Oracle

Oracle April 2020 Critical Patch Update

Lauren KayJustin Nelson
April 27, 2020
5 min read

Oracle has released the April 2020 Critical Patch Update, which includes nearly 400 patches for known security vulnerabilities pertaining to its suite of products (ERP, EPM, DBMS, etc.). With this update, there has been an increased emphasis on applying these patches as soon as possible for organizations to remain on actively supported versions and instances. Delays in deploying these patches could lead to affected software or systems being vulnerable to attacks, even compromised data. Until the patches can be pushed, workarounds have been outlined to reduce these risks. Of these, two of note are:

  • blocking network protocols required by an attack, and
  • removing user access privileges from users not needing access in order to help reduce the risk of a successful attack (it was found that 264 patches addressed vulnerabilities when attempting to authenticate remotely).

Oracle strongly suggests that neither method should be considered as a long-term solution since they are only temporary workarounds.

A statement released by Oracle reveals:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

What is a critical patch update and consideration before applying?

As explained and recommended by Oracle:

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches.

What do the patches consist of and what is impacted?

The April 2020 Critical Patch Update addresses 398 fixes for new security vulnerabilities across two dozen product families, including: Oracle Database Server, Oracle Fusion Middleware, Oracle Secure Backup, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle JDEdwards, Oracle Industry Applications (Communications, Construction and Engineering, Financial Services, Health Sciences, Food & Beverage, Retail, Utilities), Oracle Java SE, Oracle Support Tools, Oracle Virtualization, Oracle Graal VM, Oracle MySQL, and Oracle Systems.

The Common Vulnerability Scoring System (CVSS) is an industry standard that is used to assess the severity of computer system security vulnerabilities. The latest version of the standard, CVSS v3, considers vulnerabilities with a CVSS Base Score between 9.0 and 10.0 to have a rating of Critical, and vulnerabilities with a CVSS Base Score between 7.0 and 8.9, to have a rating of High.

Part of the Critical Patch Update includes patches for non-Oracle Common Vulnerabilities and Exposures, or CVEs (39%). These patches consist of security fixes for third-party products (e.g., open source components) that are included in traditional Oracle product distributions. The same CVE can be listed multiple times in the Critical Patch Update Advisory document because a vulnerable common component (e.g., Apache) may be present in many different Oracle products. This 39% breakdown means 157 of the 398 security patches provided by this update are for non-Oracle CVEs, and 105 of those 157 are for high and critical vulnerabilities.

Based on a review performed by Security Week, roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8 and 90 vulnerabilities have a CVSS score of 8.0 or higher. From an application perspective, Oracle E-Business Suite was the largest application to be affected with 74 security patches, and 70 of the vulnerabilities being remotely exploitable by unauthenticated attackers. While none have a critical severity rating, most of them are considered high risk bugs — 62 have a CVSS score of 8.1 or higher.

What is the risk for my organization?

According to Oracle’s vulnerability disclosure policies, Oracle will not provide results of the risk analysis performed for each security vulnerability addressed in the latest Critical Patch Update; however, Oracle will provide risk matrices to help customers conduct their own risk analysis assessments based on independent usage of Oracle products. The risk matrices and associated support documentation provide information help to provide details around the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit.

How do I prepare for future updates?

Like any mature patch management/IT change management process, patches should be appropriately tested, approved and applied routinely to minimize interruptions and impacts to business operations while maintaining a secure IT environment. Generally, prerequisites or dependencies around security patching is well covered by Oracle; however, it is advised that organizations check with Oracle to ensure that all pre-requisites or dependencies required for the upcoming Critical Patch Update releases are present within the respective environment(s). Below are the next four release schedules that are due to occur on the Tuesday closest to the 17th day of the month:

  • 14 July 2020
  • 20 October 2020
  • 19 January 2021
  • 20 April 2021

For more details on each of the April 2020 patches and the associated risk matrices (these matrices only depict the security vulnerabilities newly addressed by this update), please visit this link:

https://www.oracle.com/security-alerts/cpuapr2020.html

For questions related to any of the historical releases, please reference the below link:

https://www.oracle.com/security-alerts/#CriticalPatchUpdates

For more information on Protiviti’s Oracle solutions, contact us.

Lauren Kay

Senior Manager
Enterprise Application Solutions

View all posts

Justin Nelson

Associate Director
Technology Consulting - Enterprise Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More