
Tenable Blog


Oracle Critical Patch Update for October 2020 Addresses 402 Security Updates

Oracle’s latest Critical Patch Update surpasses the 400 mark for the second time this year with 402 security patches addressing 230 CVEs, including numerous critical vulnerabilities in Oracle Fusion Middleware products.

Background

On October 20, Oracle released the Critical Patch Update (CPU) Advisory for October 2020, its final quarterly release of security patches for the year. This update contains fixes for 230 CVEs in 402 security patches across 27 Oracle product families. This quarter’s update marks the second-highest count in Oracle CPUs, surpassed only by the July 2020 update which holds the record with over 440 patches.

* Chart is accurate as of October 21, 2020

Analysis

This quarter’s CPU includes 35 critically rated CVEs across a wide range of Oracle products. The table below lists the product families with vulnerabilities addressed in this month’s release along with the number of vulnerabilities that are remotely exploitable without authentication.

Oracle Product Family                    Number of Patches   Remote Exploit without Auth
Oracle Financial Services Applications   53                  49
Oracle MySQL                             53                  4
Oracle Communications                    52                  41
Oracle Fusion Middleware                 46                  36
Oracle Retail Applications               28                  25
Oracle E-Business Suite                  27                  25
Oracle Database Server                   18                  4
Oracle PeopleSoft                        15                  12
Oracle Enterprise Manager                11                  10
Oracle Communications Applications       9                   8
Oracle Construction and Engineering      9                   7
Oracle Hyperion                          9                   1
Oracle Java SE                           8                   8
Oracle Systems                           8                   3
Oracle Virtualization                    7                   0
Oracle Hospitality Applications          6                   3
Oracle Insurance Applications            6                   6
Oracle Policy Automation                 6                   6
Oracle REST Data Services                5                   2
Oracle Utilities Applications            5                   3
Oracle TimesTen In-Memory Database       4                   4
Oracle Food and Beverage Applications    4                   3
Oracle Health Sciences Applications      4                   4
Oracle Supply Chain                      4                   3
Oracle Siebel CRM                        3                   3
Oracle Big Data Graph                    1                   1
Oracle GraalVM                           1                   1

* Table is accurate as of October 21, 2020

Notable Vulnerabilities

Considering the large number of patches released in this CPU, it may be hard to digest, filter and prioritize these vulnerabilities. However, a few Oracle WebLogic Server vulnerabilities are of note due to their criticality and potential for being targeted by attackers.

CVE-2020-14825, CVE-2020-14841, CVE-2020-14859 | Oracle WebLogic Server - Component: Core

CVE-2020-14825, CVE-2020-14841 and CVE-2020-14859 are vulnerabilities in the Core component of Oracle WebLogic Server. Oracle has classified these vulnerabilities as “easily exploitable” as they would allow an unauthenticated attacker with network access via Oracle’s T3 or Internet Inter-ORB Protocol (IIOP) to compromise the server. All three vulnerabilities affect versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. CVE-2020-14841 and CVE-2020-14859 also affect versions 10.3.6.0.0 and 12.1.3.0.0.

CVE-2020-14841 Proof of Concept

On October 21, security researcher Hamid Kashfi shared a proof of concept (PoC) for CVE-2020-14841 in a tweet stating “Another Oracle Tomcat JNDI bypass: CVE-2020-14841.”

CVE-2020-14882 | Oracle WebLogic Server - Component: Console

CVE-2020-14882 is a vulnerability in the Console component of Oracle WebLogic Server. Oracle has highlighted this vulnerability as “easily exploitable” as it would allow an unauthenticated attacker with network access over HTTP to compromise Oracle WebLogic Server, resulting in the takeover of the targeted server. This vulnerability affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

CVE-2019-17267 | Oracle WebLogic Server - Component: Centralized Thirdparty Jars (jackson-databind)

CVE-2019-17267 is a vulnerability in the Centralized Thirdparty Jars (jackson-databind) component of Oracle WebLogic Server. Oracle notes that this vulnerability is “easily exploitable” and would allow an unauthenticated attacker with network access over HTTP to compromise and take over a targeted server. Version 12.2.1.3.0 is the only version affected by this vulnerability.

Oracle has assigned all five of the vulnerabilities discussed in this section a CVSSv3.1 score of 9.8 due to their impact and ease of exploitation. Oracle WebLogic Server vulnerabilities have appeared in every Oracle CPU this year.
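The five WebLogic Server CVEs above share a CVSSv3.1 score of 9.8, so the practical question for a defender is which hosts are unpatched and which of them also expose the protocol each vulnerability is reached over (T3/IIOP for the Core CVEs, HTTP for the Console and jackson-databind CVEs). The triage helper below is an added example, not Tenable's or Oracle's code: the CVE identifiers, affected versions and protocols are taken from the text of this post, while the host inventory, the "exposed listeners" attribute, the "oct2020_cpu_applied" flag and the "patch-now"/"patch" priority labels are constructed assumptions for illustration.

```python
"""Triage helper for the five Oracle WebLogic Server CVEs in the October 2020 CPU.

Added example (not Tenable's or Oracle's code). CVE ids, affected versions
and exploit vectors come from the advisory write-up; hosts are constructed
sample data, and the priority labels are this example's own convention.
"""
from dataclasses import dataclass

# All five WebLogic versions named in the post.
ALL_FIVE = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}

# Affected versions and the protocol an unauthenticated attacker needs, per the post.
WEBLOGIC_CVES = {
    "CVE-2020-14825": {"component": "Core", "vectors": {"t3", "iiop"},
                       "affected": {"12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"}},
    "CVE-2020-14841": {"component": "Core", "vectors": {"t3", "iiop"}, "affected": ALL_FIVE},
    "CVE-2020-14859": {"component": "Core", "vectors": {"t3", "iiop"}, "affected": ALL_FIVE},
    "CVE-2020-14882": {"component": "Console", "vectors": {"http"}, "affected": ALL_FIVE},
    "CVE-2019-17267": {"component": "Centralized Thirdparty Jars (jackson-databind)",
                       "vectors": {"http"}, "affected": {"12.2.1.3.0"}},
}


@dataclass
class Host:
    """One WebLogic instance from an inventory (hypothetical schema)."""
    name: str
    version: str
    exposed: set                      # listeners reachable from untrusted networks
    oct2020_cpu_applied: bool = False  # assumed inventory flag: October 2020 CPU installed


def normalize_version(raw):
    """Pad a dotted WebLogic version to five components ("12.2.1.3" -> "12.2.1.3.0")."""
    parts = raw.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 5:
        raise ValueError(f"unrecognised WebLogic version: {raw!r}")
    return ".".join(parts + ["0"] * (5 - len(parts)))


def triage(host):
    """Return (cve_id, priority) pairs for one host, highest priority first.

    "patch-now": version is affected and the CVE's exploit vector is exposed.
    "patch":     version is affected but the vector is not exposed.
    Hosts with the CPU already applied produce no findings.
    """
    version = normalize_version(host.version)
    findings = []
    for cve, info in WEBLOGIC_CVES.items():
        if host.oct2020_cpu_applied or version not in info["affected"]:
            continue
        reachable = info["vectors"] & {v.lower() for v in host.exposed}
        findings.append((cve, "patch-now" if reachable else "patch"))
    # "patch-now" first, then stable order by CVE id for readable output
    findings.sort(key=lambda f: (f[1] != "patch-now", f[0]))
    return findings


def triage_inventory(hosts):
    """Map host name -> triage findings for a whole inventory."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("wls-prod-01", "12.2.1.3", {"http", "t3"}),
    Host("wls-prod-02", "14.1.1.0.0", {"http"}),
    Host("wls-legacy", "10.3.6", {"t3", "iiop"}),
    Host("wls-patched", "12.2.1.4.0", {"http", "t3"}, oct2020_cpu_applied=True),
]

if __name__ == "__main__":
    for name, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for cve, priority in findings or [("-", "no findings")]:
            print(f"  {cve:16} {priority}")
```

The exposure check is deliberately a coarse filter: a host whose T3 listener is not reachable from untrusted networks still needs the patch, it just sorts below one where the vector is open. Replace SAMPLE_INVENTORY with the output of your own asset inventory and keep the affected-version sets in step with the advisory as Oracle revises it.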

Oracle WebLogic Servers have always been a prime target for threat actors. On April 30, Oracle published a blog post warning of in-the-wild exploitation of CVE-2020-2883, a deserialization vulnerability in the Oracle Coherence library of Oracle WebLogic Server that was patched in the April 2020 Oracle CPU. CVE-2020-2883 is a patch bypass of CVE-2020-2555, another deserialization vulnerability in Oracle WebLogic Server, which was included in the January 2020 CPU.

Less than a week after the July 2020 Oracle CPU, a PoC was released for CVE-2020-14645, another vulnerability affecting the Core component of Oracle WebLogic Server. Based on this consistent interest in WebLogic Server from threat actors and researchers, we expect to see additional patches and perhaps PoCs for this product in the future.

Solution

Customers are advised to apply all relevant patches in this CPU. Please refer to the October 2020 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

