CVE-2020-2813, CVE-2020-2815, CVE-2020-2817 to CVE-2020-2827, CVE-2020-2831 to CVE-2020-2850, CVE-2020-2852, CVE-2020-2854 to CVE-2020-2858, CVE-2020-2860 to CVE-2020-2864, CVE-2020-2866, CVE-2020-2870 to CVE-2020-2874, CVE-2020-2876 to CVE-2020-2882, CVE-2020-2885 to CVE-2020-2890, CVE-2020-2956
Oracle Enterprise Manager
Products: Enterprise Manager Base Platform, Oracle Real User Experience Insight, Oracle Application Testing Suite, Application Service Level Management
Affected Components: Discovery Framework (OpenSSL), Discovery Framework (Oracle OHS), EM Request Monitoring, Install (Perl), Oracle Flow Builder (Apache Axis), Processing (Oracle Instant Client), Service Level Agreements (jQuery)
CVEs : CVE-2018-11058, CVE-2018-18311, CVE-2019-0227, CVE-2019-11358, CVE-2019-1543, CVE-2020-2946, CVE-2020-2961
Oracle Financial Services Applications
Products : Oracle Banking Enterprise Collections, Oracle Banking Enterprise Originations, Oracle Banking Enterprise Product Manufacturing, Oracle Banking Platform, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Asset Liability Management, Oracle Financial Services Balance Sheet Planning, Oracle Financial Services Data Foundation, Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, Oracle Financial Services Funds Transfer Pricing, Oracle Financial Services Hedge Management and IFRS Valuations, Oracle Financial Services Liquidity Risk Management, Oracle Financial Services Liquidity Risk Measurement and Management, Oracle Financial Services Loan Loss Forecasting and Provisioning, Oracle Financial Services Market Risk Measurement and Management, Oracle Financial Services Price Creation and Discovery, Oracle Financial Services Profitability Management, Oracle Financial Services Revenue Management and Billing Analytics, Oracle FLEXCUBE Core Banking, Oracle FLEXCUBE Private Banking, Oracle Insurance Accounting Analyzer
CVEs : CVE-2017-12626, CVE-2019-0227, CVE-2019-10088, CVE-2019-10247, CVE-2019-12415, CVE-2019-12419, CVE-2019-13990, CVE-2019-16943, CVE-2019-17091, CVE-2019-17359, CVE-2019-2904, CVE-2020-2793, CVE-2020-2891, CVE-2020-2935 to CVE-2020-2943, CVE-2020-2945, CVE-2020-2955, CVE-2020-2964
Oracle Food and Beverage Applications
Affected Components: Oracle Hospitality Reporting and Analytics
CVEs: CVE-2020-2746
Oracle Fusion Middleware
Products: Identity Manager Connector, Oracle Access Manager, Oracle API Gateway, Oracle Big Data Discovery, Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle Endeca Information Discovery Integrator, Oracle Endeca Server, Oracle Fusion Middleware MapViewer, Oracle Global Lifecycle Management NextGen OUI Framework, Oracle HTTP Server, Oracle Managed File Transfer, Oracle Outside In Technology, Oracle SOA Suite, Oracle Unified Directory, Oracle WebCenter Portal, Oracle WebCenter Sites, Oracle WebLogic Server
CVEs : CVE-2015-7940, CVE-2016-1000031, CVE-2016-10328, CVE-2017-12626, CVE-2017-5130, CVE-2018-15756, CVE-2018-20622, CVE-2018-20843, CVE-2019-0222, CVE-2019-10088, CVE-2019-10247, CVE-2019-11358, CVE-2019-12415, CVE-2019-13990, CVE-2019-1547, CVE-2019-15903, CVE-2019-16168, CVE-2019-16943, CVE-2019-17359, CVE-2019-17571, CVE-2020-2739, CVE-2020-2740, CVE-2020-2745, CVE-2020-2747, CVE-2020-2766, CVE-2020-2783, CVE-2020-2784, CVE-2020-2785, CVE-2020-2786, CVE-2020-2787, CVE-2020-2798, CVE-2020-2801, CVE-2020-2811, CVE-2020-2828, CVE-2020-2829, CVE-2020-2867, CVE-2020-2869, CVE-2020-2883, CVE-2020-2884, CVE-2020-2915, CVE-2020-2949, CVE-2020-2950, CVE-2020-2952
Oracle GraalVM
Products: Oracle GraalVM Enterprise Edition
Affected Components: Java, GraalVM Compiler, Tools, JavaScript (Node.js)
CVEs : CVE-2019-15606, CVE-2020-2799, CVE-2020-2802, CVE-2020-2803, CVE-2020-2900
Oracle Health Sciences Applications
Affected Components: Installation (Eclipse Mojarra), Policy Engine (Eclipse Mojarra)
CVEs: CVE-2019-17091
Oracle Hyperion
Products: Hyperion Financial Management, Hyperion Financial Reporting
Affected Components: Security, Security (Application Development Framework), Web Based Report Designer
CVEs : CVE-2020-2769, CVE-2020-2770, CVE-2020-2899
Oracle Java SE
Products: Java SE, Java SE Embedded
Affected Components : Advanced Management Console, Concurrency, JavaFX (libxslt), JSSE, Libraries, Lightweight HTTP Server, Scripting, Security, Serialization
CVEs : CVE-2019-18197, CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2764, CVE-2020-2767, CVE-2020-2773, CVE-2020-2778, CVE-2020-2781, CVE-2020-2800, CVE-2020-2803, CVE-2020-2805, CVE-2020-2816, CVE-2020-2830
Oracle JD Edwards
Products: JD Edwards EnterpriseOne Tools, JD Edwards World Security
Affected Components: Monitoring and Diagnostics, Enterprise Infrastructure Security (Oracle Security Service), Enterprise Infrastructure Security (OpenSSL), World Software Security (OpenSSL)
CVEs : CVE-2019-1547, CVE-2020-2733, CVE-2018-11058
Oracle Knowledge
Products: Oracle Knowledge
Affected Components: Answer Flow (jQuery), Information Manager Console, Information Manager Console (Apache Axis), Information Manager Console (Apache Standard Taglibs), Information Manager Console (Apache Tika), Information Manager Console, Web Applications – InfoCenter (Apache Commons FileUpload), Information Manager Console, Web Applications – InfoCenter (jQuery), InQuira Search, Web Applications – InfoCenter, Web Applications – InfoCenter (AntiSamy), Web Applications – InfoCenter (Apache Commons Fileupload), Web Applications – InfoCenter (Apache Derby)
CVEs : CVE-2015-0254, CVE-2015-1832, CVE-2015-9251, CVE-2016-1000031, CVE-2016-3092, CVE-2017-14735, CVE-2018-17197, CVE-2019-0227, CVE-2019-11358, CVE-2020-2522, CVE-2020-2524, CVE-2020-2553, CVE-2020-2791, CVE-2020-2795, CVE-2020-2931, CVE-2020-2932
Oracle MySQL
Products: MySQL Client, MySQL Cluster, MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench
CVEs : CVE-2019-14889, CVE-2019-1547, CVE-2019-15601, CVE-2019-17563, CVE-2019-19646, CVE-2019-5482, CVE-2020-2752, CVE-2020-2759 to CVE-2020-2763, CVE-2020-2765, CVE-2020-2768, CVE-2020-2770, CVE-2020-2774, CVE-2020-2779, CVE-2020-2780, CVE-2020-2790, CVE-2020-2804, CVE-2020-2806, CVE-2020-2812, CVE-2020-2814, CVE-2020-2853, CVE-2020-2875, CVE-2020-2892, CVE-2020-2893, CVE-2020-2895, CVE-2020-2896, CVE-2020-2897, CVE-2020-2898, CVE-2020-2901, CVE-2020-2903, CVE-2020-2904, CVE-2020-2921 to CVE-2020-2926, CVE-2020-2928, CVE-2020-2930, CVE-2020-2933, CVE-2020-2934
Oracle PeopleSoft
Products: PeopleSoft Enterprise CS Campus Community, PeopleSoft Enterprise HCM Absence Management, PeopleSoft Enterprise HRMS, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise SCM Purchasing
Affected Components: Absence Management, Candidate Gateway, Diagnostic Framework, nVision, Portal, Process Scheduler, Purchasing, Query, Security, Security (Bouncy Castle Java Library), Self-Service, Supplier Change, Tools Admin API (Apache Axis)
CVEs : CVE-2019-0227, CVE-2019-17359, CVE-2020-2751, CVE-2020-2775, CVE-2020-2776, CVE-2020-2782, CVE-2020-2797, CVE-2020-2859, CVE-2020-2868, CVE-2020-2899, CVE-2020-2906, CVE-2020-2912, CVE-2020-2947, CVE-2020-2954
Oracle Retail Applications
Products: MICROS Relate CRM Software, Oracle Retail Advanced Inventory Planning, Oracle Retail Back Office, Oracle Retail Central Office, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Merchandising System, Oracle Retail Order Broker, Oracle Retail Point-of-Service, Oracle Retail Predictive Application Server, Oracle Retail Returns Management, Oracle Retail Store Inventory Management, Oracle Retail Xstore Point of Service
CVEs : CVE-2017-12626, CVE-2017-3160, CVE-2017-5533, CVE-2017-5645, CVE-2018-10237, CVE-2018-11058, CVE-2018-11797, CVE-2018-1258, CVE-2019-0227, CVE-2019-10072, CVE-2019-10082, CVE-2019-10086, CVE-2019-10173, CVE-2019-13990, CVE-2019-17091, CVE-2019-17359, CVE-2019-17563, CVE-2019-2880, CVE-2020-2953, CVE-2020-5398
Oracle Siebel CRM
Products: Siebel UI Framework
Affected Components: EAI, SWSE
CVEs: CVE-2020-2738
Oracle Supply Chain
Products: Oracle Agile PLM, Oracle Configurator, Oracle In-Memory Performance-Driven Planning, Oracle Transportation Management
Affected Components: User Interface (Log4j), Security, Installation
CVEs : CVE-2017-5645, CVE-2020-2744, CVE-2020-2865, CVE-2020-2920
Oracle Systems
Products: Oracle Solaris, StorageTek Tape Analytics SW Tool, Sun ZFS Storage Appliance Kit
Affected Components: Application Server (Oracle WebLogic Server), Common Desktop Environment, Operating System Image, SMB Server Kernel Module, SMF command svcbundle, Software (jQuery), Whodo
CVEs : CVE-2018-1165, CVE-2019-11358, CVE-2019-2729, CVE-2020-2749, CVE-2020-2771, CVE-2020-2851, CVE-2020-2927, CVE-2020-2944
Oracle Support Tools
Products: OSS Support Tools
Affected Components: Services Tools Bundle (cURL)
CVEs : CVE-2019-5482, CVE-2019-15601
Oracle Utilities Applications
Products: Oracle Utilities Framework, Oracle Utilities Network Management System
Affected Components: Common (Dom4J), Upload (Apache POI)
CVEs : CVE-2018-1000632, CVE-2017-12626
Oracle Virtualization
Products: Oracle VM VirtualBox
Affected Components: Core
CVEs : CVE-2020-2741, CVE-2020-2742, CVE-2020-2743, CVE-2020-2748, CVE-2020-2758, CVE-2020-2894, CVE-2020-2902, CVE-2020-2905, CVE-2020-2907 to CVE-2020-2911, CVE-2020-2913, CVE-2020-2914, CVE-2020-2929, CVE-2020-2951, CVE-2020-2958, CVE-2020-2959
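The CVE lines above compress consecutive identifiers into ranges such as "CVE-2020-2807 to CVE-2020-2810", and the same third-party CVE (for example the jQuery issue CVE-2019-11358) recurs under several product families. Before matching this summary against an asset inventory, a practitioner wants every range expanded and a map of which families share a CVE. The Python below is an added example, not code from the original page or from Oracle; SAMPLE_SUMMARY is a constructed excerpt in the shape of this page (family heading, optional Products / Affected Components lines, then a CVEs line), with the identifiers copied from the sections above but the choice of sections arbitrary.

```python
import re
from collections import defaultdict
from typing import Dict, List

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")
RANGE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+to\s+(CVE-\d{4}-\d{4,})")

# Constructed excerpt in the layout used by this summary (assumption: one
# family heading per section, followed by optional metadata lines and a
# "CVEs" line). The identifiers are copied from the page.
SAMPLE_SUMMARY = """\
Oracle E-Business Suite
Products: Oracle Applications Framework, Oracle Workflow
CVEs : CVE-2020-2750, CVE-2020-2807 to CVE-2020-2810, CVE-2020-2956
Oracle Enterprise Manager
Affected Components: Service Level Agreements (jQuery)
CVEs : CVE-2018-11058, CVE-2019-11358
Oracle Systems
Affected Components: Software (jQuery)
CVEs : CVE-2019-11358, CVE-2020-2944
"""


def expand_range(first: str, last: str) -> List[str]:
    """Expand 'CVE-2020-2807 to CVE-2020-2810' into the four individual IDs.

    Both ends must share a year and be in ascending order; anything else is
    treated as a transcription error rather than silently producing an empty
    or runaway list. Zero padding of the sequence number is preserved.
    """
    y1, n1 = CVE_RE.fullmatch(first).groups()
    y2, n2 = CVE_RE.fullmatch(last).groups()
    if y1 != y2 or int(n1) > int(n2):
        raise ValueError(f"bad CVE range: {first} to {last}")
    width = len(n1)
    return [f"CVE-{y1}-{i:0{width}d}" for i in range(int(n1), int(n2) + 1)]


def parse_cve_line(line: str) -> List[str]:
    """Turn a 'CVEs : ...' line into a flat list of CVE identifiers.

    Accepts both 'CVEs :' and 'CVEs:' prefixes (the page uses both) and
    rejects any token that is neither a single CVE nor an 'A to B' range.
    """
    body = re.sub(r"^CVEs\s*:\s*", "", line.strip())
    ids: List[str] = []
    for token in (t.strip() for t in body.split(",")):
        if not token:
            continue
        m = RANGE_RE.fullmatch(token)
        if m:
            ids.extend(expand_range(m.group(1), m.group(2)))
        elif CVE_RE.fullmatch(token):
            ids.append(token)
        else:
            raise ValueError(f"unrecognised CVE token: {token!r}")
    return ids


def index_summary(text: str) -> Dict[str, List[str]]:
    """Map each CVE to the product families whose section lists it."""
    index: Dict[str, List[str]] = defaultdict(list)
    family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^CVEs\s*:", line):
            if family is None:
                raise ValueError("CVE line appears before any family heading")
            for cve in parse_cve_line(line):
                if family not in index[cve]:
                    index[cve].append(family)
        elif re.match(r"^(Products|Affected Components)\s*:", line):
            continue  # metadata for the current family; not needed here
        else:
            family = line  # any other non-empty line starts a new family
    return dict(index)


def shared_cves(index: Dict[str, List[str]]) -> List[str]:
    """CVEs listed under more than one family: usually a bundled library."""
    return sorted(cve for cve, fams in index.items() if len(fams) > 1)


if __name__ == "__main__":
    idx = index_summary(SAMPLE_SUMMARY)
    print(f"{len(idx)} unique CVEs in the excerpt")
    for cve in shared_cves(idx):
        print(cve, "->", ", ".join(idx[cve]))
```

Running the parser over the whole summary rather than the excerpt gives the real unique-CVE count, which is lower than the sum of the per-family lists precisely because of the shared third-party entries; those are the ones to cross-check against every product the library ships in, not only the one the scanner flagged.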