Published on: 15 January 2020
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 12 vulnerabilities identified in Java affecting multiple sub-components including JavaFX, JSSE, Libraries, Networking, Security and Serialization. All of them could be remotely exploited without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over a network through various protocols including HTTP, HTTPS, IIOP, Kerberos, Local Logon, MySQL Protocol, MySQL Workbench, OracleNet, SMB, SSH, T3, TCP, TCPS, TLS or XMPP.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to submit specially crafted data to APIs in the specified Component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
A complete list of the affected products can be found at:
https://www.oracle.com/security-alerts/cpujan2020.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
Patches for the Oracle Java SE products are available at the following URL:
https://www.oracle.com/technetwork/java/javase/downloads/index.html
Users can also refer to the security advisory below for information about the security updates for other Oracle products:
https://www.oracle.com/security-alerts/cpujan2020.html
Users may contact their product support vendors for the fixes and assistance.
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html
https://www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html
https://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
https://www.hkcert.org/my_url/en/alert/20011503
https://www.us-cert.gov/ncas/current-activity/2020/01/14/oracle-releases-january-2020-security-bulletin
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3004
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2510 (to CVE-2020-2512)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2515 (to CVE-2020-2519)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2533 (to CVE-2020-2552)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2555 (to CVE-2020-2561)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2563 (to CVE-2020-2574)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2576 (to CVE-2020-2593)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2595 (to CVE-2020-2705)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2709 (to CVE-2020-2731)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6950