News

Latest Oracle CPU: 402 Patches on 29 Products, Java SE Gets a Breather with Only 8 CVEs

• By John K. Waters
• October 28, 2020

Oracle published its fourth quarter Critical Patch Update (CPU) advisory last week. The latest update cites 402 patches across its product groups, slightly fewer than last quarter, but double the vulnerability count from the same quarter last year. Vulnerabilities affecting Java SE were actually down this quarter, with only eight CVEs, the highest CVSS score of which was 5.3.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE (Common Vulnerability and Exposure) number. A score of between 7.0 and 8.9 is considered high.

According to an analysis by application security firm Waratek, This quarter's CPU impacts 28 product sets, 20 of which contain flaws with a CVSS rating of 9.8 or 10. A high percentage of CVEs in this advisory can be remotely exploited without user credentials including 100% of Java SE CVEs. The same is true of 93% of the vulnerabilities patched this week in Oracle E-Business Suite, 80% of those in PeopleSoft, and 78% in Fusion Middleware.

"What jumps out to me in this CPU is I see the typical ebb and flow of vulnerability research," said Waratek founder and CTO John Matthew Holt, in a statement. "This is reflected in the fluctuating vulnerability counts for individual products. So now when discussing priorities and best practices for patching, it's important to remind everyone that the recommendation from every software vendor, including Oracle, is to always apply all patches - that's for good reason. There is risk of complacency when CVSS scores in a patch for products like Java SE are lower. People might think to themselves, erroneously, there's no critical volumes this quarter, therefore, I don't need to do anything."

"But here's the thing," Holt added, "application security doesn't work that way. Bad actors are increasingly combining vulnerabilities together to weaponize exploits to achieve their nefarious objectives. The risk score is important, but what is more important is that users and operators of these applications maintain a consistent cadence of applying these fixes as soon as they are disclosed to avoid them being weaponized in combination with other vulnerabilities to achieve a devastating result."

Each Oracle quarterly CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.

Oracle typically urges its customers to apply the security fixes in the latest CPU as soon as possible. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company warns on its website. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Oracle publishes its patches on the Tuesday closest to the 17th of the month. This was the last quarterly update of 2020.