Oracle addresses 334 security vulnerabilities in Q1 Critical Patch Update

Oracle issues another monster collection of security patches - and urges users to update ASAP, if they know what's good for them

Oracle released its January 2020 quarterly Critical Patch Update (CPU) on Wednesday, addressing a total of 334 security flaws and bugs across the breadth of its product family.

In a pre-release announcement, the company said that some of the vulnerabilities affect multiple products, and customers must apply the new patches as soon as possible.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," the advisory from Oracle stated.

"In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay."

Out of the 334 vulnerabilities fixed in the January 2020 CPU, 43 are rated critical or severe, with CVSS scores of 9.1 and above.

The update includes patches for 12 bugs in Oracle Database Server versions 12.2.0.1, 18c, and 19c. Of these, three can be exploited remotely by attackers without authentication: CVE-2019-10072 (in Apache Tomcat), CVE-2020-2512 (in Oracle's database gateway) and CVE-2020-2510 (in the Core RDBMS component).

Of all 12 vulnerabilities patched in Oracle Database Server, CVE-2020-2511 received the highest CVSS rating of 7.7 out of 10.

Some of the most severe vulnerabilities were discovered in Oracle Communications Applications, which received 25 patches in total. Of those, 23 are remotely exploitable without authentication, and six were assigned CVSS scores of 9 or higher.

Oracle E-Business Suite was host to 23 CVE-listed bugs, 21 of them remotely exploitable without authentication.

Fusion Middleware received patches for 38 vulnerabilities, of which 30 are remotely exploitable. Three flaws (CVE-2020-2551, CVE-2020-2555, CVE-2020-2546) were given CVSS scores of 9.8 out of 10, suggesting that system admins need to patch them immediately.

Oracle Enterprise Manager received the largest number of patches (50 in total), including fixes for 10 remotely exploitable vulnerabilities.

Solaris received 10 patches this time around, of which only two are remotely exploitable.

Other Oracle products that received patches this month include: MySQL, Oracle Supply Chain, PeopleSoft, Siebel CRM, Java SE, JD Edwards, Financial Services Applications, Construction and Engineering, Sun ZFS Storage Appliance Kit and more.