Oracle has released the April 2020 Critical Patch Update, which includes nearly 400 patches for known security vulnerabilities across its suite of products (ERP, EPM, DBMS, etc.). With this update, Oracle has placed renewed emphasis on applying the patches as soon as possible and on remaining on actively supported versions and instances. Delays in deploying these patches could leave affected software or systems exposed to attack and to data compromise. Until the patches can be pushed, Oracle has outlined workarounds to reduce these risks. Two of note are:
- blocking network protocols required by an attack, and
- removing access privileges from users who do not need them, to reduce the likelihood of a successful attack (Oracle notes that 264 of the patches address vulnerabilities reachable through remote authentication attempts).
Oracle stresses that these are temporary workarounds and that neither should be treated as a long-term solution.
A statement released by Oracle reveals:
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”
What is a Critical Patch Update, and what should be considered before applying one?
As explained and recommended by Oracle:
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches.
What do the patches consist of and what is impacted?
The April 2020 Critical Patch Update addresses 398 fixes for new security vulnerabilities across two dozen product families, including: Oracle Database Server, Oracle Fusion Middleware, Oracle Secure Backup, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle JD Edwards, Oracle Industry Applications (Communications, Construction and Engineering, Financial Services, Health Sciences, Food & Beverage, Retail, Utilities), Oracle Java SE, Oracle Support Tools, Oracle Virtualization, Oracle GraalVM, Oracle MySQL, and Oracle Systems.
The Common Vulnerability Scoring System (CVSS) is an industry standard used to assess the severity of security vulnerabilities. The current version of the standard, CVSS v3, rates vulnerabilities with a CVSS Base Score between 9.0 and 10.0 as Critical, and those with a Base Score between 7.0 and 8.9 as High.
Part of the Critical Patch Update includes patches for non-Oracle Common Vulnerabilities and Exposures, or CVEs (39%). These patches consist of security fixes for third-party products (e.g., open source components) that are included in traditional Oracle product distributions. The same CVE can be listed multiple times in the Critical Patch Update Advisory document because a vulnerable common component (e.g., Apache) may be present in many different Oracle products. This 39% breakdown means 157 of the 398 security patches provided by this update are for non-Oracle CVEs, and 105 of those 157 are for high and critical vulnerabilities.
Based on a review performed by Security Week, roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them carrying a CVSS score of 9.8, and 90 vulnerabilities having a CVSS score of 8.0 or higher. From an application perspective, Oracle E-Business Suite was the most affected product, with 74 security patches, 70 of which address vulnerabilities that are remotely exploitable by unauthenticated attackers. While none of these has a critical severity rating, most are considered high-risk bugs: 62 have a CVSS score of 8.1 or higher.
What is the risk for my organization?
According to Oracle's vulnerability disclosure policies, Oracle does not publish the results of the risk analysis it performs for each security vulnerability addressed in a Critical Patch Update; instead, Oracle provides risk matrices so that customers can conduct their own risk assessments based on how they use Oracle products. The risk matrices and associated support documentation describe the type of each vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit.
How do I prepare for future updates?
As with any mature patch management or IT change management process, patches should be tested, approved and applied routinely to minimize interruptions and impacts to business operations while maintaining a secure IT environment. Generally, the prerequisites and dependencies for security patching are well covered by Oracle; however, organizations should confirm with Oracle that all prerequisites and dependencies required for the upcoming Critical Patch Update releases are present in their respective environment(s). Below are the next four release dates, which fall on the Tuesday closest to the 17th day of the month:
- 14 July 2020
- 20 October 2020
- 19 January 2021
- 20 April 2021
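The release dates above follow a fixed rule, so a patch calendar can be generated rather than transcribed. The following is an added example, not code from Oracle or from this post: it derives each Critical Patch Update date as the Tuesday closest to the 17th of January, April, July and October, lists the next releases after a given date, and reports how many days remain to stage and test the next one. The quarterly months and the "closest Tuesday" rule are taken from the text; everything else is this example's own construction.

```python
"""Added example (not Oracle's or Protiviti's code): compute Critical Patch
Update release dates from the rule 'the Tuesday closest to the 17th' in
January, April, July and October."""
from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday() numbers Monday as 0


def cpu_release_date(year: int, month: int) -> date:
    """Tuesday nearest to the 17th; the two candidates are never equidistant."""
    if month not in CPU_MONTHS:
        raise ValueError("Critical Patch Updates ship in Jan/Apr/Jul/Oct only")
    anchor = date(year, month, 17)
    days_back = (anchor.weekday() - TUESDAY) % 7      # to the Tuesday on or before the 17th
    days_forward = (TUESDAY - anchor.weekday()) % 7   # to the Tuesday on or after the 17th
    if days_back <= days_forward:
        return anchor - timedelta(days=days_back)
    return anchor + timedelta(days=days_forward)


def upcoming_releases(after: date, count: int = 4) -> list:
    """The next `count` release dates strictly after `after`."""
    releases = []
    year = after.year
    while len(releases) < count:
        for month in CPU_MONTHS:
            candidate = cpu_release_date(year, month)
            if candidate > after and len(releases) < count:
                releases.append(candidate)
        year += 1
    return releases


def days_until_next_release(today: date) -> int:
    """Lead time left to stage and test the next cumulative update."""
    return (upcoming_releases(today, 1)[0] - today).days


if __name__ == "__main__":
    # The April 2020 update itself shipped on 14 April 2020; list what follows it.
    for d in upcoming_releases(date(2020, 4, 14)):
        print(d.strftime("%d %B %Y"))
```

Run from 14 April 2020 the script reproduces the four dates listed above; feeding it the current date gives the lead time available for regression testing before the next cumulative update lands.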
For more details on each of the April 2020 patches and the associated risk matrices (these matrices only depict the security vulnerabilities newly addressed by this update), please visit this link:
https://www.oracle.com/security-alerts/cpuapr2020.html
For questions related to any of the historical releases, please reference the below link:
https://www.oracle.com/security-alerts/#CriticalPatchUpdates
For more information on Protiviti’s Oracle solutions, contact us.