Oracle April 2020 CPU represents a double-digit increase in software patches

By Waratek | April 15, 2020 | News, Patching, Technical

The April 2020 Oracle Critical Patch Update (CPU) includes 397 patches across Oracle’s product suite, an 18% increase over the January 2020 CPU and a 33% year-over-year increase. The CPU includes:

  • 15 patches for Java SE
  • 51 patches for Oracle Fusion Middleware
  • 74 patches for Oracle E-Business Suite
  • 16 patches for Oracle Knowledge

Although the April 2020 CPU pre-release announcement mentioned a potential patch for the recently released Java 14, today’s update does not include any fixes for Java 14.

Waratek’s Advice to Customers & Prospects

Waratek Patch and Waratek Upgrade customers will receive runtime virtual patches that address the Oracle CPU CVEs as part of their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.

Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.

Q2 CPU Java SE highlights

  • One hundred percent (100%) of the Java SE vulnerabilities may be exploited over a network without requiring user credentials.
  • Two (2) new deserialization vulnerabilities in Java SE are patched.
  • One (1) information disclosure vulnerability (CVE-2019-18197) in the native code of JavaFX affects only Java 8.
  • One (1) vulnerability (CVE-2020-2764) affects only Java Advanced Management Console.
  • Four (4) vulnerabilities affect the Java Secure Socket Extension (JSSE) and affect applications via HTTPS.

Regarding other Oracle products

  • Oracle Business Intelligence and Oracle Knowledge were patched against the infamous four-year-old CVE-2016-1000031, the Apache Commons FileUpload DiskFileItem file manipulation and remote code execution deserialization vulnerability.
  • Fifteen (15) of the 16 CVEs in Oracle Knowledge may be exploited remotely.
  • Oracle Fusion Middleware was patched against 8 deserialization vulnerabilities.
  • Forty-four (44) of the Oracle Fusion Middleware CVEs may be exploited remotely.
  • Seventy (70) of the Oracle E-Business Suite vulnerabilities may be exploited remotely without requiring user credentials.

Read the full Oracle CPU news release here.

Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.
