Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

ARTICLE

3 mins to read

Oracle April 2020 Critical Patch Update

Justin Nelson

Director - Business Platform Transformation

Views
Larger Font
3 minutes to read

Oracle has released the April 2020 Critical Patch Update, which includes nearly 400 patches for known security vulnerabilities pertaining to its suite of products (ERP, EPM, DBMS, etc.). With this update, there has been an increased emphasis on applying these patches as soon as possible for organizations to remain on actively supported versions and instances. Delays in deploying these patches could lead to affected software or systems being vulnerable to attacks, even compromised data. Until the patches can be pushed, workarounds have been outlined to reduce these risks. Of these, two of note are:

  • blocking network protocols required by an attack, and
  • removing user access privileges from users not needing access in order to help reduce the risk of a successful attack (it was found that 264 patches addressed vulnerabilities when attempting to authenticate remotely).

Oracle strongly suggests that neither method should be considered as a long-term solution since they are only temporary workarounds.

A statement released by Oracle reveals:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

What is a critical patch update and consideration before applying?

As explained and recommended by Oracle:

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches.

What do the patches consist of and what is impacted?

The April 2020 Critical Patch Update addresses 398 fixes for new security vulnerabilities across two dozen product families, including: Oracle Database Server, Oracle Fusion Middleware, Oracle Secure Backup, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle JDEdwards, Oracle Industry Applications (Communications, Construction and Engineering, Financial Services, Health Sciences, Food & Beverage, Retail, Utilities), Oracle Java SE, Oracle Support Tools, Oracle Virtualization, Oracle Graal VM, Oracle MySQL, and Oracle Systems.

The Common Vulnerability Scoring System (CVSS) is an industry standard that is used to assess the severity of computer system security vulnerabilities. The latest version of the standard, CVSS v3, considers vulnerabilities with a CVSS Base Score between 9.0 and 10.0 to have a rating of Critical, and vulnerabilities with a CVSS Base Score between 7.0 and 8.9, to have a rating of High.

Part of the Critical Patch Update includes patches for non-Oracle Common Vulnerabilities and Exposures, or CVEs (39%). These patches consist of security fixes for third-party products (e.g., open source components) that are included in traditional Oracle product distributions. The same CVE can be listed multiple times in the Critical Patch Update Advisory document because a vulnerable common component (e.g., Apache) may be present in many different Oracle products. This 39% breakdown means 157 of the 398 security patches provided by this update are for non-Oracle CVEs, and 105 of those 157 are for high and critical vulnerabilities.

Based on a review performed by Security Week, roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8 and 90 vulnerabilities have a CVSS score of 8.0 or higher. From an application perspective, Oracle E-Business Suite was the largest application to be affected with 74 security patches, and 70 of the vulnerabilities being remotely exploitable by unauthenticated attackers. While none have a critical severity rating, most of them are considered high risk bugs — 62 have a CVSS score of 8.1 or higher.

What is the risk for my organization?

According to Oracle’s vulnerability disclosure policies, Oracle will not provide results of the risk analysis performed for each security vulnerability addressed in the latest Critical Patch Update; however, Oracle will provide risk matrices to help customers conduct their own risk analysis assessments based on independent usage of Oracle products. The risk matrices and associated support documentation provide information help to provide details around the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit.

How do I prepare for future updates?

Like any mature patch management/IT change management process, patches should be appropriately tested, approved and applied routinely to minimize interruptions and impacts to business operations while maintaining a secure IT environment. Generally, prerequisites or dependencies around security patching is well covered by Oracle; however, it is advised that organizations check with Oracle to ensure that all pre-requisites or dependencies required for the upcoming Critical Patch Update releases are present within the respective environment(s). Below are the next four release schedules that are due to occur on the Tuesday closest to the 17th day of the month:

  • 14 July 2020
  • 20 October 2020
  • 19 January 2021
  • 20 April 2021

For more details on each of the April 2020 patches and the associated risk matrices (these matrices only depict the security vulnerabilities newly addressed by this update), please visit this link:

https://www.oracle.com/security-alerts/cpuapr2020.html

For questions related to any of the historical releases, please reference the below link:

https://www.oracle.com/security-alerts/#CriticalPatchUpdates

For more information on Protiviti’s Oracle solutions, contact us.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Article

Find a similar article by topics

Authors

Justin Nelson

By Justin Nelson

Verified Expert at Protiviti

Visit Justin Nelson's profile

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

For all of its advantages, Software as a Service (SaaS) has introduced licensing considerations that were nonexistent with on-premises enterprise...

Article

What is it about

Oracle Fusion Cloud transformations often result in major efficiencies and procedural improvements for adopting organizations – end results often include...

Article

What is it about

Many organizations that have implemented Oracle Hyperion version 11.1.X may be aware that some (or many) of their Hyperion application...