Published on: 15 April 2020
Last update on: 04 May 2020
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various other Oracle products.
There are 15 vulnerabilities identified in Java affecting multiple sub-components, including Advanced Management Console, Concurrency, JSSE, JavaFX, Libraries, Lightweight HTTP Server, Scripting, Security and Serialization.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over various protocols, including HTTP, HTTPS, MySQL Protocol, MySQL Workbench, Memcached Protocol, MLD, OracleNet or T3.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to submit specially crafted data to APIs in the affected component through a web service. For other Oracle products, a local authenticated attacker could log on to the infrastructure of the affected systems to exploit the vulnerabilities, and a remote attacker could send specially crafted network packets to the affected systems to exploit them.
The vendor has received reports of exploitation attempts against recently patched vulnerabilities in Oracle products, including the remote code execution vulnerability (CVE-2020-2883) in Oracle WebLogic Server. Reports also indicate that proof-of-concept code is publicly available. Users are advised to take immediate action to apply the April 2020 Critical Patch Update to their affected systems to mitigate the elevated risk of cyber attacks. For systems hosted on outsourced platforms, system owners should confirm with their web hosting service providers that the relevant patch has been applied.
A complete list of the affected products can be found at:
https://www.oracle.com/security-alerts/cpuapr2020.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
Users can also consult the security advisory below for information about the security updates for other Oracle products:
https://www.oracle.com/security-alerts/cpuapr2020.html
Users may contact their product support vendors for the fixes and assistance.
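As an added illustration of verifying the patching recommendation above (example code, not part of this advisory), the helper below normalises `java -version` banners in both the legacy `1.8.0_NNN` format and the `11.0.N` / `14.0.N` format and compares them against a per-release baseline. The baseline values in it are constructed placeholders; the actual update numbers shipped with the April 2020 CPU should be taken from the Java SE release notes linked below.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]  # (feature release, interim, update)

# Legacy scheme used by Java 8 and earlier: "1.8.0_251" or "1.8.0_251-b08"
_LEGACY = re.compile(r'^1\.(\d+)\.(\d+)(?:_(\d+))?')
# JEP 223 scheme used by Java 9+: "11.0.7", "14.0.1", "11.0.7+8-LTS"
_MODERN = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')

# PLACEHOLDER baseline, constructed for this demonstration only:
# replace each tuple with the update level of the April 2020 CPU release
# for that feature release, as listed in Oracle's release notes.
EXAMPLE_BASELINE: Dict[int, Version] = {8: (8, 0, 200), 11: (11, 0, 5), 14: (14, 0, 0)}


def parse_java_version(banner_line: str) -> Optional[Version]:
    """Extract (feature, interim, update) from a banner line such as
    'java version "1.8.0_251"' or 'openjdk version "11.0.7" 2020-04-14'.
    Returns None when the line carries no recognisable version string."""
    m = re.search(r'version "([^"]+)"', banner_line)
    if not m:
        return None
    raw = m.group(1)
    lm = _LEGACY.match(raw)
    if lm:  # "1.8.0_251" -> feature 8, interim 0, update 251
        return (int(lm.group(1)), int(lm.group(2)), int(lm.group(3) or 0))
    mm = _MODERN.match(raw)
    if mm:  # "11.0.7+8-LTS" -> (11, 0, 7); trailing build metadata is ignored
        return (int(mm.group(1)), int(mm.group(2) or 0), int(mm.group(3) or 0))
    return None


def needs_cpu(banner_line: str, baseline: Dict[int, Version]) -> Optional[bool]:
    """True if the installed version is below the baseline for its feature
    release, False if it is at or above it, None if the version could not be
    parsed or the feature release is not in the baseline (e.g. unsupported)."""
    installed = parse_java_version(banner_line)
    if installed is None or installed[0] not in baseline:
        return None
    return installed < baseline[installed[0]]


def local_java_banner() -> Optional[str]:
    """Run `java -version` on this host; the banner is written to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:  # no java binary on PATH
        return None
    return proc.stderr.splitlines()[0] if proc.stderr else None
```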
https://blogs.oracle.com/security/apply-april-2020-cpu
https://www.us-cert.gov/ncas/current-activity/2020/05/01/unpatched-oracle-weblogic-servers-vulnerable-cve-2020-2883
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
https://www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html
https://www.oracle.com/technetwork/java/javase/14u-relnotes-6361871.html
https://www.hkcert.org/my_url/en/alert/20041503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18311
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2733 (to CVE-2020-2735)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2737 (to CVE-2020-2791)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2793 (to CVE-2020-2915)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2920 (to CVE-2020-2947)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2949 (to CVE-2020-2956)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5398