Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Oracle Critical Patch Update for July 2020 Tops Previous Record with 443 Security Updates

Oracle’s third Critical Patch Update of 2020 contains a record-breaking 443 security patches addressing 284 CVEs, including critical vulnerabilities in Oracle Communications Applications and Oracle Fusion Middleware products.

Update July 20, 2020: A proof of concept script has become publicly available for CVE-2020-14645. The proof of concept section of our blog has been updated accordingly.

Background

On July 14, Oracle released the Critical Patch Update (CPU) Advisory for July 2020 as part of their quarterly release of security patches. This update contains fixes for 284 CVEs in 443 security patches across 29 Oracle product families. This quarter’s update continues an upward trend, overtaking the previous Oracle CPU patch record set by April 2020's update.

Analysis

This quarter’s CPU includes more than 30 critically rated CVEs across a wide range of Oracle products. The following is the full list of product families with vulnerabilities addressed in this month’s release along with the number of patches released and vulnerabilities that are remotely exploitable without authentication.

Oracle Product Family Number of Patches Remote Exploit without Auth
Oracle Communications Applications 60 46
Oracle Fusion Middleware 52 48
Oracle Retail Applications 47 42
Oracle MySQL 40 6
Oracle Financial Services Applications 38 26
Oracle E-Business Suite 30 24
Oracle Virtualization 25 0
Oracle Supply Chain 22 18
Oracle Construction and Engineering 20 15
Oracle Database Server 19 1
Oracle Enterprise Manager 14 10
Oracle Java SE 11 11
Oracle PeopleSoft 11 9
Oracle Systems 7 1
Oracle Insurance Applications 6 4
Oracle JD Edwards 6 6
Oracle Siebel CRM 5 5
Oracle Commerce 4 3
Oracle Food and Beverage Applications 4 0
Oracle GraalVM 4 3
Oracle Health Sciences Applications 4 4
Oracle Berkeley DB 3 0
Oracle GoldenGate 3 1
Oracle Hyperion 3 0
Oracle Global Lifecycle Management 1 0
Oracle TimesTen In-Memory Database 1 0
Oracle Hospitality Applications 1 1
Oracle iLearning 1 1
Oracle Utilities Applications 1 1

Notable Vulnerabilities

Considering the large number of patches released in this quarter’s CPU, it may be hard to digest, filter and prioritize these vulnerabilities. However, a few notable vulnerabilities stand out due to their criticality and potential for being targeted by attackers.

CVE-2020-14701 and CVE-2020-14706 | Oracle Communications Applications SD-WAN Aware / Edge Vulnerabilities

CVE-2020-14701 and CVE-2020-14706 are vulnerabilities in the User Interface component of the Oracle Communications Applications SD-WAN Aware and SD-WAN Edge products respectively. Oracle has highlighted these vulnerabilities as “easily exploitable” as they allow an unauthenticated attacker with network access via the Hypertext Transfer Protocol (HTTP) to compromise SD-WAN Aware and SD-WAN Edge.

Successful exploitation of these vulnerabilities would result in a complete takeover of SD-WAN Aware and SD-WAN Edge. While the vulnerabilities are in these products, Oracle has noted that “attacks may significantly impact additional products.” These are the only details currently available from Oracle, though the company has assigned both vulnerabilities a CVSSv3.1 score of 10.0, the highest score possible, suggesting easy exploitability with potentially significant impact, making them important vulnerabilities to prioritize.

CVE-2020-14625, CVE-2020-14644, CVE-2020-14645 and CVE-2020-14687 | Oracle Fusion Middleware WebLogic Server Vulnerabilities

CVE-2020-14625, CVE-2020-14644, CVE-2020-14645, and CVE-2020-14687 are vulnerabilities in the Core component of the Oracle WebLogic product of Oracle Fusion Middleware. Oracle has highlighted these vulnerabilities as “easily exploitable” as they allow an unauthenticated attacker with network access via Oracle’s T3 and Internet Inter-ORB Protocol (IIOP) to compromise the server.

Successful exploitation of these vulnerabilities would allow an attacker to gain full control over the Oracle WebLogic Server. Given their ease of exploitation, Oracle has assigned these vulnerabilities a critical CVSSv3.1 score of 9.8. Oracle WebLogic vulnerabilities regularly appear in the quarterly CPU advisories and historically have been prime targets for exploitation. Less than one month after the April 2020 CPU, CVE-2020-2883, an Oracle WebLogic vulnerability, was reported as exploited in the wild. This prompted Oracle to release a separate alert urging people to patch as soon as possible.

Proof of Concept

Security researcher “Y4er” published a PoC to a GitHub repository on July 19 for CVE-2020-14645. Y4er is also responsible for publishing a PoC for CVE-2020-2883 on May 10, less than two weeks after it was reported as exploited in-the-wild.

Solution

Customers are advised to apply all relevant patches provided by Oracle in this CPU. Please refer to the July 2020 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.