273 vulnerabilities are remotely exploitable without authentication…
Oracle users, brace yourselves: an eye-watering 405 new security vulnerabilities need patching, with the avalanche of software updates arriving later today (April 14, 2020).
Over half of them, or a total of 273, are potentially remotely exploitable without authentication, Oracle warned – suggesting some major patching sessions ahead.
The release is part of the company’s quarterly set of security advisories, with initial details provided by the company so customers can assess whether they are impacted.
Among them, a chunky 34 new security patches for Oracle’s suite of financial services applications, 16 of could be abused over a network without requiring user credentials.
In a sign of how serious some of the financial services application vulnerabilities are likely to be, they include one with a CVSS score of a critical 9.8, suggesting both high impact and easy exploitability. More details are to follow from Oracle late today.
(CVSS, or the Common Vulnerability Scoring System is an open industry standard to assess the severity of computer system security vulnerabilities).
Oracle Security Patches
Among the ones to look out for:
A chunky 74 new security patches for the Oracle E-Business Suite, the vast majority of which (71) are potentially remotely exploitable without authentication.
Further, two remotely exploitable bugs in Oracle Support Tools with a highly critical CVSS score of 9.8. (Oracle provides hundreds of tools to automate and or optimise manual support processes/conduct diagnostics. Details on precisely which is effected will, again, be revealed when the patches land late April 14).
Also standing out: 45 new security patches for Oracle’s widely deployed MySQL database; nine of which are potentially remotely exploitable without authentication.
The worst, again, has a critical CVSS score of 9.8.
- MySQL Client, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior
- MySQL Cluster, versions 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior
- MySQL Connectors, versions 5.1.48 and prior, 8.0.19 and prior
- MySQL Enterprise Monitor, versions 220.127.116.1131 and prior, 18.104.22.1687 and prior
- MySQL Server, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
- MySQL Workbench, versions 8.0.19 and prior
With 56 new security patches for Oracle Fusion Middleware, 49 of which are again able to be abused by a bad actor over a network without authentication, ditto for 35 vulns in Oracle Communications Applications (spanning Services Gatekeeper, WebRTC Session Controller and more) sysadmins/IT teams look set for a busy Tuesday evening.
Computer Business Review will bring you more details when the full set of bug fixes lands. Here’s the full overview meanwhile for a quick assessment.
See also: Software Patch Management: Tips, Tricks and Stern Warnings