Alert

Oracle April 2020 CPU represents a double-digit increase in software patches

The April 2020 Oracle Critical Patch Update (CPU) includes 397 patches across Oracle’s product suite, an 18 percent hike over the January 2020 CPU and a 33% year-over-year increase. The CPU includes:

  • 15 patches for Java SE
  • 51 patches for Oracle Fusion Middleware
  • 74 patches for Oracle E-Business Suite
  • 16 patches for Oracle Knowledge

Although the April 2020 CPU preview mentioned a potential patch for the recently released Java 14, today’s Update does not include any fixes for Java 14.

 

Waratek’s Advice to Customers & Prospects
Waratek Patch and Waratek Upgrade customers will receive runtime virtual patches that address the Oracle CPU CVEs as part of their agreements. Virtual Patches can be deployed with no downtime to achieve instant protection. Some CVEs are also addressed in Waratek’s built-in CWE rules that offer active zero-day protection with zero tuning or configuration.

Non-customers should follow Oracle’s advice and apply the critical patch updates without delay.

 

Q2 CPU Java SE highlights

  • One hundred percent (100%) of the Java SE vulnerabilities may be exploited over a network without requiring user credentials.
  • Two (2) new deserialization vulnerabilities in Java SE are patched.
  • One (1) information disclosure vulnerability (CVE-2019-18197) in the native code of JavaFX affects only Java 8.
  • One (1) vulnerability (CVE-2020-2764) affects only Java Advanced Management Console.
  • Four vulnerabilities affect the Java Secure Socket Extension (JSSE) and affects applications via HTTPS

 

Regarding other Oracle products

  • Oracle Business Intelligence and Oracle Knowledge were patched against the infamous 4-year old CVE-2016-1000031 Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution deserialization vulnerability.
  • Fifteen (15) of the 16 CVEs in Oracle Knowledge may be exploited remotely.
  • Oracle Fusion Middleware was patched against 8 deserialization vulnerabilities.
  • Forty-four (44) of the Orcale Fusion Middleware CVEs can be remotely exploited.
  • Seventy (70) of the Oracle E-Business Suite vulnerabilities may be remotely exploitable without requiring user credentials.

Read the full Oracle CPU news release here.

Related alerts

CUSTOMER ALERT – CVE-2022-22963: Remote Code Execution in Spring Cloud Function

CUSTOMER ALERT – CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Java Vulnerability CVE-2013-5838 patched in 2013 re-emerges

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.

Book a demo
Start tour