Published on: 21 October 2020
Last update on: 04 November 2020
Oracle has released the Critical Patch Update (CPU) Advisory with collections of patches for multiple security vulnerabilities found in Java SE and various Oracle products. The list of security updates can be found at:
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle has released an out-of-band security update to address another remote code execution vulnerability (CVE-2020-14750) in Oracle WebLogic Server. Proof-of-concept (PoC) code exploiting CVE-2020-14750 is publicly available. System administrators are advised to apply the latest security patch to the affected systems immediately to mitigate the elevated risk of cyber attacks.
Reports indicate that active exploitation of a critical remote code execution vulnerability (CVE-2020-14882) in Oracle WebLogic Server has been observed. In view of the elevated risk of cyber attacks, system administrators should give priority to patching this particular vulnerability immediately.
Before the patch can be applied, system administrators should ensure that the admin portal (TCP port 7001 by default) is not exposed to the Internet and keep blocking access to the admin portal from untrusted networks, review application logs for suspicious HTTP requests to the admin portal console, including the double-encoded path traversal sequence ‘%252E%252E%252F’, and monitor for any suspicious processes spawned by the application.
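As an added example (not part of the advisory), the log review step above can be automated. The script below scans constructed access-log lines in Common Log Format for requests to the /console path whose "../" only appears after URL decoding, and reports how many decoding passes were needed; the log format, the sample lines and the path names in them are assumptions, and it goes slightly beyond the advisory's indicator by also reporting single-encoded traversal.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2020:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3122
198.51.100.7 - - [29/Oct/2020:10:01:09 +0000] "GET /console/images/%252E%252E%252Fadmin.jsp HTTP/1.1" 200 512
198.51.100.7 - - [29/Oct/2020:10:01:10 +0000] "POST /console/css/%252e%252e%252fadmin.jsp HTTP/1.1" 200 88
10.0.0.9 - - [29/Oct/2020:10:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def traversal_depth(path: str) -> int:
    """Number of URL-decoding passes after which '../' first appears in the
    path (0 = literal, 1 = single-encoded, 2 = double-encoded), or -1 if it
    never appears within two passes."""
    current = path
    for depth in range(3):
        if "../" in current:
            return depth
        current = unquote(current)
    return -1


def find_suspicious_requests(log_text: str) -> list:
    """Return requests to the admin console whose path hides '../' behind at
    least one layer of URL encoding. A literal '../' is left to the server's
    own path normalisation and is not reported here."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        depth = traversal_depth(path)
        if path.lower().startswith("/console") and depth >= 1:
            hits.append({"client": client, "time": ts, "method": method,
                         "path": path, "status": int(status), "depth": depth})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["method"]} {hit["path"]} '
              f'(status {hit["status"]}, traversal hidden behind {hit["depth"]} encoding pass(es))')
```

A status 200 on a flagged request is the case to escalate, since a successful response to the admin console from an untrusted client suggests the blocking in the advisory was not in place.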
A complete list of the affected products can be found at:
https://www.oracle.com/security-alerts/cpuoct2020.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure, system crash or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
https://www.oracle.com/java/technologies/javase-downloads.html
For OpenJDK, please refer to the following link:
https://jdk.java.net/
Users can also refer to the security advisory below for information about the security updates for other Oracle products:
https://www.oracle.com/security-alerts/cpuoct2020.html
Users may contact their product support vendors for fixes and assistance.
https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
https://us-cert.cisa.gov/ncas/current-activity/2020/11/02/oracle-releases-out-band-security-alert
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750
https://blog.rapid7.com/2020/10/29/oracle-weblogic-unauthenticated-complete-takeover-cve-2020-14882-what-you-need-to-know/
https://twitter.com/testanull/status/1321390624042442753
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/java/technologies/javase/8u271-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-9-relnotes.html
https://www.oracle.com/java/technologies/javase/15-0-1-relnotes.html
https://openjdk.java.net/groups/vulnerability/advisories/2020-10-20
https://www.hkcert.org/my_url/en/alert/20102103
https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/oracle-releases-october-2020-security-bulletin-0