Oracle Critical Patch Update For April Contains 297 Fixes

Oracle fixes nearly 300 vulnerabilities in second Critical Patch Update for 2019, including bugs in WebLogic, Java SE and several product components.

Background

On April 16, Oracle released its Critical Patch Update for April 2019 as part of its quarterly release of fixes for vulnerabilities. This update contains 297 fixes across a number of Oracle products.

Analysis

In its Critical Patch Update for April 2019, Oracle addressed several vulnerabilities (CVE-2019-2645, CVE-2019-2646, CVE-2019-2647, CVE-2019-2648, CVE-2019-2649, CVE-2019-2650) in Oracle WebLogic Server’s WLS Core Components and Web Services that were reported by security researcher Matthias Kaiser and could be exploited remotely without authentication.

This month’s release contains five security fixes for Oracle Java SE components like Windows DLL (CVE-2019-2699), 2D (CVE-2019-2697, CVE-2019-2698) as well as Oracle Java SE and Oracle Java SE Embedded libraries (CVE-2019-2602) and Remote Method Invocation (RMI) (CVE-2019-2684).

Additionally, this month’s release contains fixes for critical vulnerabilities in components including:

• CVE-2019-3772 (Spring Framework)
• CVE-2017-5645 (Apache Log4j)
• CVE-2018-19362 (FasterXML jackson-databind)
• CVE-2019-3822 (libcurl)
• CVE-2018-11219 (Redis)
• CVE-2018-11236 (glibc)
• CVE-2016-4000 (Jython)
• CVE-2015-3253 (Apache Groovy)

Once again, this quarter’s Critical Patch Update contained fixes for CVE-2016-1000031, the Apache Commons FileUpload Remote Code Execution vulnerability discovered by Tenable Research. This vulnerability was fixed across 10 different products/applications suites, including Oracle Communications Applications, Oracle Enterprise Manager Products Suite, and Oracle Fusion Middleware.

The following is a full list of products/applications with vulnerabilities addressed in the April 2019 Critical Patch Update:

• Oracle Database Server
• Oracle Berkeley DB
• Oracle Commerce
• Oracle Communications Applications
• Oracle Construction and Engineering Suite
• Oracle E-Business Suite
• Oracle Enterprise Manager Products Suite
• Oracle Financial Services Applications
• Oracle Food and Beverage Applications
• Oracle Fusion Middleware
• Oracle Health Sciences Applications
• Oracle Hospitality Applications
• Oracle Java SE
• Oracle JD Edwards Products
• Oracle MySQL
• Oracle PeopleSoft Products
• Oracle Retail Applications
• Oracle Siebel CRM
• Oracle Sun Systems Products
• Oracle Supply Chain Products
• Oracle Support Tools
• Oracle Utilities Applications
• Oracle Virtualization 

Solution

Customers are advised to apply all relevant patches provided by Oracle in this Critical Patch Update. Please refer to the April 2019 advisory for full details.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• Oracle Critical Patch Update Advisory - April 2019
• Tenable Research Advisory for Apache Commons FileUpload (CVE-2016-1000031)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.