Oracle Critical Patch Update January 2020

28 January 2020

What Does Oracle's Latest CPU Mean for Your Organisation?

By James Anthony, CTO, Inoapps

Oracle’s latest Critical Patch Update (CPU) was released on Wednesday 15th January 2020. It addressed 334 security vulnerabilities, in addition to previously released patches, across the Oracle product range.

  • 35% (117 vulnerabilities) of the patches are for non-Oracle components used within Oracle products (e.g. Oracle HTTP Server uses Apache)
  • 27 of these are high or critical vulnerabilities
  • Many of these are used in multiple Oracle products

Our evaluation of the CPU has identified some important fixes and we want to let you know about the impact of these disclosed vulnerabilities for you:

Oracle E-Business Suite

  • 23 new vulnerabilities — highest score of 9.9 – CRITICAL

Database

  • 12 new vulnerabilities (the highest of which scores 7.7 on the CVSS scale)

Enterprise Manager/Grid Control

  • 50 new vulnerabilities — 10 are remotely exploitable without authentication (highest score is 9.8 out of 10!)

Fusion Middleware

  • 38 new vulnerabilities — 30 are remotely exploitable without authentication (highest score is 9.8 out of 10!)

Note: Fusion Middleware is often exposed to the internet, so it is often the highest risk. This patch update includes the two recent 9.8 alerts for WebLogic. It is important to note that WebLogic is often embedded in other Oracle products, so these may also be vulnerable; for example, Oracle Enterprise Manager, Oracle Exadata and Oracle VM Manager all have upgrades released to overcome these vulnerabilities.


Oracle PeopleSoft

  • 15 security updates with the highest score of 9.8 – CRITICAL

Oracle Systems (hardware)

  • 17 new security updates, 8 of which are exploitable remotely without authentication!

There are also 2 new vulnerabilities for Oracle Hyperion and 19 new MySQL vulnerabilities.


So, what does this mean for you?

Security is an increasingly important focus for all organisations, whether in a highly regulated industry, based on GDPR compliance, or “simply” as part of good corporate governance. As such, even though there will be no new functionality as a result of these updates, Oracle’s regular patching, especially in response to published vulnerabilities, is the cornerstone of any security set-up. It protects reputations, confidence, data and ultimately your organisation.

If you would like to discuss this latest CPU and how it affects you in more detail, please contact your Account Manager or email us for more information.
